[Shib-Users] opensaml::FatalProfileException()


ssuri

May 10, 2011, 12:43:44 PM
to shibbole...@internet2.edu
Hi All,
I am doing authentication with Remote User and getting the error:
A valid authentication statement was not found in the incoming message.

I checked the log file and am getting the following logs:

2011-05-10 20:25:32 INFO XMLTooling.SecurityHelper : loading certificate(s) from file (E:/Shibboleth/Shibboleth-sp/etc/shibboleth/sp-cert.pem)
2011-05-10 20:25:32 INFO Shibboleth.Listener : registered remoted message endpoint (default::getHeaders::Application)
2011-05-10 20:25:32 INFO Shibboleth.Listener : listener service starting
2011-05-10 20:27:26 ERROR XMLTooling.TrustEngine.PKIX [1]: certificate name was not acceptable
2011-05-10 20:27:26 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine
2011-05-10 20:27:26 WARN Shibboleth.SSO.SAML2 [1]: detected a problem with assertion: Message was signed, but signature could not be verified.

--
View this message in context: http://shibboleth.1660669.n2.nabble.com/opensaml-FatalProfileException-tp6348606p6348606.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.

Cantor, Scott E.

May 10, 2011, 12:57:57 PM
to shibbole...@internet2.edu
On 5/10/11 12:43 PM, "ssuri" <testpl...@gmail.com> wrote:
>I checked the log file and getting the following logs

The IdP's metadata is wrong, or it's using the wrong key.

-- Scott

ssuri

May 12, 2011, 7:36:33 AM
to shibbole...@internet2.edu
Hi Scott,
As you said, I have checked my key as well as the Metadata for both SP and IDP.
When I change handler.xml to

<ph:LoginHandler xsi:type="ph:UsernamePassword"
    jaasConfigurationLocation="C:\IDP_HOME/conf/login.config">
  <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>

I can see my login screen.
But when I change it to

<ph:LoginHandler xsi:type="ph:RemoteUser">
  <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
</ph:LoginHandler>

then it shows me the error

opensaml::FatalProfileException
The system encountered an error at Thu May 12 16:41:50 2011
To report this problem, please contact the site administrator at
root@localhost.
Please include the following message in any email:
opensaml::FatalProfileException at
(https://sp.abc.org/Shibboleth.sso/SAML2/POST)

A valid authentication statement was not found in the incoming message.

I checked twice all my keys and Metadata of both SP and IDP, still I'm
getting the same error.
Any help will be appreciated...

Thanks.

--
View this message in context: http://shibboleth.1660669.n2.nabble.com/opensaml-FatalProfileException-tp6348606p6355428.html

Cantor, Scott E.

May 12, 2011, 9:59:14 AM
to shibbole...@internet2.edu
>But when I change it to
>
><ph:LoginHandler xsi:type="ph:RemoteUser">
><ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
></ph:AuthenticationMethod> </ph:LoginHandler>
>
>then it shows me the error

The error means it's authenticating the user at the IdP and then failing
for the reason that I already told you it was.

>I checked twice all my keys and Metadata of both SP and IDP, still I'm
>getting the same error.

Well, it's still wrong. It wouldn't fall into PKIX checking unless the key
in the metadata didn't match what was used.

-- Scott
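
Added example, not part of the thread and not Shibboleth's own code: one way to run the check Scott describes, comparing the signing certificate published in the IdP metadata with the certificate carried in the signed message's KeyInfo. The function names and the sample documents are constructed for illustration, and it assumes the IdP embeds its certificate in the signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def fingerprint(b64_cert):
    """SHA-256 over the decoded certificate bytes (whitespace-insensitive)."""
    der = base64.b64decode("".join((b64_cert or "").split()))
    return hashlib.sha256(der).hexdigest()

def metadata_signing_fingerprints(metadata_xml):
    """Certificates the IdP metadata publishes for signing (use absent = both)."""
    fps = set()
    for role in ET.fromstring(metadata_xml).iter(MD + "IDPSSODescriptor"):
        for kd in role.iter(MD + "KeyDescriptor"):
            if kd.get("use") in (None, "signing"):
                fps.update(fingerprint(c.text) for c in kd.iter(DS + "X509Certificate"))
    return fps

def response_fingerprints(response_xml):
    """Certificates carried in ds:Signature/ds:KeyInfo of the SAML message."""
    fps = set()
    for sig in ET.fromstring(response_xml).iter(DS + "Signature"):
        fps.update(fingerprint(c.text) for c in sig.iter(DS + "X509Certificate"))
    return fps

def key_matches_metadata(metadata_xml, response_xml):
    """Diagnostic only: compares certificates, does not verify the signature."""
    used = response_fingerprints(response_xml)
    return bool(used) and used <= metadata_signing_fingerprints(metadata_xml)

# Constructed sample input: placeholder bytes stand in for real DER certificates.
CERT_A = base64.b64encode(b"constructed-cert-in-metadata").decode()
CERT_B = base64.b64encode(b"constructed-cert-idp-signs-with").decode()
KEYINFO = ('<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>'
           '<ds:X509Certificate>{}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>')
METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'entityID="https://idp.example.org/idp"><md:IDPSSODescriptor>'
            '<md:KeyDescriptor use="signing">' + KEYINFO.format(CERT_A) +
            '</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')
RESPONSE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">{}'
            '</ds:Signature></samlp:Response>')

if __name__ == "__main__":
    print("stale metadata:", key_matches_metadata(METADATA, RESPONSE.format(KEYINFO.format(CERT_B))))
    print("matching key:  ", key_matches_metadata(METADATA, RESPONSE.format(KEYINFO.format(CERT_A))))
```

A False result for a captured response corresponds to the situation in the log above, where the SP cannot match the key directly and falls back to PKIX name checking.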
