Yet I'm experiencing this issue: when a user tries to log in, the page is
redirected to the IdP page and then back to my server, but this error is
returned:
The identity provider supplying your login credentials is not authorized for
use with this service or does not support the necessary capabilities.
and in my shibd.log I find this error:
2011-03-27 19:45:41 WARN OpenSAML.MessageDecoder.SAML1 [3]: no metadata
found, can't establish identity of issuer
(https://idpcrl.crs.lombardia.it//scauth)
The authentication is supposed to happen using a smartcard.
The metadata file and the attributes are provided by the IdP, and also the
root CA certificates.
What I've noticed is that the metadata file has this string:
validUntil="2010-06-03T00:00:00Z">
which is obviously expired.
I've verified the validity of the root CA certificates and they expire in
2016, so I've tried modifying the validUntil parameter to the expiration date
of the certificates, but this didn't solve my problem.
For convenience, here is the metadata file:
<?xml version="1.0" encoding="UTF-8"?>
MIIErjCCA5agAwIBAgIBATANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJJVDEV
MBMGA1UEChMMTElTSVQgUy5wLkEuMSMwIQYDVQQLExpTZXJ2aXppbyBkaSBjZXJ0
aWZpY2F6aW9uZTEqMCgGA1UEAxMhTElTSVQgQ0EgU2Vydml6aW8gZGkgSW50ZWdy
YXppb25lMB4XDTA0MDMwMzA4NTEwMFoXDTE2MDMwMzA4NTAwOVowdTELMAkGA1UE
BhMCSVQxFTATBgNVBAoTDExJU0lUIFMucC5BLjEjMCEGA1UECxMaU2Vydml6aW8g
ZGkgY2VydGlmaWNhemlvbmUxKjAoBgNVBAMTIUxJU0lUIENBIFNlcnZpemlvIGRp
IEludGVncmF6aW9uZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANUe
vtR0HPzpam1LeDvLbGQyD9eV/E0llmu7jJ1rsciXl5G/oLo44sDhr8sGxzjFFXrw
UeyCuqN0HPWne0wH3dmMZLMLOjqHM0XldARcE8LcPgu87VH7Uhn1/Y/ez5uLqVeq
5Rho8YUI+hHX2Ak/3epgapgoVNDe5OwX3z1ThtnuJTz99BG3nJPhWM6GsrKXODte
H81f1YZ0ns5gNuLh8WqoMx53tORI+jb/mcjEG18FYXUEP0dx6Yki99eb5J5HNmwc
bfNYJ5PYve61ftFgS8MYyYBREa+Mwin4bsKnNhzOwLdhzAISNyCf1+DJUIrJGfEv
GAwk4kLGMP+hd93+Sb8CAwEAAaOCAUcwggFDMBIGA1UdEwEB/wQIMAYBAf8CAQAw
PAYDVR0gBDUwMzAxBgkrBgEEAbxuFQIwJDAiBggrBgEFBQcCARYWaHR0cDovL3d3
dy5saXNpdC5pdC9jYTCBvwYDVR0fBIG3MIG0MIGxoIGuoIGrhoGobGRhcDovL2xk
YXAuY3JzLmxvbWJhcmRpYS5pdC9jbiUzZExJU0lUJTIwQ0ElMjBTZXJ2aXppbyUy
MGRpJTIwSW50ZWdyYXppb25lLG91JTNkU2Vydml6aW8lMjBkaSUyMGNlcnRpZmlj
YXppb25lLG8lM2RMSVNJVCUyMFMucC5BLixjJTNkSVQ/Y2VydGlmaWNhdGVSZXZv
Y2F0aW9uTGlzdD9iYXNlMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUzepn46KJ
1CHPfbR0GKlov1FmmowwDQYJKoZIhvcNAQEFBQADggEBAANDWUaeNAz77HTC7dD/
Z3AV4fuLMmJlI3gZrCfwrz3RWYqIHFeKPQdU163Vjq5DuVMxU3A+NCySoCgtNmGo
uPE87+E4rY30TueHJ1FMpYLXBvHZCxFmcBQz/pIv/Sahs546mZBGfxPG+su81r8S
3PWwpR+/B5QDg7Yr7ijLTS+f3jc3mwormgwtpOqoSNtRs6j+EyDlZEExZ4IMykMC
qvr0Bh4m68GThoVe4fcafbCGoSWssgFUJY0ny5EUkqpZKItgCUuiyVTIS2l3GbOZ
YrF7OW3iUHcfi4QP2J5BXiC+7eCt46Y6MICw+ffTuEmf62b5VjhkNdo3oHDgx2gi
eeU=
Lisit S.p.A./ITSIDPCRL/vl18833/18136
CN=LISIT S.P.A./168637,OU=U.O.
Sviluppo,O=Altri Certificati,C=IT
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Any suggestions?
Thanks in advance.
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6212874.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
The metadata file didn't come through successfully, but the error
message is pretty clear. Either the metadata is expired (as you
noticed), or the IdP's entityID doesn't match any entityID that is in
the metadata. If the metadata was signed and you modified the
expiration date, it will still fail to load.
You'll see any failure to load the metadata successfully on startup of
the SP.
Take care,
Nate.
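The three failure modes Nate lists (expired validUntil, an entityID that does not match the issuer shibd logged, and a signed file whose validUntil was edited by hand) can all be checked offline before restarting the SP. The script below is an added example written for this page, not code from the thread or from Shibboleth itself. The sample metadata it checks is constructed, since the real file did not come through on the list; the issuer string and the timestamp are taken from the shibd.log WARN line above. Whether the IdP's real entityID carries the doubled slash seen in that log line is not known from the thread, so the "near miss" heuristic is an assumption about a likely cause, not a confirmed one.

```python
"""Pre-flight checks for an IdP metadata file before restarting shibd.

Added example (not code from the thread or from Shibboleth itself). It checks
the three things Nate's reply points at: an expired validUntil, an entityID
that does not exactly match the issuer logged by shibd, and a signed file
whose validUntil was edited by hand (the signature then no longer verifies).
The sample metadata is constructed for this example; the issuer string and
the timestamp are the ones from the shibd.log line in the thread.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML1_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"

# Issuer exactly as shibd logged it; note the doubled slash before "scauth".
ISSUER_FROM_LOG = "https://idpcrl.crs.lombardia.it//scauth"
# Time of the WARN line in the thread, used as "now" so the result is stable.
SAMPLE_NOW = datetime(2011, 3, 27, 19, 45, 41, tzinfo=timezone.utc)

# Constructed sample (assumption: the real file looks roughly like this):
# signed, expired, and carrying a single-slash entityID.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idpcrl.crs.lombardia.it/scauth"
    validUntil="2010-06-03T00:00:00Z">
  <ds:Signature><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML1_PROTOCOL}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIErjCC...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idpcrl.crs.lombardia.it/scauth/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_saml_instant(value: str) -> datetime:
    """xs:dateTime in metadata is UTC with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def collapse_slashes(url: str) -> str:
    """Collapse repeated slashes after the scheme, for near-miss detection only."""
    scheme, sep, rest = url.partition("://")
    return scheme + sep + re.sub(r"/{2,}", "/", rest)


def check_metadata(xml_text: str, issuer: str, now: datetime) -> dict:
    """Return the findings a practitioner wants before pointing the SP at the file."""
    root = ET.fromstring(xml_text)
    f = {}

    # 1. Expiry. An expired validUntil is rejected when the file is loaded, so the
    #    SP ends up with no metadata for that IdP and logs "no metadata found".
    valid_until = root.get("validUntil")
    f["expired"] = valid_until is not None and parse_saml_instant(valid_until) < now

    # 2. entityID lookup is an exact string comparison: "/scauth" != "//scauth".
    entity_ids = [e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")]
    f["issuer_in_metadata"] = issuer in entity_ids
    f["issuer_near_miss"] = not f["issuer_in_metadata"] and any(
        collapse_slashes(e) == collapse_slashes(issuer) for e in entity_ids
    )

    # 3. Signed metadata: editing validUntil changes the signed bytes, so the
    #    SP's signature check fails and the file is rejected anyway.
    f["signed"] = root.find(f"{{{DS_NS}}}Signature") is not None

    # 4. Role and protocol: the decoder in the log was SAML1, so the IdP role
    #    must advertise the SAML 1.1 protocol.
    idp = root.find(f".//{{{MD_NS}}}IDPSSODescriptor")
    protocols = (idp.get("protocolSupportEnumeration", "") if idp is not None else "").split()
    f["has_idp_role"] = idp is not None
    f["supports_saml1"] = SAML1_PROTOCOL in protocols
    return f


def actions(f: dict) -> list:
    """Turn the findings into the steps to take before the next login attempt."""
    out = []
    if f["expired"]:
        out.append("metadata expired: obtain a fresh file from the IdP operator"
                   + (" (do not edit validUntil by hand: the file is signed)" if f["signed"] else ""))
    if not f["issuer_in_metadata"]:
        out.append("issuer not in metadata"
                   + (" (differs from an entityID only by repeated slashes)" if f["issuer_near_miss"] else ""))
    if not f["has_idp_role"] or not f["supports_saml1"]:
        out.append("no IDPSSODescriptor advertising SAML 1.1")
    return out


def run_sample() -> dict:
    """Run the checks against the constructed sample at the log's timestamp."""
    return check_metadata(SAMPLE_METADATA, ISSUER_FROM_LOG, SAMPLE_NOW)


if __name__ == "__main__":
    for line in actions(run_sample()):
        print(line)
```

To use it on a real deployment, read /etc/shibboleth/IdPCRL-metadata.xml into `check_metadata` with `datetime.now(timezone.utc)` and the issuer copied byte for byte from the shibd.log WARN line. The point of the exact comparison is that the SP does no URL normalisation: an entityID that differs from the issuer by a single character, a doubled slash included, is a different entity as far as the metadata lookup is concerned.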
2011-03-27 23:07:30 INFO Shibboleth.Listener : listener service shutting
down
2011-03-27 23:07:30 INFO Shibboleth.Config : shibboleth 2.0 library shutting
down
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin::getHeaders::Application)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/Login::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/Login::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/WAYF::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/WAYF::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/DS::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/DS::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/SAML2/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/SAML2/POST-SimpleSign)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/SAML2/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/SAML2/ECP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/SAML/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/SAML/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/Logout::run::SAML2LI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/Logout::run::LocalLI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/SLO/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/SLO/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/SLO/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/SLO/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/NIM/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/NIM/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/NIM/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/NIM/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/Artifact/SOAP::run::SAML2Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/Metadata)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (admin/Status)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default::getHeaders::Application)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/Login::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/Login::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/WAYF::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/WAYF::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/DS::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/DS::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/SAML2/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/SAML2/POST-SimpleSign)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/SAML2/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/SAML2/ECP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/SAML/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/SAML/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/Logout::run::SAML2LI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/Logout::run::LocalLI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/SLO/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/SLO/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/SLO/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/SLO/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/NIM/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/NIM/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/NIM/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/NIM/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/Artifact/SOAP::run::SAML2Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/Metadata)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (default/Status)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs::getHeaders::Application)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (run::AssertionLookup)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/Login::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/Login::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/WAYF::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/WAYF::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/DS::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/DS::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/SAML2/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/SAML2/POST-SimpleSign)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/SAML2/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/SAML2/ECP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/SAML/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/SAML/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/Logout::run::SAML2LI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/Logout::run::LocalLI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/SLO/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/SLO/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/SLO/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/SLO/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/NIM/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/NIM/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/NIM/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/NIM/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/Artifact/SOAP::run::SAML2Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/Metadata)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (test-crs/Status)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (find::StorageService::SessionCache)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (remove::StorageService::SessionCache)
2011-03-27 23:07:30 INFO Shibboleth.Listener : unregistered remoted message
endpoint (touch::StorageService::SessionCache)
2011-03-27 23:07:30 INFO XMLTooling.StorageService : cleanup thread finished
2011-03-27 23:07:30 INFO XMLTooling.XMLToolingConfig : xmltooling 1.0
library shutdown complete
2011-03-27 23:07:30 INFO OpenSAML.SAMLConfig : opensaml 2.0 library shutdown
complete
2011-03-27 23:07:30 INFO Shibboleth.Config : shibboleth 2.0 library shutdown
complete
2011-03-27 23:07:30 INFO Shibboleth.Config : building ListenerService of
type UnixListener...
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (set::RelayState)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (get::RelayState)
2011-03-27 23:07:30 INFO Shibboleth.Config : building StorageService (mem)
of type Memory...
2011-03-27 23:07:30 INFO XMLTooling.StorageService : cleanup thread
started...running every 900 seconds
2011-03-27 23:07:30 INFO Shibboleth.Config : building ReplayCache on top of
StorageService (mem)...
2011-03-27 23:07:30 INFO Shibboleth.Config : building in-memory
ArtifactMap...
2011-03-27 23:07:30 INFO Shibboleth.Config : building SessionCache of type
StorageService...
2011-03-27 23:07:30 INFO Shibboleth.SessionCache : bound to StorageService
(mem)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (find::StorageService::SessionCache)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (remove::StorageService::SessionCache)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (touch::StorageService::SessionCache)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (run::AssertionLookup)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Login::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Login::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/WAYF::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/WAYF::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/DS::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/DS::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/POST-SimpleSign)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/ECP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Logout::run::SAML2LI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Logout::run::LocalLI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SLO/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SLO/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SLO/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SLO/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/NIM/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/NIM/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/NIM/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/NIM/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Artifact/SOAP::run::SAML2Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Metadata)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Status)
2011-03-27 23:07:30 INFO Shibboleth.Application : building MetadataProvider
of type Chaining...
2011-03-27 23:07:30 INFO Shibboleth.Application : building TrustEngine of
type Chaining...
2011-03-27 23:07:30 INFO XMLTooling.TrustEngine.Chaining : building
TrustEngine of type ExplicitKey
2011-03-27 23:07:30 INFO XMLTooling.TrustEngine.Chaining : building
TrustEngine of type PKIX
2011-03-27 23:07:30 INFO Shibboleth.Application : building
AttributeExtractor of type XML...
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : loaded XML resource
(/etc/shibboleth/attribute-map.xml)
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute urn:mace:dir:attribute-def:eduPersonPrincipalName
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.6
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute urn:mace:dir:attribute-def:eduPersonScopedAffiliation
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.9
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute urn:mace:dir:attribute-def:eduPersonAffiliation
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.1
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute urn:mace:dir:attribute-def:eduPersonEntitlement
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.7
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute urn:mace:dir:attribute-def:eduPersonTargetedID
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.10
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2011-03-27 23:07:30 INFO Shibboleth.Application : building AttributeFilter
of type XML...
2011-03-27 23:07:30 INFO Shibboleth.AttributeFilter : loaded XML resource
(/etc/shibboleth/attribute-policy.xml)
2011-03-27 23:07:30 INFO Shibboleth.Application : building AttributeResolver
of type Query...
2011-03-27 23:07:30 INFO Shibboleth.Application : building
CredentialResolver of type File...
2011-03-27 23:07:30 ERROR XMLTooling.CredentialResolver.File : key file
(/etc/shibboleth/sp-key.pem) can't be opened
2011-03-27 23:07:30 CRIT Shibboleth.Application : error building
CredentialResolver: FilesystemCredentialResolver can't access key file
(/etc/shibboleth/sp-key.pem)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (default::getHeaders::Application)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (run::AssertionLookup)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/Login::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/Login::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/WAYF::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/WAYF::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/DS::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/DS::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/SAML2/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/SAML2/POST-SimpleSign)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/SAML2/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/SAML2/ECP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/SAML/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/SAML/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/Logout::run::SAML2LI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/Logout::run::LocalLI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/SLO/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/SLO/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/SLO/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/SLO/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/NIM/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/NIM/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/NIM/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/NIM/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/Artifact/SOAP::run::SAML2Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/Metadata)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin/Status)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (admin::getHeaders::Application)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (run::AssertionLookup)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/Login::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/Login::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/WAYF::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/WAYF::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/DS::run::SAML2SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/DS::run::Shib1SI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/SAML2/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/SAML2/POST-SimpleSign)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/SAML2/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/SAML2/ECP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/SAML/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/SAML/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/Logout::run::SAML2LI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/Logout::run::LocalLI)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/SLO/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/SLO/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/SLO/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/SLO/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/NIM/SOAP)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/NIM/Redirect)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/NIM/POST)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/NIM/Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/Artifact/SOAP::run::SAML2Artifact)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/Metadata)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs/Status)
2011-03-27 23:07:30 INFO Shibboleth.Application : building MetadataProvider
of type XML...
2011-03-27 23:07:30 INFO OpenSAML.MetadataProvider.XML : loaded XML resource
(/etc/shibboleth/IdPCRL-metadata.xml)
2011-03-27 23:07:30 INFO Shibboleth.Application : building TrustEngine of
type PKIX...
2011-03-27 23:07:30 INFO Shibboleth.Application : building
AttributeExtractor of type XML...
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : loaded XML resource
(/etc/shibboleth/IdPCRL-attribute-map.xml)
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute userID
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute CNS_CARTA_REALE,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute CNS_ISSUER,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute CNS_SUBJECT,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute nome, Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute cognome,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute codiceFiscale,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute sesso,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute dataNascita,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute luogoNascita,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute provinciaNascita,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute statoNascita,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute indirizzoResidenza,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute capResidenza,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute cittaResidenza,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute provinciaResidenza,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute statoResidenza,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute cartaIdentita,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute idComuneRegistrazione,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute emailAddress,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute titolo,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute cellulare,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute telefono,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute lavoro,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute pin, Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute password,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute indirizzoDomicilio,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute capDomicilio,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute cittaDomicilio,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute provinciaDomicilio,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute statoDomicilio,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.AttributeExtractor : creating mapping
for Attribute domicilioElettronico,
Format/Namespace:https://idpcrl.crs.lombardia.it//scauth
2011-03-27 23:07:30 INFO Shibboleth.Application : building AttributeFilter
of type XML...
2011-03-27 23:07:30 INFO Shibboleth.AttributeFilter : loaded XML resource
(/etc/shibboleth/IdPCRL-attribute-policy.xml)
2011-03-27 23:07:30 INFO Shibboleth.Listener : registered remoted message
endpoint (test-crs::getHeaders::Application)
2011-03-27 23:07:30 INFO Shibboleth.Listener : listener service starting
and in particular I see this entry:
2011-03-27 23:07:30 ERROR XMLTooling.CredentialResolver.File : key file
(/etc/shibboleth/sp-key.pem) can't be opened
2011-03-27 23:07:30 CRIT Shibboleth.Application : error building
CredentialResolver: FilesystemCredentialResolver can't access key file
(/etc/shibboleth/sp-key.pem)
Do you think this may be in any way related to my issue?
Nate Klingenstein wrote:
>
> Rampage,
>
> The metadata file didn't come through successfully, but the error
> message is pretty clear. Either the metadata is expired(as you
> noticed), or the IdP's entityID doesn't match any entityID that is in
> the metadata. If the metadata was signed and you modified the
> expiration date, it will still fail to load.
>
> You'll see any failure to load the metadata successfully on startup of
> the SP.
>
> Take care,
> Nate.
>
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6213124.html
This looks okay, so their IdP is probably using different entityID
names for itself in the metadata and in their relying-party.xml
configuration. Check the entityID of the incoming assertion against
the EntityDescriptor entityID="https://name.here/idp" in the metadata.
Thanks,
Nate.
That depends on the IdP. An IdP can choose to be totally promiscuous
and send information to anyone, or it can choose to enforce strict
trust rules, or anything in between. The defaults in Shibboleth
enforce trust, but this is clearly not a Shibboleth IdP, so I have no
idea. Apparently they're willing to send you something, though you'd
have to turn up the logging to DEBUG(shibd.logger) to see exactly what.
Take care,
Nate.
Thank you very much for the help and time you spent replying to my requests.
Thanks again.
Nate Klingenstein wrote:
>
> Rampage,
>
> That depends on the IdP. An IdP can choose to be totally promiscuous
> and send information to anyone, or it can choose to enforce strict
> trust rules, or anything in between. The defaults in Shibboleth
> enforce trust, but this is clearly not a Shibboleth IdP, so I have no
> idea. Apparently they're willing to send you something, though you'd
> have to turn up the logging to DEBUG(shibd.logger) to see exactly what.
>
> Take care,
> Nate.
>
> On Mar 27, 2011, at 22:17 , Rampage wrote:
>
> > yet just a question ('cause maybe I'm an idiot and didn't figure it
> > out) does the IdP need to know me?
> > I mean my platform, do I need to notify the IdP management for some
> > sort of subscription to their service before I can use it for my SSO?
>
> http://shibboleth.1660669.n2.nabble.com/file/n6214230/shibboleth_debug.log
> shibboleth_debug.log
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6214230.html
Out of curiosity, how are you loading the metadata for the IdP in your SP?
Best wishes,
Masud
The only thing I've modified is the hostname and the identifier of my
application.
I've attached to this mail the configuration file for Shibboleth:
http://shibboleth.1660669.n2.nabble.com/file/n6214720/shibboleth2.xml
shibboleth2.xml
Masud Khokhar wrote:
>
> Hi Rampage,
>
> Out of curiosity, how are you loading the metadata for the IdP in your SP?
>
> Best wishes,
> Masud
>
>
>
> On 28/03/11 10:43, Rampage wrote:
> > I've enabled the debug log and here is attached the result.. I've
> > tried to understand if there were something wrong, but I can't get to
> > it.. maybe you can help me out.
> >
> > thanks again
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6214720.html
Try explicitly loading the IdP metadata at the SP level. Download it,
save it in an xml file. Add this to your shibboleth2.xml file.
<MetadataProvider type="XML" file="/etc/shibboleth/idp-metadata.xml"/>
Restart shibd, and see if this changes anything.
Best,
Masud
Masud Khokhar wrote:
>
> Hi Rampage,
>
> Try explicitly loading the IdP metadata at the SP level. Download it,
> save it in an xml file. Add this to your shibboleth2.xml file.
>
> <MetadataProvider type="XML" file="/etc/shibboleth/idp-metadata.xml"/>
>
> Restart shibd, and see if this changes anything.
>
> Best,
> Masud
>
> On 28/03/11 13:29, Rampage wrote:
> > Most of the files were provided with the implementation tutorials of
> the IdP
> > i'm going to use for my SSO.
> >
> > the only thing i've modified is the hostname and the identifier of my
> > application
> >
> > i've attached to this mail the configuration file for shibboleth
> > http://shibboleth.1660669.n2.nabble.com/file/n6214720/shibboleth2.xml
> > shibboleth2.xml
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6214817.html
You shouldn't be using an ApplicationOverride at this stage. That is
almost certainly causing your problem if you are.
-- Scott
I've tried to specify the metadata in the main application "pool"(?) and now
the error returned is that the content is signed but can't be verified:
2011-03-28 15:25:25 DEBUG OpenSAML.MessageDecoder.SAML1 [1]: extracting
issuer from SAML 1.x Response
2011-03-28 15:25:25 DEBUG OpenSAML.MessageDecoder.SAML1 [1]: response from
(https://idpcrl.crs.lombardia.it//scauth)
2011-03-28 15:25:25 DEBUG OpenSAML.MessageDecoder.SAML1 [1]: searching
metadata for response issuer...
2011-03-28 15:25:25 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]:
evaluating message flow policy (replay checking on, expiration 60)
2011-03-28 15:25:25 DEBUG XMLTooling.StorageService [1]: inserted record
(_0942bea23507ea591ba440fc3a2c752a) in context (MessageFlow)
2011-03-28 15:25:25 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]:
validating signature profile
2011-03-28 15:25:25 ERROR XMLTooling.TrustEngine.PKIX [1]: certificate name
was not acceptable
2011-03-28 15:25:25 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable
to verify message signature with supplied trust engine
Cantor, Scott E. wrote:
>
> On 3/28/11 3:00 PM, "Rampage" <atomi...@email.it> wrote:
> >isn't it already specified in the applicationoverride?
>
> You shouldn't be using an ApplicationOverride at this stage. That is
> almost certainly causing your problem if you are.
>
> -- Scott
>
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6215016.html
Then the metadata is wrong, basically, it's not using the key indicated.
From the log it would appear they've screwed with the default TrustEngine
setup as well.
I think you should install the SP using its own default config and adjust
as needed by following our documentation. If you don't understand
something, ask.
-- Scott
Masud Khokhar wrote:
>
> Not sure about this one, but can you double check a few things?
>
> Firstly, whether this line in your shibboleth2.xml is actually pointing
> to the right certificate with the right path.
>
> <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
>
> Secondly, this may or may not work, if you have IdP's certificate, you
> can try adding Metadata like this:
>
> <MetadataProvider type="XML" file="/etc/shibboleth/idp-metadata.xml">
>   <MetadataFilter type="Signature" certificate="idp-cert.pem"/>
> </MetadataProvider>
>
> Best wishes,
> Masud
>
>
> On 28/03/11 14:47, Rampage wrote:
> > I'm trying to edit the configuration file to remove the applicationoverride
> > and use the default, but there are lots of parameters that I can't
> > understand and I don't think I'll be able to migrate; the file was provided
> > this way by the IdP, so I thought it was ok to use it with application
> > override.
> >
> > I've tried to specify the metadata in the main application "pool"(?) and now
> > the error returned is that the content is signed but can't be verified:
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6215325.html
If you don't have a cert for the IdP in its metadata, then you'd have to
use a different trust model than Shibboleth is geared to. You have the
PKIX trust engine running, but you would need some advanced content in the
metadata to make things work, specifically a KeyName in the KeyInfo
matching the certificate it's using, and a KeyAuthority extension at the
EntityDescriptor level documenting the root CA(s).
I suspect the best source of examples for this are some of the various
federation metadata files around.
-- Scott
Lisit S.p.A./ITSIDPCRL/vl18833/18136
CN=LISIT S.P.A./168637,OU=U.O. Sviluppo,O=Altri Certificati,C=IT
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
This file, as said, was provided by the IdP so I'm assuming it's correct.
Cantor, Scott E. wrote:
>
> On 3/28/11 5:01 PM, "Rampage" <atomi...@email.it> wrote:
> >I don't have any certificate from the IdP so i don't have anything to
> use
> >for
> >the filter parameter, only the rootCA certificates
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6215432.html
2011-03-30 13:47:50 ERROR XMLTooling.TrustEngine.PKIX [1]: certificate
name was not acceptable
Is there a way to obtain such information from the .crt files?
Thanks in advance.
Putting the certificate into the metadata only works if you use the
ExplicitKey trust engine.
The relevant wiki topics:
- Metadata
- TrustManagement
- NativeSPTrustEngine
>2011-03-30 13:47:50 ERROR XMLTooling.TrustEngine.PKIX [1]: certificate
>name was not acceptable
>
>is there a way to obtain such information from the .crt files?
Yes, openssl. You need to add the appropriate ds:KeyName AND add the
appropriate shib:KeyAuthority extension.
Or you can leave the certificate in there in the metadata, and simply fix
your trust engine set to include the default set.
-- Scott
As you suggest, I would like to check if the certificate name and key name
are correct, as the error returned is related to the signature.
The error says:
2011-03-30 13:47:50 ERROR XMLTooling.TrustEngine.PKIX [1]: certificate name
was not acceptable
Is there a way, having the .crt files, to obtain the key name? With OpenSSL
or such?
In my metadata the entry is like this:
Lisit S.p.A./ITSIDPCRL/vl18833/18136
and there are 2 of them; I assume that's due to the fact that there are 2
x509 certificates.
If this name is wrong, maybe something in the signature may screw up,
so I was planning to extract them from the certs to see if they were
correct.
Also, if you have some targeted example to suggest that I take a look at to
better understand how metadata and PKIX interoperate, it would be really
helpful.
Thanks in advance, and sorry for bugging you so much :)
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6222623.html
'man x509'.
>also if you have some targeted example to suggest me to take a look at to
>better understand how metadata and PKIX interoperate it would be really
>helpful.
I gave you one, I said to look at the various federation metadata files,
such as the UK federation's metadata, for examples of dealing with PKIX.
My strong advice is that you don't. Fix your config and use the default
trust engines, put the IdP's cert in the metadata, and demand that the IdP
provide a signed metadata file, with appropriate short term expiration, at
a URL you can maintain it from.
-- Scott
I've noticed, though, that the metadata file has something wrong.
Because if I do
# openssl x509 -inform DER -in "Root Certificate LISIT CA di Servizio (CRS
reali).crt" -text | grep Issuer
I obtain:
Issuer: C=IT, O=LISIT S.p.A., OU=Servizio di certificazione,
CN=LISIT CA di Servizio
while the parameter in the metadata file is:
CN=LISIT S.P.A./168637,OU=U.O. Sviluppo,O=Altri Certificati,C=IT
which is definitely different from the one contained in the crt file.
The problem is that even if I replace that string with
CN=LISIT CA di Servizio,OU=Servizio di certificazione,O=LISIT S.p.A., C=IT
I still get the signature error.
Am I doing it wrong? Some syntax error around? (maybe?)
Thanks again.. I'm tedious, I know :(
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6224251.html
The complete set of links you need that describe the use of metadata with
PKIX are here:
https://spaces.internet2.edu/display/SHIB2/TrustManagement
You need to embed the certificate authority into a KeyAuthority extension
and add a KeyName containing the certificate subject the IdP will use. If
the IdP won't guarantee what that is, then they can't be made to work with
Shibboleth. You can't simply authorize all certificates issued by a CA for
an IdP.
-- Scott
I have a first block with the KeyAuthority, containing the x509 certificates
of the CA,
and a second block with the EntityDescriptor and KeyDescriptor, KeyInfo and
KeyName.
Since I'm worried that the KeyNames are wrong, I was wondering if there was a
way to verify them and eventually correct them.
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6224527.html
You would need to look at the IdP's certificate and see what the name is.
You should not put DNs into the metadata, you should use only the CN or
subjectAltName. Matching on the DN is very brittle.
-- Scott
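Scott's two points above, reading the certificate's name with openssl and putting only the CN or subjectAltName (never the DN) into ds:KeyName, as an added shell example that is not from the thread. It builds its own throwaway self-signed certificate with constructed names (idp.example.org, sso.example.org), so no real IdP certificate or key is assumed; the openssl CLI (1.1.1 or newer) must be on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: list the names a PKIX trust engine can
# match a certificate on, and check a candidate ds:KeyName against them.
# Needs the openssl CLI (1.1.1 or newer for -ext and -addext).

# Print the subject CN and every DNS subjectAltName of a PEM certificate,
# one per line, without duplicates. These are the values that belong in
# ds:KeyName; a full DN ("CN=...,OU=...,O=...,C=IT") does not.
cert_key_names() {
    {
        openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 \
            | sed -n 's/^ *CN=//p'
        openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
            | tr ',' '\n' | sed -n 's/^ *DNS://p'
    } | awk '!seen[$0]++'
}

# Exit 0 if KEYNAME is exactly one of the certificate's names, 1 otherwise.
# A mismatch here is what shibd logs as
# "XMLTooling.TrustEngine.PKIX: certificate name was not acceptable".
keyname_matches() {
    cert_key_names "$1" | grep -qxF -- "$2"
}

# Render the KeyDescriptor an IdP entry carries under PKIX: a KeyName only,
# no certificate. The CA certificate goes in a separate KeyAuthority
# extension at EntityDescriptor level, which this helper does not render.
render_keydescriptor() {
    printf '<KeyDescriptor use="signing">\n'
    printf '  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
    printf '    <ds:KeyName>%s</ds:KeyName>\n' "$1"
    printf '  </ds:KeyInfo>\n'
    printf '</KeyDescriptor>\n'
}

# Constructed fixture: a throwaway self-signed certificate with hypothetical
# names, standing in for the IdP signing certificate seen in the DEBUG log.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=IT/O=Example Org/OU=Sviluppo/CN=idp.example.org" \
        -addext "subjectAltName=DNS:idp.example.org,DNS:sso.example.org" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir/cert.pem"
}

if [ "${1:-}" = "--demo" ]; then
    cert=$(make_test_cert) || { echo "openssl too old or missing" >&2; exit 1; }
    echo "names usable as ds:KeyName:"
    cert_key_names "$cert"
    # The DN form, as in the thread's metadata, is never accepted.
    if keyname_matches "$cert" "CN=idp.example.org"; then
        echo "DN form matched (unexpected)"
    else
        echo "DN form 'CN=idp.example.org' does not match: use the bare CN"
    fi
    keyname_matches "$cert" "idp.example.org" && render_keydescriptor "idp.example.org"
fi
```

Run it with `--demo` to see the names, or point `cert_key_names` at the certificate captured from the DEBUG log to compare with the KeyName in your metadata before restarting shibd.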
To use the CN I should do something like
CN=CN=LISIT CA di Servizio
?
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6224595.html
>For which (the IdP certificate) I suppose I have to ask the IdP
>management,
>as they don't provide you with any certificate, but only with CA root
>certs.
Or you can just get it from the logs on DEBUG, or from the browser as it
posts the form.
Here's the thing: if they don't commit to maintaining that key name or
informing you when it changes, you're just going to break later.
This is what metadata is for. If you have to create the metadata, you're
not in an operationally sustainable situation.
-- Scott
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6225286.html
>I'm analyzing the response from the server, but I can't seem to find
>anything
>that looks like a common name for the certificate :(
If there's a certificate, which there should be, there's a name inside it.
-- Scott
I'll let you know if it works, as it's all thanks to you if it does :)
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6226230.html
The CN for the certificate provided by the IdP in the metadata file was
incorrect. I replaced it with the correct one and now it works like a charm.
Wonderful :)
Thank you very much!
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6226978.html