[Shib-Users] Inbound AuthnRequest was required to be signed but was not


Eugene Dvorkin

Jul 8, 2010, 10:19:18 AM
to shibbole...@internet2.edu

I have a problem with communication between the SP and IdP I installed. My SP is a Java SAML 2 servlet (Spring Security SAML module) and the IdP is installed on a Linux server.

When I connect to my SP to establish a Shibboleth session it redirects me to the IdP, but I get the error message "Message did not meet security requirements".

I think something is misconfigured but I can't figure out whether it is on the SP or IdP side. Can anybody give me a hint?

Certificates? Keys?

10:00:01.133 - INFO [Shibboleth-Access:73] - 20100708T140001Z|192.168.11.61|idp.dev.artstor.org:443|/profile/SAML2/Redirect/SSO|
10:00:01.175 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:85] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
10:00:01.176 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
10:00:01.177 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:142] - Incoming request does not contain a login context, processing as first leg of request
10:00:01.180 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:280] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
10:00:01.326 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126] - Looking up relying party configuration for http://sp.dev.artstor.org:8080/artstor
10:00:01.327 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:132] - No custom relying party configuration found for http://sp.dev.artstor.org:8080/artstor, looking up configuration based on metadata groups.
10:00:01.327 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155] - No custom or group-based relying party configuration found for http://sp.dev.artstor.org:8080/artstor. Using default relying party configuration.
10:00:01.334 - ERROR [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:86] - SPSSODescriptor for entity ID 'http://sp.dev.artstor.org:8080/artstor' indicates AuthnRequests must be signed, but inbound message was not signed
10:00:01.349 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:316] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Inbound AuthnRequest was required to be signed but was not
        at org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule.evaluate(SAML2AuthnRequestsSignedRule.java:88) [opensaml-2.3.1.jar:na]
        at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:50) [openws-1.3.0.jar:na]
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:110) [openws-1.3.0.jar:na]
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) [openws-1.3.0.jar:na]
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:69) [opensaml-2.3.1.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:300) [shibboleth-identityprovider-2.1.5.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:166) [shibboleth-identityprovider-2.1.5.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:143) [shibboleth-identityprovider-2.1.5.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:1) [shibboleth-identityprovider-2.1.5.jar:na]
        at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.1.4.jar:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.26]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.26]
        at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.1.5.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.26]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.26]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.26]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.26]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.26]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.26]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.26]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.26]
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:6.0.26]
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote.jar:6.0.26]
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) [tomcat-coyote.jar:6.0.26]
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) [tomcat-coyote.jar:6.0.26]
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) [tomcat-coyote.jar:6.0.26]
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:6.0.26]
        at java.lang.Thread.run(Thread.java:619) [na:1.6.0_20]


Peter Schober

Jul 8, 2010, 10:32:00 AM
to shibbole...@internet2.edu
* Eugene Dvorkin <Eugene....@artstor.org> [2010-07-08 16:20]:

> I have a problem communication between SP and IdpI installed. My SP is a
> java SAML 2 servlet (Spring Security SAML Module) and Idp installed on
> a linux server.
[...]

> org.opensaml.ws.security.SecurityPolicyException: Inbound
> AuthnRequest was required to be signed but was not

What does the SP's metadata say?
-peter

Eugene Dvorkin

Jul 8, 2010, 10:59:14 AM
to shibbole...@internet2.edu
My SP metadata and IdP metadata are as follows. Is that what you are asking?

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="http://sp.dev.artstor.org:8080/artstor">
<md:SPSSODescriptor AuthnRequestsSigned="true"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>

<ds:X509Certificate>MIID1DCCArygAwIBAgIQXF+9Fo0vyDnZoUt4pmIoUjANBgkqhkiG
9w0BAQUFADCBrTELMAkGA1UE
BhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBT
ZXJ2
aWNlcyBEaXZpc2lvbjEwMC4GA1UECxMnRm9yIFRlc3QgUHVycG9zZXMgT25seS4gIE5vIGFz
c3Vy
YW5jZXMuMSswKQYDVQQDEyJ0aGF3dGUgVHJpYWwgU2VjdXJlIFNlcnZlciBSb290IENBMB4X
DTEw
MDYxNzAwMDAwMFoXDTEwMDcwODIzNTk1OVowga8xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhO
ZXcg
WW9yazERMA8GA1UEBxQITmV3IFlvcmsxFDASBgNVBAoUC0FydHN0b3IgSW5jMRQwEgYDVQQL
FAtE
ZXZlbG9wbWVudDEwMC4GA1UECxQnRm9yIFRlc3QgUHVycG9zZXMgT25seS4gIE5vIGFzc3Vy
YW5j
ZXMuMRwwGgYDVQQDFBNpZHAuZGV2LmFydHN0b3Iub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCB
iQKBgQCgKic4P2Y5Vrsa7KlgICfnazrNtUWZqANeBhH8IjlVKAgEh7Dr7TpUWVMFhmXXuS0T
FjgZ
aHc5wpo2szeb4k0KEd+PUxQmOMqWm951XHAFzgm0Gotj82fU30MIAxanJMCRnPG0vyp+n7PF
L8go
pFExWZDIx9AZzshDlRPAw8tGYwIDAQABo3AwbjAMBgNVHRMBAf8EAjAAMD8GA1UdHwQ4MDYw
NKAy
oDCGLmh0dHA6Ly9jcmwudGhhd3RlLmNvbS90aGF3dGVUcmlhbFNTTFJvb3RDQS5jcmwwHQYD
VR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQBQUesYltr/Yi7J
F4eQ
rbIhH4LCseIfYMzQ23PraYwO0Dg5SltWA4j3/qRmpyfzXjuqSJk9qfgZRv6OtwdVecVIJfVe
3rIo
4M1RkMuuiQqeZ+rx0EXledr4HfS6Um0fcz5c2FmF+E9Ck0SYDeatBmcwqABpfMn8jn7eX1fO
kAnN
DCIS4SDrEY4rnww9WQGXUgOP6Xnit6nu7qTj4nHb2B97JwLGUAUlYHy6OXaawvGX6X307Nnb
LZE+
hs2KMSpC3DEFUs3EPnDhd+rWnBQ/25zrtzO70DLPF4WJtC2I+EoCo8QjPIIZxvEakzuikXcD
s4st
Ow2JUguP1vyizsv/tUYw</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>

<ds:X509Certificate>MIID1DCCArygAwIBAgIQXF+9Fo0vyDnZoUt4pmIoUjANBgkqhkiG
9w0BAQUFADCBrTELMAkGA1UE
BhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBT
ZXJ2
aWNlcyBEaXZpc2lvbjEwMC4GA1UECxMnRm9yIFRlc3QgUHVycG9zZXMgT25seS4gIE5vIGFz
c3Vy
YW5jZXMuMSswKQYDVQQDEyJ0aGF3dGUgVHJpYWwgU2VjdXJlIFNlcnZlciBSb290IENBMB4X
DTEw
MDYxNzAwMDAwMFoXDTEwMDcwODIzNTk1OVowga8xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhO
ZXcg
WW9yazERMA8GA1UEBxQITmV3IFlvcmsxFDASBgNVBAoUC0FydHN0b3IgSW5jMRQwEgYDVQQL
FAtE
ZXZlbG9wbWVudDEwMC4GA1UECxQnRm9yIFRlc3QgUHVycG9zZXMgT25seS4gIE5vIGFzc3Vy
YW5j
ZXMuMRwwGgYDVQQDFBNpZHAuZGV2LmFydHN0b3Iub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCB
iQKBgQCgKic4P2Y5Vrsa7KlgICfnazrNtUWZqANeBhH8IjlVKAgEh7Dr7TpUWVMFhmXXuS0T
FjgZ
aHc5wpo2szeb4k0KEd+PUxQmOMqWm951XHAFzgm0Gotj82fU30MIAxanJMCRnPG0vyp+n7PF
L8go
pFExWZDIx9AZzshDlRPAw8tGYwIDAQABo3AwbjAMBgNVHRMBAf8EAjAAMD8GA1UdHwQ4MDYw
NKAy
oDCGLmh0dHA6Ly9jcmwudGhhd3RlLmNvbS90aGF3dGVUcmlhbFNTTFJvb3RDQS5jcmwwHQYD
VR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQBQUesYltr/Yi7J
F4eQ
rbIhH4LCseIfYMzQ23PraYwO0Dg5SltWA4j3/qRmpyfzXjuqSJk9qfgZRv6OtwdVecVIJfVe
3rIo
4M1RkMuuiQqeZ+rx0EXledr4HfS6Um0fcz5c2FmF+E9Ck0SYDeatBmcwqABpfMn8jn7eX1fO
kAnN
DCIS4SDrEY4rnww9WQGXUgOP6Xnit6nu7qTj4nHb2B97JwLGUAUlYHy6OXaawvGX6X307Nnb
LZE+
hs2KMSpC3DEFUs3EPnDhd+rWnBQ/25zrtzO70DLPF4WJtC2I+EoCo8QjPIIZxvEakzuikXcD
s4st
Ow2JUguP1vyizsv/tUYw</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>

<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName</md:NameIDFormat>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://sp.dev.artstor.org:8080/artstor/saml/SSO" index="0"
isDefault="true"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>


My IdP metadata is:
<EntityDescriptor entityID="https://idp.dev.artstor.org/idp/shibboleth"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<IDPSSODescriptor
protocolSupportEnumeration="urn:mace:shibboleth:1.0
urn:oasis:names:tc:SAML:1.1:protocol
urn:oasis:names:tc:SAML:2.0:protocol">

<Extensions>
<shibmd:Scope regexp="false">artstor.org</shibmd:Scope>
</Extensions>

<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate><!-- certificate elided --></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>

<ArtifactResolutionService
Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://idp.dev.artstor.org/idp/profile/SAML1/SOAP/ArtifactResolution"
index="1"/>

<ArtifactResolutionService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://idp.dev.artstor.org/idp/profile/SAML2/SOAP/ArtifactResolution"
index="2"/>

<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://idp.dev.artstor.org/idp/profile/SAML2/Redirect/SSO" />

<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://idp.dev.artstor.org/idp/profile/SAML2/POST/SSO" />

<SingleSignOnService
Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
Location="https://idp.dev.artstor.org/idp/profile/Shibboleth/SSO" />

<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="https://idp.dev.artstor.org/idp/profile/SAML2/POST-SimpleSign/SSO" />


</IDPSSODescriptor>

<AttributeAuthorityDescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol
urn:oasis:names:tc:SAML:2.0:protocol">

<Extensions>
<shibmd:Scope regexp="false">artstor.org</shibmd:Scope>
</Extensions>

<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDOzCCAiOgAwIBAgIUV7tA+zVDfXmyLRjF9zYqQy4XkF8wDQYJKoZIhvcNAQEF
BQAwHzEdMBsGA1UEAxMUaWRwLnRlc3QuYXJ0c3Rvci5vcmcwHhcNMTAwNjE0MTYx
ODQzWhcNMzAwNjE0MTYxODQzWjAfMR0wGwYDVQQDExRpZHAudGVzdC5hcnRzdG9y
Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIAah9x9L/E9+Y07
B+wM6jOLXZtHWtqindFdxQvyCD88VWfSiToBIJjjMHVrn3+pz36Cu69vfl+JgcYk
7djWXQo0A3ThHGDPNBNGwbvtTj7cetoM+AWviGMmAuBIbsM8jc2yVyFJCrU6t0E8
TqqDZdRGaGIAG9+97YJU+Ly6gqrUgfysoU2+j8NLvPsPhkQ7RpzqvcgBdRZykFVU
8ixDsPXHOA0qsnP9ZIOZhSJIF05bWKAZfbHU7QJl5BXq1PkLejnbB2hhxlfexv4q
T3r6cK8upFhj3DnHxKpqNIDwA1mBrnwEfQHy7aORKKDSdLY9GIoAKSy0fd3Iwzoz
MZRj548CAwEAAaNvMG0wTAYDVR0RBEUwQ4IUaWRwLnRlc3QuYXJ0c3Rvci5vcmeG
K2h0dHBzOi8vaWRwLnRlc3QuYXJ0c3Rvci5vcmcvaWRwL3NoaWJib2xldGgwHQYD
VR0OBBYEFF6SSCw1NtdGimo17vZqNgucGLdOMA0GCSqGSIb3DQEBBQUAA4IBAQB2
k75JuLOLTr0es8HfFR6uv3SWEiyGJRONTRs5ullJPl3bCiG8fFFrODy6mPV6tnk9
2S5utAQPLV6KEUs7FHnnNj2fpL4IFN6xuPIiwA4f5IOEhep93iGOJ+oveXf0Zu5E
NuaxdF9wZ27NCfvaH005wSkvZoRn/D0icqBpJr5bjlkRd6kk6TxuJDjFZqT5OeAw
SsuGTlouQpD3ELgzkeEfsGiDHz0omkeG9LLIYcA1vt2Myud/2OjfzrpQY7/Eut9F
DutRiimEgPnzsgxRKeqwL/SsYV/31LBNem8Nz+X+zoNF3Bzk/xPLzlFowcaVS6G4
YgiYj/teMR1jvrlUtVuo

</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>

<AttributeService
Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://idp.dev.artstor.org/idp/profile/SAML1/SOAP/AttributeQuery" />

<AttributeService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://idp.dev.artstor.org/idp/profile/SAML2/SOAP/AttributeQuery" />

<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

</AttributeAuthorityDescriptor>

</EntityDescriptor>

Peter Schober

Jul 8, 2010, 11:06:07 AM
to shibbole...@internet2.edu
* Peter Schober <peter....@univie.ac.at> [2010-07-08 16:32]:

> What does the SP's metadata say?

* Eugene Dvorkin <Eugene....@artstor.org> [2010-07-08 17:00]:


> My SP Metadata and IDP metadata as follow:
> Is that what you asking?

> <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor
> xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> entityID="http://sp.dev.artstor.org:8080/artstor">
> <md:SPSSODescriptor AuthnRequestsSigned="true"

Does AuthnRequestsSigned="true" ring a bell?
(SAML V2.0 Metadata, p.18)
Not sure if the IdP honors this, but that's what I'd look into.
-peter
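The check Peter points at, as an added example that is not part of the thread and not OpenSAML's or Shibboleth's own code: a Python re-implementation of the decision the IdP's SAML2AuthnRequestsSignedRule logged, applied to the SP metadata above, together with the SP side of the HTTP-Redirect binding so an unsigned and a signed request can be compared. The metadata fragment, the AuthnRequest, the RelayState and the placeholder Signature value are constructed; the entity IDs and endpoints are the ones from the thread. The RSA signing and verification themselves need a crypto library and are not included; redirect_signing_input returns the exact octets that a verifier must check against the certificate in the SP's signing KeyDescriptor.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

SP_ENTITY_ID = "http://sp.dev.artstor.org:8080/artstor"
IDP_SSO_REDIRECT = "https://idp.dev.artstor.org/idp/profile/SAML2/Redirect/SSO"

# Constructed: the part of the SP metadata from the thread that the rule reads.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="{SAMLP_NS}">
    <md:AssertionConsumerService Binding="{POST}" index="0" isDefault="true"
        Location="{SP_ENTITY_ID}/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: a minimal AuthnRequest such as the SP would send on the first leg.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_c0ffee0001" Version="2.0" IssueInstant="2010-07-08T14:00:01Z"
    Destination="{IDP_SSO_REDIRECT}" AssertionConsumerServiceURL="{SP_ENTITY_ID}/saml/SSO">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
</samlp:AuthnRequest>"""


def authn_requests_signed(metadata_xml: str, entity_id: str) -> bool:
    """Read AuthnRequestsSigned from the SP's SPSSODescriptor; the schema default is false."""
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:
        raise ValueError(f"metadata is for {root.get('entityID')!r}, not {entity_id!r}")
    spsso = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if spsso is None:
        raise ValueError("no SPSSODescriptor in metadata")
    return spsso.get("AuthnRequestsSigned", "false").strip().lower() == "true"


def encode_redirect(request_xml: str, relay_state: Optional[str] = None,
                    sig_alg: Optional[str] = None, signature_b64: Optional[str] = None) -> str:
    """SP side of the HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode.
    A signed request carries SigAlg and Signature as additional query parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode("ascii"))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if sig_alg is not None:
        params.append(("SigAlg", sig_alg))
    if signature_b64 is not None:
        params.append(("Signature", signature_b64))
    return urllib.parse.urlencode(params)


def decode_redirect(query: str):
    """IdP side: recover the AuthnRequest element and the decoded query parameters."""
    params = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    xml_bytes = zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15)
    return ET.fromstring(xml_bytes), params


def redirect_signing_input(query: str) -> bytes:
    """The octets an HTTP-Redirect signature covers (SAML 2.0 Bindings 3.4.4.1):
    SAMLRequest=..&RelayState=..&SigAlg=.. in that order, RelayState only if present,
    taken verbatim from the query string. Re-encoding the values could change the
    octets and break verification, so the raw pieces are used."""
    raw = {}
    for piece in query.split("&"):
        key, _, value = piece.partition("=")
        raw[key] = value
    parts = [f"SAMLRequest={raw['SAMLRequest']}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    return "&".join(parts).encode("ascii")


def is_message_signed(binding: str, msg: ET.Element, params: dict) -> bool:
    """Redirect: detached signature in the query string. POST: enveloped ds:Signature."""
    if binding == REDIRECT:
        return bool(params.get("Signature")) and bool(params.get("SigAlg"))
    return msg.find(f"{{{DS_NS}}}Signature") is not None


def evaluate_authn_requests_signed_rule(metadata_xml: str, binding: str,
                                        msg: ET.Element, params: dict) -> str:
    """The policy decision the IdP logged. Returns 'ok' or the rejection reason.
    This rule only checks that a signature is present; verifying it against the
    certificate in the SP's signing KeyDescriptor is a separate step."""
    issuer = (msg.findtext(f"{{{SAML_NS}}}Issuer") or "").strip()
    if authn_requests_signed(metadata_xml, issuer) and not is_message_signed(binding, msg, params):
        return (f"SPSSODescriptor for entity ID '{issuer}' indicates AuthnRequests "
                "must be signed, but inbound message was not signed")
    return "ok"


if __name__ == "__main__":
    unsigned = encode_redirect(AUTHN_REQUEST, relay_state="token123")
    msg, params = decode_redirect(unsigned)
    print(evaluate_authn_requests_signed_rule(SP_METADATA, REDIRECT, msg, params))
    # "AAAA" stands in for a real base64 RSA signature; only presence is checked here.
    signed = encode_redirect(AUTHN_REQUEST, "token123", RSA_SHA1, "AAAA")
    msg, params = decode_redirect(signed)
    print(evaluate_authn_requests_signed_rule(SP_METADATA, REDIRECT, msg, params))
    print(redirect_signing_input(signed)[:60], b"...")
```

Two things worth keeping in mind when reading the thread's outcome. AuthnRequestsSigned="true" in SP metadata is a promise the SP makes about its own requests, and the IdP enforces it on every inbound request; if the SP does not actually sign, either make it sign or publish "false", but do not leave the two disagreeing. And a present Signature parameter is only the first gate: the separate signature-validation step must verify those octets against the SP's signing certificate, otherwise a request with any SigAlg and Signature values would satisfy this rule.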

Eugene Dvorkin

Jul 8, 2010, 12:03:02 PM
to shibbole...@internet2.edu
Thank you Peter. That helps. Changing to AuthnRequestsSigned="false"
let me pass this point.


