Signing/validating: No private key found in metadata


jharf...@toonboom.com

Feb 9, 2018, 12:26:11 PM2/9/18
to SimpleSAMLphp
What are you trying to do?

I have a functioning federation with a hosted IdP and I'm trying to get the SP (same domain) and IdP to sign and validate the messages. Signing alone works, but when I try to configure validation, the SP fails after logout with the message SimpleSAML_Error_Exception: No private key found in metadata

I'm not sure why a private key would need to be in the metadata as it's private, nor how to fix this. 

What have you done?

- I've tried adding a 'privatekey' field in authsources.php on the SP side but then the IdP fails with "Missing certificate in metadata for <idp_url>" (IdP)
- Adding 'signature.privatekey' in the sp-remote metadata on the IdP, No private key found in metadata   (SP)
- Adding 'signature.privatekey' in the idp-remote metadata on the SP, Missing certificate in metadata for <idp_url>  (IdP)

idp-hosted.php

'privatekey' => 'xxx.key',
'certificate' => 'xxx.crt',

'auth' => 'sql',
'sign.authnrequest' => true,
'sign.logout' => true,
'redirect.sign' => true,
'redirect.validate' => true,
'validate.authnrequest' => true,

sp-remote.php

  'SingleLogoutService' =>
  array (    ...   ),
  'AssertionConsumerService' =>
  array (    ...   ),
  'certData' => 'xxx',

idp-remote.php

  'entityid' => 'xxx',
  'SingleSignOnService' =>  array ( ... ),
  'SingleLogoutService' => array ( ... ),
  'certData' => 'xxx',
  'sign.authnrequest' => true,
  'redirect.sign' => true,
  'signature.privatekey' => 'xxx.key',

Peter Schober

Feb 9, 2018, 12:41:21 PM2/9/18
to SimpleSAMLphp
* jharf...@toonboom.com <jharf...@toonboom.com> [2018-02-09 18:26]:
> I have a functioning federation with a hosted IdP and I'm trying to get the
> SP (same domain) and IdP to sign and validate the messages. Signing alone
> works, but when I try to configure validation, the SP fails after logout
> with the message SimpleSAML_Error_Exception: No private key found in
> metadata

I can't explain the error message without looking at the code, but
guessing and adding all kinds of made-up parameters to all kinds of
config files (as I understand you were doing to "fix" this) is not
going to help.

Signing & validation of signatures and encrypting & decrypting all
works out of the box in SSP as soon as the parties have suitable key
material (yes, only public keys wrapped in X.509 certificates for
[in]convenience) available in their metadata (and the correct metadata
is available to the other parties).

There is no extra configuration required to "enable validation of
signatures", and there shouldn't be such a configuration, of course.

You have idp-hosted, sp-remote and idp-remote all on the same
SimpleSAMLphp instance? For sanity I'd personally separate those out
completely (if needed only their configuration root directories using
the environment variable method mentioned in the documentation). Also
the documentation states that you'll need to use different vhosts in
order to have an IDP and SP on the same machine, AFAIR.

So whatever is happening is environmental and specific to your
deployment.

-peter

jharf...@toonboom.com

Feb 9, 2018, 1:10:45 PM2/9/18
to SimpleSAMLphp
No, they're not: the IdP and SP are on different machines, and both of their configurations have a certData entry, as you can see, with their own certificates. The config parameters I added were not made up; they're from the documentation for the SP and IdP.

Now what exactly does "No private key found in metadata" mean when I already have a certData in the config? Why does a private key even need to be in the metadata?

Tom Scavo

Feb 9, 2018, 2:25:25 PM2/9/18
to simpleSAMLphp
On Fri, Feb 9, 2018 at 1:10 PM, <jharf...@toonboom.com> wrote:
>
> Now what exactly does "No private key found in metadata" mean when I already
> have a certData in the config?

Clearly there's a bug somewhere.

> Why does a private key even need to be in the metadata?

There are no private keys in metadata...not ever.

Tom

Jaime Perez Crespo

Feb 9, 2018, 3:08:21 PM2/9/18
to SimpleSAMLphp
Hi,

On 9 Feb 2018, at 20:25 PM, Tom Scavo <trs...@gmail.com> wrote:
> On Fri, Feb 9, 2018 at 1:10 PM, <jharf...@toonboom.com> wrote:
>>
>> Now what exactly does "No private key found in metadata" mean when I already
>> have a certData in the config?
>
> Clearly there's a bug somewhere.

No, there’s not.

>> Why does a private key even need to be in the metadata?
>
> There are no private keys in metadata...not ever.

In SimpleSAMLphp, the PHP configuration files under the “metadata” directory, including a variable called “$metadata” with an array of all the configuration options, are also called metadata.

Hosted IdPs are configured in the “metadata/saml20-idp-hosted.php” file (or “hosted metadata”, using the documentation’s terminology (1)). Obviously, if you want to sign your messages, you *need* to specify a private key to use for that, and that’s indeed the “privatekey” configuration option in the SAML 2.0 IdP hosted “metadata”.

(1) https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted


Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

jharf...@toonboom.com

Feb 9, 2018, 3:43:30 PM2/9/18
to SimpleSAMLphp
Thanks Jaime

I do have a 'privatekey' entry in my idp-hosted metadata, the file exists and is not passphrase protected. 

If I don't set 'redirect.validate' and 'validate.authnrequest' to true, I can see the IdP signing the messages back to the SP (I have a SAML debugging tool), so it is able to sign the messages; it's only when I enable validation that the SP complains about no private key.

jharf...@toonboom.com

Feb 9, 2018, 3:56:07 PM2/9/18
to SimpleSAMLphp
I was just trying something out: if I keep only 'validate.authnrequest' set to true and remove 'redirect.validate' (IdP hosted config), everything works OK; it's only when I add 'redirect.validate' => true that it breaks on the SP side.
Is there another variable I should be setting when using 'redirect.validate'?
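Pulling the fragments in this thread together, the following is an added example (not the poster's configuration and not code from the SimpleSAMLphp project) of a key layout in which each side signs with its own private key and validates with the other side's certificate; entity IDs, endpoint URLs, file names and certificate contents are placeholders, and 'saml:SP' / '__DYNAMIC:1__' are assumed to be the usual authsource type and hosted-IdP entry names.

```php
<?php
// Added example: consistent signing/validation key material across the four
// SimpleSAMLphp files discussed in the thread. Private keys never leave the
// machine that owns them; only certificates (certData) are copied across.

// ---- SP machine: config/authsources.php ----
// The SP signs its own AuthnRequest / LogoutRequest / LogoutResponse with the
// 'privatekey' of this authsource entry; this entry is the "metadata" the
// signing code reads, so without the key here signing cannot proceed.
$config = [
    'default-sp' => [
        'saml:SP',
        'entityID'          => 'https://sp.example.org/sp',     // placeholder
        'idp'               => 'https://idp.example.org/idp',   // placeholder
        'privatekey'        => 'sp.key',   // cert/sp.key, kept on the SP only
        'certificate'       => 'sp.crt',   // cert/sp.crt, public half of sp.key
        'sign.logout'       => true,
        'sign.authnrequest' => true,
    ],
];

// ---- SP machine: metadata/saml20-idp-remote.php ----
// Only the IdP's public certificate belongs here; it is used to validate
// signatures on messages the IdP sends to this SP.
$metadata['https://idp.example.org/idp'] = [
    'SingleSignOnService' => 'https://idp.example.org/sso',     // placeholder
    'SingleLogoutService' => 'https://idp.example.org/slo',     // placeholder
    'certData'            => 'MIIC...IDP-CERT-PLACEHOLDER...',
    'redirect.validate'   => true,
];

// ---- IdP machine: metadata/saml20-idp-hosted.php ----
// The IdP's own private key signs outgoing messages; 'redirect.validate'
// makes the IdP require valid signatures on messages it receives from SPs.
$metadata['__DYNAMIC:1__'] = [
    'host'              => '__DEFAULT__',
    'privatekey'        => 'idp.key',  // cert/idp.key, kept on the IdP only
    'certificate'       => 'idp.crt',  // cert/idp.crt, public half of idp.key
    'auth'              => 'sql',
    'redirect.sign'     => true,
    'redirect.validate' => true,
];

// ---- IdP machine: metadata/saml20-sp-remote.php ----
// The SP's public certificate (matching sp.key above) lets the IdP validate
// the SP's signatures; no SP private key is ever configured on the IdP.
$metadata['https://sp.example.org/sp'] = [
    'AssertionConsumerService' => 'https://sp.example.org/acs',   // placeholder
    'SingleLogoutService'      => 'https://sp.example.org/slo',   // placeholder
    'certData'                 => 'MIIC...SP-CERT-PLACEHOLDER...',
];
```

A quick consistency check on each machine is that every 'privatekey' referenced under its own cert/ directory exists and pairs with the 'certificate' beside it, while the remote side holds only the corresponding certData.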