UK-AMF integration Missing Certificate error


Kristy

Mar 11, 2011, 10:43:34 AM
to simpleSAMLphp, g...@kent.ac.uk
Hello,

I'm trying to integrate UK-AMF IdPs into a single sign-on system. I
used the metarefresh.php module to generate metadata from the
federation's XML file. After loading the IdPs' metadata into
saml20-idp-remote.php I can select them from the drop-down list and query
them successfully; however, when the responses are returned they
cannot be accessed because the following error is displayed.

Missing certificate in metadata for 'https://issrg-identity.cs.kent.ac.uk/shibboleth'
0: /var/simplesamlphp/modules/saml2/lib/Message.php:161
(sspmod_saml2_Message::checkSign)
1: /var/simplesamlphp/modules/saml2/lib/Message.php:710
(sspmod_saml2_Message::processResponse)
2: /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:50 (require)
3: /var/simplesamlphp/www/module.php:135 (N/A)

I have verified that the SP certificates match those in the federation
metadata and that a key entry is present in the metadata entry. I have
also turned off all encryption and signing at the IdP with the same
error.

Please could you advise of the next steps.

Many thanks,
Kristy

Dyonisius Visser

Mar 14, 2011, 12:52:26 PM
to simple...@googlegroups.com, Kristy, g...@kent.ac.uk

Hi Kristy
It works here; my metarefresh entry for the UK federation goes like this:


'ukfederation' => array(
    'cron' => array('daily'),
    'sources' => array(
        array(
            'src' => 'http://metadata.ukfederation.org.uk/ukfederation-metadata.xml',
            # Fingerprint validation of the downloaded metadata, left disabled here:
            # 'validateFingerprint' => 'D0:E8:40:25:F0:B1:2A:CC:74:22:ED:C3:87:04:BC:29:BB:7B:9A:40',
            'template' => array(
                'tags' => array('all', 'ukfederation'),
                'authproc' => array(
                    51 => array('class' => 'core:AttributeMap', 'oid2name'),
                ),
                'redirect.sign' => FALSE,
            ),
        ),
    ),
    'expireAfter' => 60*60*24*4,
    'outputDir' => 'metadata/metarefresh/ukfederation',
    'outputFormat' => 'flatfile',
),


I think the 'redirect.sign' => FALSE entry could do the trick?

--
Dyonisius Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
T +31 20 530 44 88 F +31 20 530 44 99
vis...@terena.org | www.terena.org

Olav Morken

Mar 15, 2011, 6:32:01 AM
to simple...@googlegroups.com, g...@kent.ac.uk
On Fri, Mar 11, 2011 at 07:43:34 -0800, Kristy wrote:
> Hello,
>
> I'm trying to integrate UK-AMF IdPs into a single sign-on system. I
> used the metarefresh.php module to generate metadata from the
> federation's XML file. After loading the IdPs' metadata into
> saml20-idp-remote.php I can select them from the drop-down list and query
> them successfully; however, when the responses are returned they
> cannot be accessed because the following error is displayed.
>
> Missing certificate in metadata for 'https://issrg-identity.cs.kent.ac.uk/shibboleth'
> 0: /var/simplesamlphp/modules/saml2/lib/Message.php:161
> (sspmod_saml2_Message::checkSign)
> 1: /var/simplesamlphp/modules/saml2/lib/Message.php:710
> (sspmod_saml2_Message::processResponse)
> 2: /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:50 (require)
> 3: /var/simplesamlphp/www/module.php:135 (N/A)
>
> I have verified that the SP certificates match those in the federation
> metadata and that a key entry is present in the metadata entry.

The issue here is the IdP certificate; we are unable to locate it in
the metadata.

> I have
> also turned off all encryption and signing at the IdP with the same
> error.

simpleSAMLphp will never accept unsigned authentication responses, so
turning off signing on the IdP will still fail.


I looked at the metadata for that IdP in the federation metadata, and
I see that you have:

<KeyDescriptor use="signing">
  <ds:KeyInfo>
    <ds:KeyName>issrg-identity.cs.kent.ac.uk</ds:KeyName>
  </ds:KeyInfo>
</KeyDescriptor>

I assume that this means that you are using CA path validation for
your IdP's certificate, which is poorly supported by simpleSAMLphp. If
you, in addition to having the <ds:KeyName> element in your metadata,
also include the certificate (as many other IdPs in the federation
do), it should work.

Regards,
Olav Morken
UNINETT / Feide

Kristy

Mar 17, 2011, 11:21:51 AM
to simpleSAMLphp
Thank you everyone for your advice. It turned out that there was
something wrong with the metadata I had generated; I configured the
metarefresh module to generate the UK-AMF metadata using cron and it
fixed the problem.

Now I have encountered another issue: I want to use the UK-AMF WAYF
service as the discovery service for my system, but when I specify it
as disco.url in the authsources.php file I get the following error:

WAYF failure at (/DS001/uk.ds)

Couldn't find endpoint https://l4l-idp-01.kent.ac.uk/simplesaml/module.php/saml/sp/discoresp.php in metadata

Does this mean I need to change the metadata for my SP that is
registered with the UK-AMF?

Many thanks,

Kristy Siu

Olav Morken

Mar 18, 2011, 7:35:00 AM
to simple...@googlegroups.com

It appears that the discovery service requires all SPs to have the URL
of the discovery service response endpoint in their metadata. You could try
adding the URL in an <idpdisc:DiscoveryResponse> element inside an
Extensions element of your SP metadata. Something like:

<SPSSODescriptor [...]
  <Extensions>
    <idpdisc:DiscoveryResponse
        xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
        Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
        Location="https://l4l-idp-01.kent.ac.uk/simplesaml/module.php/saml/sp/discoresp.php"
        index="1"
    />
  </Extensions>
  [...]

(This isn't supported by simpleSAMLphp directly, so you will need to
edit your metadata manually before submitting it.)
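An added example, not code from this thread or from simpleSAMLphp, that checks federation metadata for the two problems raised in Olav's replies: IdP entries whose signing KeyDescriptor carries only a KeyName and no X509Certificate (so an SP has no key to verify the signed response against), and an SP entry that declares no idpdisc:DiscoveryResponse endpoint for the discovery service. The metadata is a constructed sample with placeholder entityIDs, and it uses only the Python standard library.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"}

# Constructed sample, not real federation metadata: the IdP publishes only a
# KeyName (the case in the thread) and the SP declares no DiscoveryResponse.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol">
 <md:EntityDescriptor entityID="https://idp.example.org/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing">
    <ds:KeyInfo><ds:KeyName>idp.example.org</ds:KeyName></ds:KeyInfo>
   </md:KeyDescriptor>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def idps_without_signing_cert(xml_text):
    """entityIDs of IdPs whose signing-capable KeyDescriptors carry no X509Certificate."""
    missing = []
    for ent in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        # A KeyDescriptor without a 'use' attribute may be used for signing too.
        signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
                   if kd.get("use") in (None, "signing")]
        if not any(kd.find(".//ds:X509Certificate", NS) is not None for kd in signing):
            missing.append(ent.get("entityID"))
    return missing


def sp_discovery_response(xml_text, entity_id):
    """Location of the SP's DiscoveryResponse endpoint, or None if absent or wrongly bound."""
    for ent in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        if ent.get("entityID") != entity_id:
            continue
        for dr in ent.findall("md:SPSSODescriptor/md:Extensions/idpdisc:DiscoveryResponse", NS):
            if dr.get("Binding") == NS["idpdisc"]:  # must use the discovery-protocol binding
                return dr.get("Location")
    return None
```

Run both functions over the metadata metarefresh fetched and compare the SP's reported Location against the discoresp.php URL the discovery service complains about.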
