I am connecting to eIDAS/Idensys through a mandatory Dutch broker. On my side (SP) I want to use SimpleSAMLphp. I trigger authentication and see the AuthnRequest sent to the IdP. I get the eIDAS (remote IdP) login screen and can log in at the IdP. But when redirected back to my SP I get a decryption error. The specific error from the logs:
)
More logs:
Aug 16 18:25:12 simplesamlphp DEBUG [c8e6bc166f] <saml:Issuer>urn:etoegang:DV:00000003141286080000:entities:9001</saml:Issuer>
Aug 16 18:25:12 simplesamlphp DEBUG [c8e6bc166f] <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
Aug 16 18:25:12 simplesamlphp DEBUG [c8e6bc166f] </samlp:AuthnRequest>
)
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Loading state: '_ef028a7f9abcdd28bb144dd9704b9c2e8c43c33677'
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Received SAML2 Response from 'urn:etoegang:HM:00000003271247010000:entities:9511'.
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Has 3 candidate keys for validation.
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Message validated based on SSL certificate.array (
)
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Validation with key #0 succeeded.
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Has 3 candidate keys for validation.
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Validation with key #0 failed with exception: Unable to validate Signature
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Validation with key #1 failed with exception: Unable to validate Signature
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Validation with key #2 succeeded.
)
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Decryption with key #0 failed with exception: Failed to decrypt XML element.
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] Backtrace:
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] 1 /var/simplesamlphp-1.15.3/www/_include.php:45 (SimpleSAML_exception_handler)
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] 0 [builtin] (N/A)
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] Caused by: Exception: Failed to decrypt XML element.
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] Backtrace:
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] 5 /var/simplesamlphp-1.15.3/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:568 (SAML2\Utils::decryptElement)
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] 4 /var/simplesamlphp-1.15.3/vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:811 (SAML2\Assertion::decryptNameId)
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] 3 /var/simplesamlphp-1.15.3/modules/saml/lib/Message.php:803 (sspmod_saml_Message::processAssertion)
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] 2 /var/simplesamlphp-1.15.3/modules/saml/lib/Message.php:579 (sspmod_saml_Message::processResponse)
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] 1 /var/simplesamlphp-1.15.3/modules/saml/www/sp/saml2-acs.php:129 (require)
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] 0 /var/simplesamlphp-1.15.3/www/module.php:135 (N/A)
Aug 16 18:25:32 simplesamlphp ERROR [c8e6bc166f] Error report with id 2f8c2b1d generated.
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Localization: using old system
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Template: Reading [/var/simplesamlphp-1.15.3/dictionaries/errors]
)
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] Sending message:
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] <soap-env:Header/>
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] <soap-env:Body>
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] <samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_bb411a925d8681a8dda676fce24767244f630eede4" Version="2.0" IssueInstant="2018-08-16T18:25:32Z" Destination="https://broker.nl/brk/ws/SamlArtifact">
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] <saml:Issuer>urn:etoegang:DV:00000003141286080000:entities:9001</saml:Issuer>
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] <ds:SignedInfo>
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] <ds:Reference URI="#_bb411a925d8681a8dda676fce24767244f630eede4">
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] <ds:Transforms>
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] </ds:Transforms>
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] <ds:DigestValue>L0sRjiM0irPArYaN4eg4XZQrHv8=</ds:DigestValue>
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] </ds:Reference>
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] </ds:SignedInfo>
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] <ds:SignatureValue>cyWdteNW50CongdDW/dptNg11XbAxT7w2TLpT/jMEFWeYPuqYfi/QGAkRLsMn24XuO9aec3q58OeVUJJFC8GGwneoKFiaYKshVaUZvmlZ0Ij0kdnkiQUtfWSzEej+P/duqMYeJpAxVV1n5ilOYSwEeCSsG69i/E3uH1WjNpNVpLz2QWLZDmtpwUht/fhTtfOxx4PECm43KeBYqysisFyVv4Hc4eEH+dbzgdT1U2Oz+rSMWEdPREebWmeZrpaL3ERH7TQOkg8+F0fd3asCCJ76VvIUNcpOT7Sj6FnvOf/VInzNypS8M3oI/8e735eBBTKL2g2zKRvzi5uQmeqTD3p8g==</ds:SignatureValue>
Aug 16 18:25:32 simplesamlphp DEBUG [c8e6bc166f] <ds:KeyInfo>
The authsource config:
// entry in config/authsources.php
'eidas-sp' => array(
    'saml:SP',
    // SP key pair: the IdP/broker encrypts to the certificate published in our
    // metadata, so 'privatekey' must be the private half of 'certificate'
    'privatekey' => 'priv-enc.key',
    'privatekey_pass' => '{SHA256}oGfWXW0T6Wcn4oaQuYjSCaQb40LGm8H87wn/VICSPM4=',
    'certificate' => 'pub-cert.pem',
    'metadata.sign.enable' => TRUE,
    'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
    'redirect.sign' => TRUE,
    'redirect.validate' => TRUE,
    // left at the SimpleSAMLphp default (RSA 1.5 key transport refused)
    //'encryption.blacklisted-algorithms' => array(),
    'sign.authnrequest' => TRUE,
    'assertion.encryption' => FALSE,
    'WantAssertionsSigned' => TRUE,
    'acs.Bindings' => array('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'),
    'authproc' => array(
        20 => array('class' => 'saml:NameIDAttribute', 'format' => '%V'),
    ),
    'entityID' => 'urn:etoegang:DV:000000031412xxxx:entities:9001',
    'idp' => 'urn:etoegang:HM:00000003271xxxx:entities:9511',
    'discoURL' => NULL,
    'attributes' => array(
        'urn:etoegang:DV:00000003141286080000:services:9001',
        'urn:etoegang:1.9:attribute:FirstName',
        'urn:etoegang:1.9:attribute:FamilyNameInfix',
        'urn:etoegang:1.9:attribute:FamilyName',
        'urn:etoegang:1.9:attribute:DateOfBirth',
        'urn:etoegang:1.11:attribute:BirthName',
        'urn:etoegang:1.9:attribute:Initials',
        'urn:etoegang:1.9:attribute:Email',
    ),
    'name' => 'some name',
    'attributes.isDefault' => TRUE,
    'contacts' => array(
        array(
            'contactType' => 'technical',
            'emailAddress' => 'xxx',
            'givenName' => 'xxx',
            'surName' => 'xxx',
            'telephoneNumber' => 'xxx',
            'company' => 'xxxx',
        ),
    ),
),
Could anyone point me in the correct direction to resolve this?
Thanks in advance,
Best regards,
Maarten
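The backtrace above fails in SAML2\Assertion::decryptNameId, so the broker is encrypting only the NameID, and decryption with key #0 (the configured 'privatekey') fails. The two usual causes are that the IdP encrypted to a different certificate than the one behind 'privatekey', or that it used a key-transport algorithm SimpleSAMLphp rejects by default (RSA PKCS#1 v1.5, the one the commented-out 'encryption.blacklisted-algorithms' line would have whitelisted). The diagnostic below is an added example, not SimpleSAMLphp or broker code: it pulls those two facts out of a Response with only the standard library. The Response, certificate bytes and fingerprints are constructed sample data.

```python
"""Diagnose a failed <saml:EncryptedID> decryption at a SimpleSAMLphp SP.

Added example (not SimpleSAMLphp or broker code), standard library only.
Reports which key-transport/data algorithms the IdP used and whether the
certificate it encrypted to is the SP's configured 'certificate'.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
# SimpleSAMLphp's default blacklist. PKCS#1 v1.5 key transport is exposed to
# padding-oracle attacks, so keep it blacklisted and ask the IdP/broker for
# RSA-OAEP rather than clearing 'encryption.blacklisted-algorithms'.
DEFAULT_BLACKLIST = {RSA_1_5}


def cert_fingerprint(pem: str) -> str:
    """SHA-256 hex fingerprint of the DER bytes inside a PEM certificate."""
    b64 = "".join(l.strip() for l in pem.splitlines() if "-----" not in l)
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()


def inspect_encrypted_nameid(response_xml: str, sp_cert_pem: str) -> dict:
    """Extract the NameID encryption parameters and compare certificates."""
    root = ET.fromstring(response_xml)
    enc_id = root.find(".//saml:EncryptedID", NS)
    if enc_id is None:
        return {"encrypted_nameid": False}
    enc_data = enc_id.find("xenc:EncryptedData", NS)
    data_alg = enc_data.find("xenc:EncryptionMethod", NS).get("Algorithm")
    # The EncryptedKey sits inside EncryptedData/ds:KeyInfo or as a sibling
    # of EncryptedData under EncryptedID; a descendant search covers both.
    enc_key = enc_id.find(".//xenc:EncryptedKey", NS)
    transport_alg, idp_fp = None, None
    if enc_key is not None:
        method = enc_key.find("xenc:EncryptionMethod", NS)
        transport_alg = method.get("Algorithm") if method is not None else None
        cert = enc_key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            der = base64.b64decode(cert.text.strip())
            idp_fp = hashlib.sha256(der).hexdigest()
    sp_fp = cert_fingerprint(sp_cert_pem)
    return {
        "encrypted_nameid": True,
        "data_algorithm": data_alg,
        "key_transport_algorithm": transport_alg,
        "key_transport_blacklisted": transport_alg in DEFAULT_BLACKLIST,
        "idp_used_cert_sha256": idp_fp,
        "sp_cert_sha256": sp_fp,
        "cert_matches": None if idp_fp is None else idp_fp == sp_fp,
    }


def findings(result: dict) -> list:
    """Turn an inspect_encrypted_nameid() result into actionable lines."""
    if not result.get("encrypted_nameid"):
        return ["NameID is not encrypted; the failure is elsewhere"]
    out = []
    if result["key_transport_blacklisted"]:
        out.append("key transport %s is blacklisted by default: ask the "
                   "IdP/broker for RSA-OAEP" % result["key_transport_algorithm"])
    if result["cert_matches"] is False:
        out.append("IdP encrypted to a different certificate than 'certificate': "
                   "republish SP metadata or fix 'privatekey'/'certificate'")
    elif result["cert_matches"] is None:
        out.append("EncryptedKey carries no certificate: verify by hand that "
                   "'privatekey' matches the certificate in the SP metadata")
    return out


# ---- constructed sample data (not a real Response or certificate) ----
_SP_DER_B64 = base64.b64encode(b"constructed DER of the SP encryption cert").decode()
_ROTATED_DER_B64 = base64.b64encode(b"constructed DER of a rotated cert").decode()
_pem = lambda b: "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b
SP_CERT_PEM = _pem(_SP_DER_B64)          # what 'certificate' points at
ROTATED_CERT_PEM = _pem(_ROTATED_DER_B64)  # a stale or different key pair
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_constructed_a1" Version="2.0"><saml:Subject><saml:EncryptedID>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedID></saml:Subject></saml:Assertion>
</samlp:Response>""" % _SP_DER_B64

if __name__ == "__main__":
    for pem in (SP_CERT_PEM, ROTATED_CERT_PEM):
        for line in findings(inspect_encrypted_nameid(SAMPLE_RESPONSE, pem)):
            print("-", line)
```

Run it against the decoded Response saved from the debug log (the ArtifactResponse body) and the PEM in 'certificate'. If the IdP's EncryptedKey names RSA 1.5, the fix belongs on the broker side (RSA-OAEP) rather than in clearing the blacklist; if the fingerprints differ, the broker still holds older SP metadata, or 'privatekey' is not the private half of 'certificate'.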