Can't seem to validate returned, signed message


jkandiko
I'm trying to integrate with a remote IdP.  I've taken their metadata and see that it is loading up correctly from the log files:

2010-09-28 13:37:40 DEBUG OpenSAML.MetadataProvider.XML : using local resource (E:\opt\shibboleth-sp\etc\shibboleth\IdP-SAML.xml), will monitor for changes

The user gets redirected to the IdP's login site and authenticates.  When they return, the user gets the dreaded 'Message was signed, but signature could not be verified.':

2010-09-28 13:37:51 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: extracting issuer from SAML 2.0 protocol message
2010-09-28 13:37:51 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: message from (idpoc.firebird.net)
2010-09-28 13:37:51 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: searching metadata for message issuer...
2010-09-28 13:37:51 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]: evaluating message flow policy (replay checking on, expiration 60)
2010-09-28 13:37:51 DEBUG XMLTooling.StorageService [1]: inserted record (_f35cc01503147afc25bef9185369f64398a0) in context (MessageFlow)
2010-09-28 13:37:51 DEBUG Shibboleth.SSO.SAML2 [1]: processing message against SAML 2.0 SSO profile
2010-09-28 13:37:51 DEBUG Shibboleth.SSO.SAML2 [1]: extracting issuer from SAML 2.0 assertion
2010-09-28 13:37:51 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]: evaluating message flow policy (replay checking on, expiration 60)
2010-09-28 13:37:51 DEBUG XMLTooling.StorageService [1]: inserted record (_c7f029909b19560e0e819fc9b746cfcd04a8) in context (MessageFlow)
2010-09-28 13:37:51 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2010-09-28 13:37:51 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: unable to validate signature, no credentials available from peer
2010-09-28 13:37:51 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine

The metadata file contains the X509 cert like all the examples. Here's what the Shibboleth configuration file looks like (ApplicationDefaults section):

<ApplicationDefaults id="default" entityID="https://firebird.edu/shibboleth-sp" policyId="default" REMOTE_USER="eppn" homeURL="https://firebird.edu/index.html">
  <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/Shibboleth.sso" handlerSSL="false">
    <SessionInitiator type="SAML2" Location="/" isDefault="true" entityID="idpoc.firebird.net" acsIndex="1" />
    <md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
    <md:AssertionConsumerService Location="/SAML/POST" index="6" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" />
    <Handler type="MetadataGenerator" Location="/Metadata" signing="false" />
    <Handler type="Status" Location="/Status" acl="127.0.0.1" />
    <Handler type="Session" Location="/Session" />
  </Sessions>
  <Errors session="sessionError.html" metadata="metadataError.html" access="accessError.html" ssl="sslError.html" supportContact="kandiko@wisc.edu" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css" />
  <MetadataProvider type="XML" file="E:\opt\shibboleth-sp\etc\shibboleth\IdP-SAML.xml" />
  <TrustEngine type="ExplicitKey" />
  <AttributeExtractor type="XML" path="attribute-map.xml" />
  <AttributeResolver type="Query" />
  <AttributeFilter type="XML" path="attribute-policy.xml" />
  <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem" />
</ApplicationDefaults>

Is there someplace in the shib config file that I'm missing that should allow the signature to be verified?
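The ExplicitKey trust engine in the configuration above verifies a signature only with keys it finds in the metadata of the entity named as the message issuer (here the log shows the issuer as "idpoc.firebird.net"), so "no credentials available from peer" means that lookup came back empty: either no EntityDescriptor in IdP-SAML.xml carries exactly that entityID, or the one that does has no KeyDescriptor usable for signing under its IDPSSODescriptor. The script below is an added diagnostic, not part of the original post or of the Shibboleth SP; it parses a metadata file and reports which of those conditions holds. The metadata documents embedded in it are constructed samples with a placeholder certificate string, and the entity IDs in them are made up for the illustration.

```python
"""Check whether SAML 2.0 metadata gives an IdP a signing key an
ExplicitKey trust engine could use (added diagnostic, stdlib only)."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MD_ENTITY = "{%s}EntityDescriptor" % NS["md"]


def _entity_descriptors(root: ET.Element) -> List[ET.Element]:
    """The root may itself be an EntityDescriptor or an EntitiesDescriptor
    wrapping several; return every EntityDescriptor either way."""
    descs = [root] if root.tag == MD_ENTITY else []
    descs += root.findall(".//md:EntityDescriptor", NS)
    return descs


def entity_ids(metadata_xml: str) -> List[str]:
    """All entityID values in the file, so a mismatch with the issuer
    string seen in the SP log is obvious (the match must be exact)."""
    root = ET.fromstring(metadata_xml)
    return [d.get("entityID", "") for d in _entity_descriptors(root)]


def signing_certs(metadata_xml: str, entity_id: str) -> Tuple[str, List[str]]:
    """Return (status, certificates) for the given issuer entityID.

    status is one of:
      entity-not-found  - no EntityDescriptor has this exact entityID
      no-idp-role       - the entity has no IDPSSODescriptor
      no-signing-key    - no KeyDescriptor with use="signing" (or no use
                          attribute, which the metadata schema treats as
                          valid for both signing and encryption)
      ok                - at least one usable X509Certificate was found
    """
    root = ET.fromstring(metadata_xml)
    matches = [d for d in _entity_descriptors(root) if d.get("entityID") == entity_id]
    if not matches:
        return "entity-not-found", []
    roles = [r for d in matches for r in d.findall("md:IDPSSODescriptor", NS)]
    if not roles:
        return "no-idp-role", []
    certs: List[str] = []
    for role in roles:
        for kd in role.findall("md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue  # encryption-only keys cannot verify signatures
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                # Base64 in metadata is usually wrapped; strip all whitespace.
                certs.append("".join((c.text or "").split()))
    if not certs:
        return "no-signing-key", []
    return "ok", certs


# Constructed sample metadata (not real IdPs; certificate text is a placeholder).
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBconstructedPLACEHOLDERcertBase64
        AAAA
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

ENC_ONLY_METADATA = GOOD_METADATA.replace('use="signing"', 'use="encryption"')


if __name__ == "__main__":
    # The issuer string must match an entityID exactly; a bare hostname
    # (as in the SP log) will not match a URL-style entityID.
    print("entityIDs in file:", entity_ids(GOOD_METADATA))
    for issuer in ("https://idp.example.edu/idp/shibboleth", "idp.example.edu"):
        print(issuer, "->", signing_certs(GOOD_METADATA, issuer)[0])
    print("encryption-only metadata ->", signing_certs(ENC_ONLY_METADATA,
          "https://idp.example.edu/idp/shibboleth")[0])
```

To apply it to a real deployment, read the file named by the MetadataProvider element and pass the issuer string exactly as the SP logs it after "message from"; a status other than "ok" points at the metadata side of the problem rather than at the SP's own key or certificate.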