Unable to establish security of incoming assertion.

Jonathan Gershater
I set up an SP and IdP, latest version.
 
IdP is configured for LDAP auth. I get the authentication screen and log in successfully.
 
Then I get a screen in the browser:

opensaml::FatalProfileException

The system encountered an error at Fri Jun 19 11:17:49 2009

To report this problem, please contact the site administrator at [hidden email].

Please include the following message in any email:

opensaml::FatalProfileException at (https://shibsp.adaranet.com/Shibboleth.sso/SAML2/POST)

Unable to establish security of incoming assertion.

 
In the Shibd.log file I see this:
-----------------------------------
2009-06-19 11:17:49 WARN OpenSAML.MessageDecoder.SAML2 [2]: no metadata found, can't establish identity of issuer (UsernamePassword)
2009-06-19 11:17:49 WARN Shibboleth.SSO.SAML2 [2]: no metadata found, can't establish identity of issuer (UsernamePassword)
2009-06-19 11:17:49 WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Unable to establish security of incoming assertion.
----------------------------------------------------------------------------------------------------
Yet earlier in the log I do see the metadata successfully loaded:
 
2009-06-19 11:17:28 INFO Shibboleth.Listener : registered remoted message endpoint (default/Metadata)
2009-06-19 11:17:28 INFO Shibboleth.Listener : registered remoted message endpoint (default/Status)
2009-06-19 11:17:28 INFO Shibboleth.Application : building MetadataProvider of type Chaining...
2009-06-19 11:17:28 INFO OpenSAML.Metadata.Chaining : building MetadataProvider of type XML
2009-06-19 11:17:28 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/etc/shibboleth/idp-metadata.xml)
2009-06-19 11:17:28 INFO Shibboleth.Application : building TrustEngine of type Chaining...
2009-06-19 11:17:28 INFO XMLTooling.TrustEngine.Chaining : building TrustEngine of type ExplicitKey
2009-06-19 11:17:28 INFO XMLTooling.TrustEngine.Chaining : building TrustEngine of type PKIX
2009-06-19 11:17:28 INFO Shibboleth.Application : building AttributeExtractor of type XML...
2009-06-19 11:17:28 INFO Shibboleth.AttributeExtractor.XML : loaded XML resource (/etc/shibboleth/attribute-map.xml)
2009-06-19 11:17:28 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonPrincipalName
-------------------------------------------------------------------
 
Attached is the idp-metadata.xml file.
I copied it from the IdP and added the :8443 port to the https URL.
 
What is wrong with the metadata?
 
Thank you

idp-metadata.xml (7K)

Re: Unable to establish security of incoming assertion.

Nate Klingenstein
Jonathan,

The trouble is that you seem to have changed your entityID to "UsernamePassword" in relying-party.xml.  If you change that to https://ShibbolethIDP.adaranet.com:8443/shibboleth to match your metadata, you'll have better luck.

Take care,
Nate.

On Jun 19, 2009, at 6:28 PM, Jonathan Gershater wrote:

> 2009-06-19 11:17:49 WARN OpenSAML.MessageDecoder.SAML2 [2]: no metadata found, can't establish identity of issuer (UsernamePassword)
> 2009-06-19 11:17:49 WARN Shibboleth.SSO.SAML2 [2]: no metadata found, can't establish identity of issuer (UsernamePassword)
> 2009-06-19 11:17:49 WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Unable to establish security of incoming assertion.
> ----------------------------------------------------------------------------------------------------
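
The mismatch diagnosed above can be checked mechanically by comparing the issuer named in the shibd.log warnings with the entityID values in the metadata the SP loaded. This is an added example, not part of the original thread and not Shibboleth's own code; the metadata document is a constructed stand-in for the attachment, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed stand-in for /etc/shibboleth/idp-metadata.xml; only the
# entityID value is taken from the thread.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ShibbolethIDP.adaranet.com:8443/shibboleth">
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

# shibd.log lines as posted in the thread.
SAMPLE_LOG = """\
2009-06-19 11:17:28 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/etc/shibboleth/idp-metadata.xml)
2009-06-19 11:17:49 WARN OpenSAML.MessageDecoder.SAML2 [2]: no metadata found, can't establish identity of issuer (UsernamePassword)
2009-06-19 11:17:49 WARN Shibboleth.SSO.SAML2 [2]: no metadata found, can't establish identity of issuer (UsernamePassword)
"""

ISSUER_RE = re.compile(
    r"no metadata found, can't establish identity of issuer \((.*?)\)\s*$")


def metadata_entity_ids(xml_text):
    """Collect every entityID declared in a SAML metadata document."""
    root = ET.fromstring(xml_text)  # local, admin-controlled file assumed
    return {el.get("entityID")
            for el in root.iter(f"{{{MD_NS}}}EntityDescriptor")
            if el.get("entityID")}


def unknown_issuers(log_text, known_ids):
    """Map each issuer the SP had no metadata for to any near-miss entityIDs
    (same value apart from letter case or a trailing slash)."""
    def norm(s):
        return s.lower().rstrip("/")
    findings = {}
    for line in log_text.splitlines():
        m = ISSUER_RE.search(line)
        if m and m.group(1) not in known_ids:
            issuer = m.group(1)
            findings[issuer] = sorted(
                k for k in known_ids if norm(k) == norm(issuer))
    return findings


if __name__ == "__main__":
    ids = metadata_entity_ids(SAMPLE_METADATA)
    for issuer, near in unknown_issuers(SAMPLE_LOG, ids).items():
        print(f"issuer {issuer!r} not in metadata {sorted(ids)}; near: {near}")
```

An empty near-miss list, as for "UsernamePassword" here, means the issuer value is unrelated to anything in the loaded metadata, so the place to look is the entityID the IdP is configured to send rather than the metadata file.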

Re: Unable to establish security of incoming assertion.

Jonathan Gershater
Nate,
That worked!
Thank you