unable to validate signature


unable to validate signature

brian.f.lewis

Hi,
I'm trying to set up an SP with Shibboleth 2. I had it working with TestShib, but I'm now trying to set it up with our internal IdP. I've seen several posts from people with the same issue, but the solutions I've seen haven't helped yet.

Here's the error:
2009-06-17 12:30:58 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2009-06-17 12:30:58 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: unable to validate signature, no credentials available from peer
2009-06-17 12:30:58 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine

The IdP metadata appears to be loading ok. I checked that the cert in the metadata matches the certificate in the assertion that the SP receives. The IdP entityID is the same on the SP and IdP side. I've tried creating all new certificates and private keys.

I have set up my IdP public key on the SP using the following:

<RelyingParty Name="federation.gsk.com" keyName="SpecialKey"/>
...
<TrustEngine type="Chaining">
    <TrustEngine type="ExplicitKey"/>
    <!--<TrustEngine type="PKIX"/>-->
</TrustEngine>
...
<CredentialResolver type="Chaining">
    <CredentialResolver keyName="Default" type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
    <CredentialResolver keyName="SpecialKey" type="File" certificate="idp-public-key.pem"/>
    <CredentialResolver type="File" certificate="ca.1024.pem"/>
</CredentialResolver>

Does this look correct? Can you configure a CA cert in the CredentialResolver this way? I haven't seen anything in the SP docs that discusses CA certs, except that CAPath is deprecated.
Any advice would be greatly appreciated; at this point I am stumped.

Thanks!
Brian

Re: unable to validate signature

Nate Klingenstein
Brian,

The configuration of your SP's keys and certificates in the sections you describe enumerates the keys and certificates that the SP itself will use when transacting with specific IdPs. In this case, it looks like you've configured your SP to attempt to use the IdP's key as its own. You also supplied only the certificate, and no key.


Trust of your counterparties is configured via metadata.  You can certainly put root certificates in the metadata if you'd like and use that for your trust establishment.  We recommend against it for large, distributed deployments for a variety of reasons, but it's certainly doable.

The first thing I'd do is remove the extra key and certificate configuration and just use the SP and IdP's standard keys and certificates.  You can then incrementally move towards using different keys and certificates if you need to once you've established that that works.

Hope this helps,
Nate.

On Jun 17, 2009, at 9:00 PM, [hidden email] wrote:
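Nate's point is that CredentialResolver entries hold the SP's own signing and decryption credentials, while trust in the IdP comes from metadata. The following audit script is an added example (not Shibboleth project code) that flags exactly the two symptoms in Brian's posted fragment: a File resolver that carries a certificate but no private key, and a RelyingParty whose keyName does not resolve to a credential with a key. The SPConfig wrapper, entityID and element placement are constructed assumptions.

```python
"""Audit a Shibboleth SP 2.x config fragment for the key/certificate mix-up
discussed in the thread. Added example, not Shibboleth project code."""
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the posted configuration (not a full shibboleth2.xml).
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults id="default" entityID="https://sp.example.org/shibboleth">
    <RelyingParty Name="federation.gsk.com" keyName="SpecialKey"/>
    <CredentialResolver type="Chaining">
      <CredentialResolver keyName="Default" type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
      <CredentialResolver keyName="SpecialKey" type="File" certificate="idp-public-key.pem"/>
      <CredentialResolver type="File" certificate="ca.1024.pem"/>
    </CredentialResolver>
  </ApplicationDefaults>
</SPConfig>"""


def _local(tag):
    """Strip the XML namespace so the check works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_credentials(xml_text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    keyed = set()  # keyNames that map to a resolver holding a private key
    for el in root.iter():
        if _local(el.tag) != "CredentialResolver" or el.get("type") != "File":
            continue
        name = el.get("keyName", "<unnamed>")
        cert = el.get("certificate", "?")
        if el.get("key"):
            keyed.add(name)
        else:
            # A certificate-only File resolver cannot sign or decrypt for the SP;
            # a peer's certificate or a CA root belongs in metadata instead.
            findings.append(f"resolver {name!r} ({cert}) has a certificate but no private key; "
                            "move peer/CA certificates into metadata")
    for el in root.iter():
        if _local(el.tag) == "RelyingParty" and el.get("keyName"):
            kn = el.get("keyName")
            if kn not in keyed:
                findings.append(f"RelyingParty {el.get('Name')!r} references keyName {kn!r}, "
                                "which does not resolve to a credential with a private key")
    return findings


if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the posted fragment it reports three findings; removing the SpecialKey override and the two certificate-only resolvers, as Nate suggests, leaves the Default credential and no findings.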