Fixed
Assignee: Scott Cantor
Reporter: Olivier Sal
Created May 29, 2012 at 2:40 PM
Updated May 31, 2012 at 5:53 PM
Resolved May 31, 2012 at 5:53 PM
While recently configuring most of our services to use a discovery service (versus a WAYF), we noticed we got a couple of errors with IdPs encrypting SAML2 assertions using the wrong certificate. This may happen when both the IdP and SP are trusting both our test and production federations.
It has been very hard for us to determine the origin of the problem and to fix it, mostly because the SP logs didn't help much.
Here is what it looked like:
2012-05-10 15:08:40 DEBUG XMLTooling.CredentialCriteria [29470]: credential name(s) didn't overlap
2012-05-10 15:08:40 ERROR Shibboleth.SSO.SAML2 [29470]: Unable to resolve any key decryption keys.
It's misleading because we had no credential name issue.
It would greatly help if you could add an additional error log entry that says the SP could not decrypt the assertion.
Thanks
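
A log triage sketch for the symptom reported above, added here as an example and not part of the original issue or of Shibboleth's code: it pairs the DEBUG name-mismatch line with the ERROR that follows under the same bracketed id and reports the pair as a decryption failure. The function name, the two-second window and the filler log lines are assumptions; the two matched messages are the ones quoted in the report.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two lines from the report plus labelled filler lines.
SAMPLE_LOG = """\
2012-05-10 15:08:39 DEBUG Shibboleth.SSO.SAML2 [29470]: constructed filler line
2012-05-10 15:08:40 DEBUG XMLTooling.CredentialCriteria [29470]: credential name(s) didn't overlap
2012-05-10 15:08:40 ERROR Shibboleth.SSO.SAML2 [29470]: Unable to resolve any key decryption keys.
2012-05-10 15:09:02 DEBUG XMLTooling.CredentialCriteria [29512]: credential name(s) didn't overlap
2012-05-10 15:09:03 DEBUG Shibboleth.SSO.SAML2 [29512]: constructed filler line
"""

LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (\S+) \[(\d+)\]: (.*)$")
MISMATCH = "credential name(s) didn't overlap"
NO_KEY = "Unable to resolve any key decryption keys"


def find_decryption_failures(text, window=timedelta(seconds=2)):
    """Return one finding per ERROR line that reports no usable decryption key.

    Each finding records whether a name-mismatch DEBUG line from the same
    bracketed id preceded the error within `window` (an assumed tolerance).
    """
    pending = {}   # bracketed id -> timestamp of the last mismatch line
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines or a different log layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        level, category, ident, msg = m.group(2, 3, 4, 5)
        if category == "XMLTooling.CredentialCriteria" and MISMATCH in msg:
            pending[ident] = ts
        elif level == "ERROR" and NO_KEY in msg:
            seen = pending.pop(ident, None)
            findings.append({
                "time": ts,
                "id": ident,
                "name_mismatch_preceded": seen is not None and ts - seen <= window,
                "summary": "SP could not decrypt the assertion; check which "
                           "certificate the IdP encrypted to",
            })
    return findings


if __name__ == "__main__":
    for f in find_decryption_failures(SAMPLE_LOG):
        print(f["time"], f["id"], f["name_mismatch_preceded"], f["summary"])
```

A mismatch line with no ERROR after it, as under id 29512 in the sample, produces no finding, so ordinary credential filtering at DEBUG level is not reported.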