Unprecise error message when wrong certificate is used for SAML2 encryption
Description
While recently configuring most of our services to use a discovery service (versus a WAYF) we noticed a couple of errors with IdPs encrypting SAML2 assertions using the wrong certificate. This may happen when both the IdP and SP are trusting both our test and production federation.
It has been very hard for us to determine the origin of the problem and to fix it mostly because the SP logs didn't help much.
Here is what it looked like:
2012-05-10 15:08:40 DEBUG XMLTooling.CredentialCriteria [29470]: credential name(s) didn't overlap
2012-05-10 15:08:40 ERROR Shibboleth.SSO.SAML2 [29470]: Unable to resolve any key decryption keys.
It's misleading because we had no credential name issue.
It would greatly help if you could add an additional error log entry that tells that the SP could not decrypt the assertion.
Thanks
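Until the SP emits a clearer message, the pairing described above can be surfaced from the existing log by correlating the two lines. The following scanner is an added example written for this report; it is not Shibboleth code and not something the reporter posted. It assumes the shibd log line layout visible in the two quoted lines (timestamp, level, category, bracketed process id, message); the third sample line is constructed noise so that the scanner has something to skip.

```python
import re
from collections import defaultdict

# Constructed sample input: the first two lines are the ones quoted in the report,
# the third is an unrelated line made up for this example so the scanner has noise to ignore.
SAMPLE_LOG = """\
2012-05-10 15:08:40 DEBUG XMLTooling.CredentialCriteria [29470]: credential name(s) didn't overlap
2012-05-10 15:08:40 ERROR Shibboleth.SSO.SAML2 [29470]: Unable to resolve any key decryption keys.
2012-05-10 15:08:41 INFO Shibboleth.SessionCache [29470]: new session created: ID (example)
"""

# Log layout assumed from the quoted lines: "<date> <time> <LEVEL> <category> [<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>\w+) (?P<cat>[\w.]+) \[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The two messages the report says appear together when the IdP encrypted with the wrong certificate.
CRED_HINT = "credential name(s) didn't overlap"
NO_DECRYPT_KEY = "Unable to resolve any key decryption keys"


def parse_line(line):
    """Split one shibd log line into its fields, or return None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def diagnose(log_text):
    """Scan a log and return one finding per 'Unable to resolve any key decryption keys' error.

    The preceding DEBUG line from XMLTooling.CredentialCriteria is recorded per process id
    so the finding can say whether the misleading credential-name hint was also present.
    """
    hint_seen = defaultdict(bool)  # pid -> saw the credential-name DEBUG line
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a log line we understand; skip it
        pid = rec["pid"]
        if CRED_HINT in rec["msg"]:
            hint_seen[pid] = True
        elif NO_DECRYPT_KEY in rec["msg"]:
            findings.append({
                "timestamp": rec["ts"],
                "pid": pid,
                "credential_hint": hint_seen[pid],
                # Clearer wording for what the report says actually happened.
                "diagnosis": "SP could not decrypt the SAML2 assertion: no configured "
                             "decryption key matches the certificate the IdP encrypted with",
            })
            hint_seen[pid] = False  # reset so a later error in the same process is judged on its own
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['timestamp']} pid={f['pid']} hint={f['credential_hint']}: {f['diagnosis']}")
```

Run it against a real shibd.log by passing the file contents to diagnose(); the DEBUG line only appears when the XMLTooling.CredentialCriteria category is logged at DEBUG, so the credential_hint flag will be False on installations running at the default level, while the ERROR line alone is still enough to raise the finding.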