This is probably the least tested bit of the saml2 feature. Do open up an 
issue, and provide your config and CAS logs so we can better diagnose this.

--Misagh

From: [email protected] [mailto:[email protected]] On Behalf Of Robert 
Kornmesser
Sent: Tuesday, November 15, 2016 3:17 AM
To: CAS Community <[email protected]>
Subject: [cas-user] SAML IdP - encrypt assertions

Hi all,

I am successfully running a CAS 5.0.0 with SAML IdP. I can authenticate 
against shibbolized service providers as long as I am not encrypting 
assertions. When I activate "encryptAssertions" in my service I get this 
error:

A valid authentication statement was not found in the incoming message.

Using a shibboleth 3 IDP worked before.

Here are some logs:

shibd.log

2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]:
----- BEGIN SIGNATURE DEBUG -----
2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]: <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"></ds:SignatureMethod>
<ds:Reference URI="#_1658058603619518521">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"></ds:DigestMethod>
<ds:DigestValue>zfQy3P72YVRFnpL92vmedxCZ/cmetKLLKS46qohlIBpg28d6D5uYX8jBvFqzRy3/qxhoo49Ew4R4
gC0lwBhS/Q==</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]:
2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]:
----- END SIGNATURE DEBUG -----

2016-11-15 11:12:41 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: signature validated with credential
2016-11-15 11:12:41 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: signature verified against message issuer
2016-11-15 11:12:41 DEBUG Shibboleth.SSO.SAML2 [1]: processing message against SAML 2.0 SSO profile
2016-11-15 11:12:41 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0 certificate(s)
2016-11-15 11:12:41 DEBUG XMLTooling.CredentialCriteria [1]: key algorithm didn't match ('AES' != 'RSA')
2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: XMLSecurity exception while decrypting key: OpenSSL:RSA privateKeyDecrypt - Error removing OAEPadding
2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: unable to decrypt key, generating random key for defensive purposes
2016-11-15 11:12:41 ERROR Shibboleth.SSO.SAML2 [1]: failed to decrypt assertion: XMLSecurity exception while decrypting: Errors occured during de-serialisation of decrypted element content

If you need more logs, please tell me.

Anyone else having problems with encrypted assertions?

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: 
https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups 
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to [email protected] 
<mailto:[email protected]> .
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/edb2535a-c79b-49bc-8949-3f95193374fe%40apereo.org.

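An added diagnostic, written for this page; it is not part of the thread above and is not code from CAS or Shibboleth. The decisive lines in the shibd log are the two Decrypter warnings. "OpenSSL:RSA privateKeyDecrypt - Error removing OAEPadding" is what the SP reports when the RSA-OAEP unwrap of the EncryptedKey yields bytes that fail the OAEP padding check, which in practice means the private key shibd holds does not correspond to the public key CAS encrypted the session key to (or, less often, the two sides disagree on the OAEP digest/MGF parameters). "generating random key for defensive purposes" is the SP deliberately carrying on with a random session key instead of failing fast, so that a decryption error cannot be turned into a padding oracle; the de-serialisation error and the "valid authentication statement was not found" message are the predictable result of decrypting with garbage. The first thing to verify is therefore which certificate the IdP encrypted to: the encryption certificate in the SP metadata that CAS loaded for this service, against the certificate whose private key shibd actually uses. The script below (stdlib Python only) compares them by SHA-256 fingerprint and also handles a KeyDescriptor with no `use` attribute, which the metadata spec treats as valid for both signing and encryption. The function names, the entityID, and the "certificates" (constructed byte strings standing in for DER, not real X.509) are all assumptions made for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of DER certificate bytes."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armour and return the DER bytes the SP keeps on disk."""
    body = [ln.strip() for ln in pem_text.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def advertised_certificates(metadata_xml: str) -> dict:
    """Fingerprints of the certs in the SP's KeyDescriptors, keyed by use.

    A KeyDescriptor without a 'use' attribute is valid for both signing
    and encryption, so its certificate is recorded under both keys.
    """
    root = ET.fromstring(metadata_xml)
    found = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = [use] if use in found else list(found)
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Element text is base64 DER, normally line-wrapped.
            der = base64.b64decode("".join((cert.text or "").split()))
            for u in uses:
                found[u].append(fingerprint(der))
    return found


def diagnose(metadata_xml: str, sp_cert_pem: str) -> str:
    """Would an IdP trusting this metadata encrypt to the key behind sp_cert_pem?"""
    found = advertised_certificates(metadata_xml)
    local = fingerprint(pem_to_der(sp_cert_pem))
    if local in found["encryption"]:
        return "ok"
    if found["encryption"]:
        # The IdP wraps the session key with a key the SP no longer (or never) held:
        # exactly the situation that produces an OAEP padding error at the SP.
        return "encryption-cert-mismatch"
    # Only signing certs, or none at all: nothing for the IdP to encrypt to.
    return "no-encryption-cert-in-metadata"


# --- constructed sample data; NOT real X.509, only the fingerprints matter ---
CURRENT_DER = b"constructed DER: key pair shibd currently holds"
STALE_DER = b"constructed DER: key pair the SP rotated away from"


def as_pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


def key_descriptor(der: bytes, use: str = None) -> str:
    attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{base64.encodebytes(der).decode()}"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


def sample_metadata(key_descriptors: str) -> str:
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://sp.example.org/shibboleth">'
            '<md:SPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{key_descriptors}</md:SPSSODescriptor></md:EntityDescriptor>")


META_OK = sample_metadata(key_descriptor(CURRENT_DER))  # no 'use': both
META_STALE = sample_metadata(key_descriptor(CURRENT_DER, "signing")
                             + key_descriptor(STALE_DER, "encryption"))
META_SIGNING_ONLY = sample_metadata(key_descriptor(CURRENT_DER, "signing"))

if __name__ == "__main__":
    cases = (("fresh", META_OK), ("stale", META_STALE), ("signing-only", META_SIGNING_ONLY))
    for name, meta in cases:
        print(f"{name:13s} {diagnose(meta, as_pem(CURRENT_DER))}")
```

The same comparison from a shell is `openssl x509 -in sp-cert.pem -noout -fingerprint -sha256` against the certificate pasted into the metadata file. If the fingerprints differ, CAS is encrypting to a stale copy of the SP's metadata (or to a certificate the SP only ever advertised for signing), and reloading the metadata CAS holds for the registered service (its `metadataLocation`, assuming the usual SAML service registration) is the fix to try before touching anything else. If they match, suspect the OAEP parameters rather than the key.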