This is probably the least tested bit of the saml2 feature. Do open up an 
issue, and provide your config and CAS logs so we can better diagnose this.

--Misagh

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Robert Kornmesser
Sent: Tuesday, November 15, 2016 3:17 AM
To: CAS Community <cas-user@apereo.org>
Subject: [cas-user] SAML IdP - encrypt assertions

Hi all,

I am successfully running a CAS 5.0.0 with SAML IdP. I can authenticate 
against shibbolized service providers as long as I am not encrypting 
assertions. When I activate "encryptAssertions" in my service I get this 
error:

A valid authentication statement was not found in the incoming message.

Using a shibboleth 3 IDP worked before.

Here are some logs:

shibd.log

2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]:
----- BEGIN SIGNATURE DEBUG -----

2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]: <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"></ds:SignatureMethod>
<ds:Reference URI="#_1658058603619518521">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"></ds:DigestMethod>
<ds:DigestValue>zfQy3P72YVRFnpL92vmedxCZ/cmetKLLKS46qohlIBpg28d6D5uYX8jBvFqzRy3/qxhoo49Ew4R4
gC0lwBhS/Q==</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]:
2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]:
----- END SIGNATURE DEBUG -----

2016-11-15 11:12:41 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: signature validated with credential
2016-11-15 11:12:41 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: signature verified against message issuer
2016-11-15 11:12:41 DEBUG Shibboleth.SSO.SAML2 [1]: processing message against SAML 2.0 SSO profile
2016-11-15 11:12:41 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0 certificate(s)
2016-11-15 11:12:41 DEBUG XMLTooling.CredentialCriteria [1]: key algorithm didn't match ('AES' != 'RSA')
2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: XMLSecurity exception while decrypting key: OpenSSL:RSA privateKeyDecrypt - Error removing OAEPadding
2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: unable to decrypt key, generating random key for defensive purposes
2016-11-15 11:12:41 ERROR Shibboleth.SSO.SAML2 [1]: failed to decrypt assertion: XMLSecurity exception while decrypting: Errors occured during de-serialisation of decrypted element content

If you need more logs, please tell me.

Anyone else having problems with encrypted assertions?

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: 
https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups 
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/edb2535a-c79b-49bc-8949-3f95193374fe%40apereo.org.
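The OAEP failure in the shibd log above, as an added example in Go that is not code from CAS or Shibboleth: it wraps a content key for the SP the way an IdP does and shows that the SP gets the same unpadding failure whether the IdP holds a certificate that no longer matches the SP's private key or uses a different OAEP digest, so that log line alone does not tell the two causes apart. The keys are constructed throw-away keys, and the unwrapKey/Diagnose/Scenarios names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
	"hash"
)

// unwrapKey models the SP side of <xenc:EncryptedKey>: its private key plus
// the OAEP digest it expects. OAEP unpadding fails the same way for a wrong
// key and for a digest mismatch, which is all the SP log can report. Like
// shibd, substitute a random key on failure so nothing reveals which check failed.
func unwrapKey(spPriv *rsa.PrivateKey, h func() hash.Hash, wrapped []byte) ([]byte, bool) {
	if key, err := rsa.DecryptOAEP(h(), rand.Reader, spPriv, wrapped, nil); err == nil {
		return key, true
	}
	fallback := make([]byte, 16)
	rand.Read(fallback)
	return fallback, false
}

// Diagnose: the IdP wraps a fresh AES-128 key for the SP cert it holds; does the SP recover it?
func Diagnose(idpPub *rsa.PublicKey, idpHash func() hash.Hash,
	spPriv *rsa.PrivateKey, spHash func() hash.Hash) bool {
	aesKey := make([]byte, 16)
	rand.Read(aesKey)
	// 16 bytes always fit under a 2048-bit modulus, so the error is ignored here
	wrapped, _ := rsa.EncryptOAEP(idpHash(), rand.Reader, idpPub, aesKey, nil)
	got, ok := unwrapKey(spPriv, spHash, wrapped)
	return ok && string(got) == string(aesKey)
}

func Scenarios() map[string]bool {
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // constructed, not a real SP key
	staleKey, _ := rsa.GenerateKey(rand.Reader, 2048) // an old cert still held by the IdP
	return map[string]bool{
		"matching key and digest":  Diagnose(&spKey.PublicKey, sha1.New, spKey, sha1.New),
		"stale SP cert at the IdP": Diagnose(&staleKey.PublicKey, sha1.New, spKey, sha1.New),
		"OAEP digest mismatch":     Diagnose(&spKey.PublicKey, sha256.New, spKey, sha1.New),
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-26s decrypted=%v\n", name, ok)
	}
}
```

When this error shows up, comparing the encryption certificate the IdP holds for the SP against the key shibd actually loads is the first check worth making.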
