Check the system times (ntp) between the two hosts. -Jeff
On Fri, Mar 31, 2023 at 1:11 AM 'Chris Durham' via CAS Community <[email protected]> wrote:
> Hi,
>
> We've got CAS 6.6.x running beautifully with delegated IDP logins to multiple SAML providers, but the most recent one we've had to integrate with is causing me some headaches.
>
> The initial redirect works fine, but when it comes back CAS displays the SAML message but then fails to decrypt the SAML message and I can't figure out why - has anyone come across anything similar before?
>
> Chris
>
> Logs..
>
> 63ff8111b2f8 2023-03-30 20:01:28,342 ERROR [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <No valid subject assertion found in response
> 63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - <Decryption of assertion failed, continue with the next one>
> 63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.saml.saml2.encryption.Decrypter] - <SAML Decrypter encountered an error decrypting element content: Failed to decrypt EncryptedData>
> 63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - <Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver>
> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Failed to decrypt EncryptedData using EncryptedKeyResolver>
> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - <No more resolvers available in the resolver chain>
> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - <Getting key iterator from next resolver: class org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver>
> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - <Getting key iterator from next resolver: class org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver>
> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Attempt to decrypt EncryptedData using key extracted from EncryptedKey failed: >
> 63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - <Failed to decrypt EncryptedKey, valid decryption key could not be resolved>
> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed: >
> 63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - <Error decrypting encrypted key: Unwrapping failed>
> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm include list, nothing to evaluate>
> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm exclude list, nothing to evaluate>
> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Validating algorithm URI against include and exclude lists: algorithm: http://www.w3.org/2009/xmlenc11#mgf1sha1, included: null, excluded: null>
> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm include list, nothing to evaluate>
> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm exclude list, nothing to evaluate>
> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Validating algorithm URI against include and exclude lists: algorithm: http://www.w3.org/2000/09/xmldsig#sha1, included: null, excluded: null>
> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm include list, nothing to evaluate>
> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm exclude list, nothing to evaluate>
> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Validating algorithm URI against include and exclude lists: algorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, included: null, excluded: null>
> 63ff8111b2f8 2023-03-30 20:01:28,338 INFO [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Mapping from algorithm URI http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p to key length not available>
> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Added decryption key algorithm criteria: RSA>
> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - <Found matching encrypted key: org.opensaml.xmlsec.encryption.impl.EncryptedKeyImpl@3c8b684a>
> 63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - <Getting key iterator from next resolver: class org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver>
> 63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - <Comparing issuer https://shib.oit.duke.edu/shibboleth-idp against https://xxx.xxx.xxx.xxx/shibboleth-idp>
> 63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - <Successfully validated signature for entity id https://shib.oit.duke.edu/shibboleth-idp>
> 63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - <Successfully established trust of KeyInfo-derived credential>
> 63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.security.trust.impl.ExplicitKeyTrustEvaluator] - <Successfully validated untrusted credential against trusted key>
> 63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - <Attempting to establish trust of KeyInfo-derived credential>
> 63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - <Successfully verified signature using KeyInfo-derived credential>
> 63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - <Signature validation using candidate credential was successful>
> 63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] - <Signature validated with key from supplied credential>
> 63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] - <Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'>
> 63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] - <Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256>
> 63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] - <Accessing XMLSignature object>
> 63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] - <Attempting to validate signature using key from supplied credential>
> 63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.SignatureValidationProvider] - <Using a validation provider of implementation: org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl>
> 63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry could not locate evaluable criteria for criteria class org.opensaml.xmlsec.keyinfo.KeyInfoCriterion>
> 63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <A total of 1 credentials were resolved>
> 63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider>
> 63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider] - <Single certificate was present, treating as end-entity certificate>
> 63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider] - <Found 0 X509CRLs>
> 63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider] - <Found 1 X509Certificates>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider] - <Attempting to extract credential from an X509Data>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Provider org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Provider org.opensaml.xmlsec.keyinfo.impl.provider.ECKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Provider org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Provider org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Processing KeyInfo child with QName: {http://www.w3.org/2000/09/xmldsig#}X509Data>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Found 0 key names: []>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - <Attempting to verify signature and establish trust using KeyInfo-derived credentials>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry located evaluable criteria class org.opensaml.security.credential.criteria.impl.EvaluableUsageCredentialCriterion for criteria class org.opensaml.security.criteria.UsageCriterion>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry could not locate evaluable criteria for criteria class org.opensaml.saml.criterion.ProtocolCriterion>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry could not locate evaluable criteria for criteria class org.opensaml.saml.criterion.EntityRoleCriterion>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry located evaluable criteria class org.opensaml.security.credential.criteria.impl.EvaluableEntityIDCredentialCriterion for criteria class org.opensaml.core.criterion.EntityIdCriterion>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry located evaluable criteria class org.opensaml.security.credential.criteria.impl.EvaluableKeyAlgorithmCredentialCriterion for criteria class org.opensaml.security.criteria.KeyAlgorithmCriterion>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver] - <Resolved cached credentials from KeyDescriptor object metadata>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] - <After predicate filtering 1 RoleDescriptors remain>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] - <Attempting to filter candidate RoleDescriptors via resolved Predicates>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] - <Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] - <Resolved 1 source EntityDescriptors>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] - <Metadata Resolver DOMMetadataResolver org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver: After predicate filtering 1 EntityDescriptors remain>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] - <Metadata Resolver DOMMetadataResolver org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver: Attempting to filter candidate EntityDescriptors via resolved Predicates>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver] - <Metadata Resolver DOMMetadataResolver org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver: Resolved 1 candidates via EntityIdCriterion: EntityIdCriterion [id=https://shib.oit.duke.edu/shibboleth-idp]>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver] - <Retrieving role descriptor metadata for entity 'https://xxxx.xxx.xxx.xxx/shibboleth-idp' in role '{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor' for protocol 'urn:oasis:names:tc:SAML:2.0:protocol'>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver] - <Resolving credentials from metadata using entityID: https://xxxx.xxx.xxx.xxx/shibboleth-idp, role: {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor, protocol: urn:oasis:names:tc:SAML:2.0:protocol, usage: SIGNING>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - <Validating signature via trust engine for entity id https://xxxx.xxx.xxx.xxx/shibboleth-idp>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - <Saw Exclusive C14N signature transform>
> 63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - <Saw Enveloped signature transform>
> 63ff8111b2f8 2023-03-30 20:01:28,333 DEBUG [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - <Validating profile signature for entity id https://xxxx.xxx.xxxx.xxx/shibboleth-idp>
> 63ff8111b2f8 2023-03-30 20:01:28,333 DEBUG [org.opensaml.storage.ReplayCache] - <Value '_c2f60f96fecc11e9809339258596ad16' was not a replay, adding to cache with expiration time 2023-03-30T20:06:25.331Z>
> 63ff8111b2f8 2023-03-30 20:01:28,333 DEBUG [org.opensaml.storage.AbstractMapBackedStorageService] - <Read failed, key '_c2f60f96fecc11e9809339258596ad16' not found in context 'org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler'>
> 63ff8111b2f8 2023-03-30 20:01:28,333 DEBUG [org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler] - <Message Handler: Evaluating message replay for message ID '_c2f60f96fecc11e9809339258596ad16', issue instant '2023-03-30T20:01:25.331Z', entityID 'https://xxxx.xxx.xxxx.xxx/shibboleth-idp'>
> 63ff8111b2f8 2023-03-30 20:01:28,333 DEBUG [org.opensaml.messaging.handler.AbstractMessageHandler] - <Message Handler: Activation condition for handler returned true>
> 63ff8111b2f8 2023-03-30 20:01:28,332 DEBUG [org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver] - <lastModified: 1678473598041 / newLastModified: 1678473598041 -> hasChanged: false>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b61d448-9e08-42aa-a677-635051bc449an%40apereo.org.
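In the quoted log the IdP's signature verifies but the RSA-OAEP EncryptedKey cannot be unwrapped with the key CAS resolved, which is also what a mismatch between the encryption certificate published in the SP metadata and the SP's actual decryption key looks like. As an added check beside the clock comparison, and not code from this thread or from the CAS project, the script below uses the openssl CLI to confirm that the SPKI behind every encryption KeyDescriptor in the SP metadata belongs to the configured private key; the metadata and key it builds are constructed samples, and the entity ID and CN are invented.

```python
"""Check that the encryption certificate in the SP metadata handed to the IdP belongs
to the private key the SP decrypts with (a mismatch: signature OK, unwrap fails)."""
import base64
import hashlib
import subprocess
import tempfile
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def _openssl(*args, stdin=None):
    """Run the openssl CLI and return its stdout; raises if openssl exits non-zero."""
    return subprocess.run(["openssl", *args], input=stdin, capture_output=True, check=True).stdout

def encryption_certs(metadata_xml):
    """DER certificates of every KeyDescriptor usable for encryption (use="encryption" or no use)."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use") in (None, "encryption"):
            for c in kd.iter("{%s}X509Certificate" % DS_NS):
                certs.append(base64.b64decode("".join(c.text.split())))
    return certs

def spki_sha256_of_cert(cert_der):
    """SHA-256 of the DER SubjectPublicKeyInfo carried in a certificate."""
    pub_pem = _openssl("x509", "-inform", "DER", "-noout", "-pubkey", stdin=cert_der)
    return hashlib.sha256(_openssl("pkey", "-pubin", "-outform", "DER", stdin=pub_pem)).hexdigest()

def spki_sha256_of_key(key_pem):
    """SHA-256 of the DER SubjectPublicKeyInfo derived from a PEM private key."""
    return hashlib.sha256(_openssl("pkey", "-pubout", "-outform", "DER", stdin=key_pem)).hexdigest()

def key_matches_metadata(metadata_xml, key_pem):
    """True if at least one published encryption certificate carries key_pem's public key."""
    want = spki_sha256_of_key(key_pem)
    return any(spki_sha256_of_cert(c) == want for c in encryption_certs(metadata_xml))

def make_sample(matching=True):
    """Constructed sample: fresh RSA key, self-signed cert, minimal SP metadata publishing it.
    matching=False hands back a different private key, i.e. the broken deployment."""
    key_pem = _openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048")
    with tempfile.NamedTemporaryFile(suffix=".pem") as f:
        f.write(key_pem)
        f.flush()
        cert_der = _openssl("req", "-new", "-x509", "-key", f.name, "-days", "1",
                            "-subj", "/CN=sp.example", "-outform", "DER")
    metadata = (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://sp.example/cas">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        + base64.b64encode(cert_der).decode() + "</ds:X509Certificate></ds:X509Data>"
        "</ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>")
    if not matching:  # simulate the IdP holding a cert for a key the SP does not have
        key_pem = _openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048")
    return metadata, key_pem

if __name__ == "__main__":
    print({m: key_matches_metadata(*make_sample(m)) for m in (True, False)})
```

Against a real deployment, feed it the SP metadata file the IdP actually loaded and the PEM private key exported from the CAS keystore; a False result means the IdP is wrapping the session key for a certificate CAS does not hold, regardless of clock skew.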
