Re: [cas-user] CAS 6.6.x - SAML (Shibboleth), Unable to Decrypt EncryptedData
Second update - I can reproduce this error with the samltest.id website - which also uses a Shib 3.0 based solution. Would anyone else be willing to create a test against that site to validate whether it's just my configuration or potentially a general CAS issue? Thanks in advance!

On Friday, 31 March 2023 at 23:34:19 UTC-5 Chris Durham wrote:
> Hey
>
> Thanks for those suggestions - finally got to the bottom of it - and Ray, you were on the right lines...
>
> The IDP metadata we had got from the client was 'prettily' formatted, which included helpfully adding carriage returns and spaces after the X509Certificate start tag and before the end tag - grr.. removing those and giving CAS those resolved the problem. Will go back to the client and let them know not to do that for anyone else either!
>
> Thanks for the help!
> Chris
>
> On Friday, 31 March 2023 at 10:41:26 UTC-5 Ray Bon wrote:
>> Chris,
>>
>> It could be that the vendor is using an encryption certificate different from the one you are expecting.
>>
>> Ray
>>
>> On Thu, 2023-03-30 at 19:58 -0700, 'Chris Durham' via CAS Community wrote:
>> Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
>>
>> Hi,
>>
>> We've got CAS 6.6.x running beautifully with delegated IDP logins to multiple SAML providers, but the most recent one we've had to integrate with is causing me some headaches.
>>
>> The initial redirect works fine, but when it comes back CAS displays the SAML message but then fails to decrypt the SAML message and I can't figure out why - has anyone come across anything similar before?
>>
>> Chris
>>
>> Logs.. [quoted log output omitted; the same log appears in full in the original post at the end of the thread]
Re: [cas-user] CAS 6.6.x - SAML (Shibboleth), Unable to Decrypt EncryptedData
Turns out my earlier 'solution' was a red herring. So I'm still stuck with the problem that I can't get CAS to handle this particular IDP which sends encrypted responses. I've confirmed that the cert that they are using matches the one in the metadata etc.

I'm assuming that if there was a mismatch in times, then that would show up as a skew error rather than a failure to decrypt the message? I'm also assuming that since CAS is trying to decode it, it at least knows it is encrypted - is it possible that the key is not where it's expecting it (and is that a CAS issue for not looking or a provider one for being 'different') - obviously this is a bit of a stretch suggestion as I don't know if it would even be possible to return it in different places within the response!

Thanks
Chris

On Friday, 31 March 2023 at 23:34:19 UTC-5 Chris Durham wrote:
> Hey
>
> Thanks for those suggestions - finally got to the bottom of it - and Ray, you were on the right lines...
>
> The IDP metadata we had got from the client was 'prettily' formatted, which included helpfully adding carriage returns and spaces after the X509Certificate start tag and before the end tag - grr.. removing those and giving CAS those resolved the problem. Will go back to the client and let them know not to do that for anyone else either!
>
> Thanks for the help!
> Chris
>
> On Friday, 31 March 2023 at 10:41:26 UTC-5 Ray Bon wrote:
>> Chris,
>>
>> It could be that the vendor is using an encryption certificate different from the one you are expecting.
>>
>> Ray
>>
>> On Thu, 2023-03-30 at 19:58 -0700, 'Chris Durham' via CAS Community wrote:
>> Hi,
>>
>> We've got CAS 6.6.x running beautifully with delegated IDP logins to multiple SAML providers, but the most recent one we've had to integrate with is causing me some headaches.
>>
>> The initial redirect works fine, but when it comes back CAS displays the SAML message but then fails to decrypt the SAML message and I can't figure out why - has anyone come across anything similar before?
>>
>> Chris
>>
>> Logs.. [quoted log output omitted; the same log appears in full in the original post at the end of the thread]
Re: [cas-user] CAS 6.6.x - SAML (Shibboleth), Unable to Decrypt EncryptedData
Hey

Thanks for those suggestions - finally got to the bottom of it - and Ray, you were on the right lines...

The IDP metadata we had got from the client was 'prettily' formatted, which included helpfully adding carriage returns and spaces after the X509Certificate start tag and before the end tag - grr.. removing those and giving CAS those resolved the problem. Will go back to the client and let them know not to do that for anyone else either!

Thanks for the help!
Chris

On Friday, 31 March 2023 at 10:41:26 UTC-5 Ray Bon wrote:
> Chris,
>
> It could be that the vendor is using an encryption certificate different from the one you are expecting.
>
> Ray
>
> On Thu, 2023-03-30 at 19:58 -0700, 'Chris Durham' via CAS Community wrote:
> Hi,
>
> We've got CAS 6.6.x running beautifully with delegated IDP logins to multiple SAML providers, but the most recent one we've had to integrate with is causing me some headaches.
>
> The initial redirect works fine, but when it comes back CAS displays the SAML message but then fails to decrypt the SAML message and I can't figure out why - has anyone come across anything similar before?
>
> Chris
>
> Logs.. [quoted log output omitted; the same log appears in full in the original post at the end of the thread]
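Two checks on IdP metadata that follow from this exchange, as an added example that is not code from the thread, from CAS or from pac4j: whether whitespace inside ds:X509Certificate survives a strict base64 decode (the formatting Chris found), and whether the certificate the IdP actually presents is among the metadata's encryption certificates (Ray's mismatch suggestion), compared by SHA-256 fingerprint. The metadata, the entity ID and the certificate bytes are constructed stand-ins, not values from the thread.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def build_metadata(cert_text, entity_id="https://idp.example.test/shibboleth-idp"):
    """Constructed IdP metadata (placeholder entity ID, not from the thread)
    with a single KeyDescriptor marked use="encryption"."""
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        f'entityID="{entity_id}">'
        '<md:IDPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{cert_text}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# Constructed placeholder for DER certificate bytes; a real run would feed in
# the certificate the IdP actually encrypts with. Only the base64 transport of
# the bytes matters for the whitespace check.
FAKE_DER = bytes(range(48))
CERT_B64 = base64.b64encode(FAKE_DER).decode()

# Metadata as the client shipped it: the base64 body "prettily" wrapped with
# newlines and indentation inside ds:X509Certificate.
PRETTY_METADATA = build_metadata(
    f"\n          {CERT_B64[:32]}\n          {CERT_B64[32:]}\n      ")
# The same certificate with the base64 body left untouched.
COMPACT_METADATA = build_metadata(CERT_B64)


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, as 'openssl x509 -fingerprint -sha256' prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_certificates(metadata_xml):
    """One record per KeyDescriptor certificate: its use, whether the element
    text carries whitespace, whether a strict base64 decoder accepts the text
    unchanged, and the fingerprint after the whitespace is stripped."""
    root = ET.fromstring(metadata_xml)
    records = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        cert_el = kd.find(".//ds:X509Certificate", NS)
        if cert_el is None or not cert_el.text:
            continue
        raw = cert_el.text
        normalised = "".join(raw.split())  # what a lenient decoder effectively sees
        try:
            base64.b64decode(raw, validate=True)  # rejects any non-alphabet character
            strict_ok = True
        except binascii.Error:
            strict_ok = False
        der = base64.b64decode(normalised, validate=True)
        records.append({
            "use": kd.get("use"),  # None means the key serves signing and encryption
            "has_whitespace": raw != normalised,
            "strict_decode_ok": strict_ok,
            "fingerprint": sha256_fingerprint(der),
        })
    return records


def encryption_fingerprints(metadata_xml):
    """Fingerprints of every certificate the metadata permits for encryption."""
    return {r["fingerprint"] for r in inspect_certificates(metadata_xml)
            if r["use"] in (None, "encryption")}


def encryption_cert_matches(metadata_xml, idp_der):
    """Is the certificate the IdP actually presents one of the metadata's
    encryption certificates? A 'no' here is the mismatch Ray suggested."""
    return sha256_fingerprint(idp_der) in encryption_fingerprints(metadata_xml)


if __name__ == "__main__":
    for label, meta in (("pretty", PRETTY_METADATA), ("compact", COMPACT_METADATA)):
        for rec in inspect_certificates(meta):
            print(label, rec)
    print("IdP cert present in metadata:",
          encryption_cert_matches(PRETTY_METADATA, FAKE_DER))
```

Both metadata variants yield the same fingerprint once whitespace is stripped, so a decoder that tolerates the formatting and one that does not disagree only on the pretty-printed copy; the fingerprint is what to compare against the IdP's own metadata or certificate.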
Re: [cas-user] CAS 6.6.x - SAML (Shibboleth), Unable to Decrypt EncryptedData
Chris,

It could be that the vendor is using an encryption certificate different from the one you are expecting.

Ray

On Thu, 2023-03-30 at 19:58 -0700, 'Chris Durham' via CAS Community wrote:
> Hi,
>
> We've got CAS 6.6.x running beautifully with delegated IDP logins to multiple SAML providers, but the most recent one we've had to integrate with is causing me some headaches.
>
> The initial redirect works fine, but when it comes back CAS displays the SAML message but then fails to decrypt the SAML message and I can't figure out why - has anyone come across anything similar before?
>
> Chris
>
> Logs.. [quoted log output omitted; the same log appears in full in the original post at the end of the thread]
Re: [cas-user] CAS 6.6.x - SAML (Shibboleth), Unable to Decrypt EncryptedData
Check the system times (ntp) between the two hosts.

-Jeff

On Fri, Mar 31, 2023 at 1:11 AM 'Chris Durham' via CAS Community <cas-user@apereo.org> wrote:
> Hi,
>
> We've got CAS 6.6.x running beautifully with delegated IDP logins to multiple SAML providers, but the most recent one we've had to integrate with is causing me some headaches.
>
> The initial redirect works fine, but when it comes back CAS displays the SAML message but then fails to decrypt the SAML message and I can't figure out why - has anyone come across anything similar before?
>
> Chris
>
> Logs.. [quoted log output omitted; the same log appears in full in the original post at the end of the thread]
[cas-user] CAS 6.6.x - SAML (Shibboleth), Unable to Decrypt EncryptedData
Hi,

We've got CAS 6.6.x running beautifully with delegated IDP logins to multiple SAML providers, but the most recent one we've had to integrate with is causing me some headaches.

The initial redirect works fine, but when it comes back CAS displays the SAML message but then fails to decrypt the SAML message and I can't figure out why - has anyone come across anything similar before?

Chris

Logs..

2023-03-30 20:01:28,342 ERROR [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - valid subject assertion found in response
2023-03-30 20:01:28,341 ERROR [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - assertion failed, continue with the next one
2023-03-30 20:01:28,341 ERROR [org.opensaml.saml.saml2.encryption.Decrypter] - encountered an error decrypting element content: Failed to decrypt EncryptedData
2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - EncryptedData using EncryptedKeyResolver
2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] -
2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver
2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver
2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - EncryptedData using key extracted from EncryptedKey failed:
2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - EncryptedKey, valid decryption key could not be resolved
2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - EncryptedKey using credential from KEK KeyInfo resolver failed:
2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - encrypted key: Unwrapping failed
2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - include list, nothing to evaluate
2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - exclude list, nothing to evaluate
2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - URI against include and exclude lists: algorithm: http://www.w3.org/2009/xmlenc11#mgf1sha1, included: null, excluded: null
2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - include list, nothing to evaluate
2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - exclude list, nothing to evaluate
2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - URI against include and exclude lists: algorithm: http://www.w3.org/2000/09/xmldsig#sha1, included: null, excluded: null
2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - include list, nothing to evaluate
2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - exclude list, nothing to evaluate
2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - URI against include and exclude lists: algorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, included: null, excluded: null
2023-03-30 20:01:28,338 INFO [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - URI http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p to key length not available
2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - algorithm criteria: RSA
2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - org.opensaml.xmlsec.encryption.impl.EncryptedKeyImpl@3c8b684a
2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] -
2023-03-30 20:01:28,337 DEBUG [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - https://shib.oit.duke.edu/shibboleth-idp against https://xxx.xxx.xxx.xxx/shibboleth-idp
2023-03-30 20:01:28,337 DEBUG [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - https://shib.oit.duke.edu/shibboleth-idp
2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] -
2023-03-30 20:01:28,337 DEBUG [org.opensaml.security.trust.impl.ExplicitKeyTrustEvaluator] -
2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] -
2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] -
2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] -
2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] -
2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] -
2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256