On Tuesday, March 22, 2022, 11:26:59 PM GMT+1, Vieri 
<[email protected]> wrote: 

>"No private key available for decrypt, check settings"

How does the certificate bit work in layman's terms?

My Guacamole config is:

extension-priority: saml
saml-idp-metadata-url: https://idp.domain.org/idp/shibboleth
saml-entity-id: https://guacamole.domain.org:8543/HMNsg
saml-callback-url: https://guacamole.domain.org:8543/HMNsg
saml-debug: true

and https://idp.domain.org/idp/shibboleth contains a set of 3 certificates as 
in this model:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.domain.org/idp/shibboleth">
<IDPSSODescriptor 
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol 
urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
<Extensions>
<shibmd:Scope regexp="false">domain.org</shibmd:Scope>
</Extensions>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
XXX
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
XXX
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
XXX
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService 
Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" 
Location="https://idp.domain.org/idp/profile/SAML1/SOAP/ArtifactResolution" 
index="1"/>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
Location="https://idp.domain.org/idp/profile/SAML2/SOAP/ArtifactResolution" 
index="2"/>
<SingleLogoutService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
Location="https://idp.domain.org/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="https://idp.domain.org/idp/profile/SAML2/POST/SLO"/>
<SingleLogoutService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" 
Location="https://idp.domain.org/idp/profile/SAML2/POST-SimpleSign/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
Location="https://idp.domain.org:8443/idp/profile/SAML2/SOAP/SLO"/>
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" 
Location="https://idp.domain.org/idp/profile/Shibboleth/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="https://idp.domain.org/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" 
Location="https://idp.domain.org/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
Location="https://idp.domain.org/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor>
<AttributeAuthorityDescriptor 
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
<Extensions>
<shibmd:Scope regexp="false">domain.org</shibmd:Scope>
</Extensions>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
XXX
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
XXX
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
XXX
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" 
Location="https://idp.domain.org/idp/profile/SAML1/SOAP/AttributeQuery"/>
</AttributeAuthorityDescriptor>
</EntityDescriptor>


I'm running Guacamole with Tomcat on the SP, and the server.xml file contains:

    <Connector port="8543" protocol="org.apache.coyote.http11.Http11AprProtocol"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="/etc/ssl/tomcat/server.key"
                         certificateFile="/etc/ssl/tomcat/server.crt"
                         certificateChainFile="/etc/ssl/CA-HMN/cacert.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

The IdP admin asked me for the SP's public cert, so I sent him 
/etc/ssl/tomcat/server.crt.

If I still get the "No private key available for decrypt, check settings" 
message, what does that mean?

Regards,

Vieri
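When reading an IdP metadata document like the one quoted above, the first thing to establish is which keys the IdP publishes for which purpose, and which endpoints each role exposes. The script below is an added diagnostic, not part of the original message and not Guacamole or Shibboleth code: it inventories KeyDescriptor elements per role (a KeyDescriptor with no `use` attribute counts for both signing and encryption, as the SAML metadata spec prescribes), prints the SHA-256 fingerprint of each certificate so it can be compared with the one you exchanged, and lists the endpoints. The metadata it parses is a constructed sample shaped like the quoted one; its entity ID and certificate bodies are placeholders.

```python
"""Inventory the keys and endpoints an IdP advertises in its SAML metadata."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of the metadata quoted in the message.
# The "certificates" are placeholder bytes, not real X.509 DER.
FAKE_CERT_A = base64.b64encode(b"placeholder-signing-cert").decode()
FAKE_CERT_B = base64.b64encode(b"placeholder-dual-use-cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_A}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes, the form most tools print for comparison."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def inventory(metadata_xml: str) -> dict:
    """Return {"entityID": ..., "roles": {role: {"keys": [...], "endpoints": [...]}}}."""
    root = ET.fromstring(metadata_xml)
    result = {"entityID": root.get("entityID"), "roles": {}}
    for role in root:
        tag = role.tag.split("}")[-1]
        if not tag.endswith("Descriptor"):
            continue  # skip Extensions, Organization, ContactPerson, ...
        keys = []
        for kd in role.findall("md:KeyDescriptor", NS):
            use = kd.get("use")
            # No 'use' attribute means the key is valid for both purposes.
            uses = [use] if use else ["signing", "encryption"]
            for cert in kd.findall(".//ds:X509Certificate", NS):
                keys.append({"uses": uses, "sha256": fingerprint(cert.text)})
        endpoints = [(ep.tag.split("}")[-1], ep.get("Binding"), ep.get("Location"))
                     for ep in role if ep.get("Location")]
        result["roles"][tag] = {"keys": keys, "endpoints": endpoints}
    return result


def roles_without(inv: dict, use: str) -> list:
    """Roles that publish no key usable for `use` ('signing' or 'encryption')."""
    return [name for name, r in inv["roles"].items()
            if not any(use in k["uses"] for k in r["keys"])]
```

Run it against the real metadata URL's body instead of `SAMPLE_METADATA` and compare the printed fingerprints with `openssl x509 -in cert.pem -noout -fingerprint -sha256` on the certificate you were given.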
