Shibboleth – opensaml :: FatalProfileException

I have configured and installed a Shibboleth IdP and SP on a local Ubuntu machine. The IdP is configured to use LDAP.

I am trying to access a secure.html file hosted in Apache and protected by the Shibboleth SP, so when I try to access that page it redirects to the IdP login page for authentication. When I log in with the correct username and password, I get the following error message:

opensaml::FatalProfileException The system encountered an error at Wed Oct 15 18:54:04 2014 To report this problem, please contact the site administrator at root@localhost. Please include the following message in any email: opensaml::FatalProfileException at (https://idp.example.org:553/Shibboleth.sso/SAML2/POST) SAML response contained an error. Error from identity provider: Status: urn:oasis:names:tc:SAML:2.0:status:Responder Message: Unable to encrypt assertion 

Error log:

12:19:55.769 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:927] - Could not resolve a key encryption credential for peer entity: https://idp.example.org:553/shibboleth
12:19:55.773 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] - Unable to construct encrypter org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential

What could cause this error?

Common causes of this error include failing to negotiate a mutual encryption algorithm, not having a public key loaded with which to encrypt the assertion for the particular consumer/SP, and failing to load the required attributes in the document that is to be encrypted. In my experience, this is usually a missing public key on the IdP.
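As an added illustration (not part of the answer above, and not Shibboleth project code), the following script shows the check behind the "missing public key" explanation: it parses SAML 2.0 metadata for the SP entityID named in the log and lists the KeyDescriptors an IdP may use to encrypt an assertion to that SP. In SAML metadata a KeyDescriptor with `use="encryption"`, or with no `use` attribute at all, qualifies; a `use="signing"` key does not, which is why an SP whose metadata carries only a signing certificate produces "Could not resolve a key encryption credential for peer entity". Both metadata documents below are constructed samples with placeholder certificate text, not real certificates or files from the question.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Peer entityID the IdP complained about, taken from the log in the question.
SP_ENTITY_ID = "https://idp.example.org:553/shibboleth"

# Constructed sample: the SP's only KeyDescriptor is marked use="signing".
# The IdP can verify this SP's signatures but has no key to encrypt to,
# which is the failure mode in the question. Certificate text is a placeholder.
METADATA_SIGNING_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org:553/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Certificate>PLACEHOLDERCERTSIGNING</ds:X509Certificate></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org:553/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: one KeyDescriptor with no use attribute, the form the
# Shibboleth SP normally publishes, meaning the key serves both signing and
# encryption. Certificate text is again a placeholder.
METADATA_WITH_ENCRYPTION_KEY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org:553/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Certificate>
        PLACEHOLDERCERTBOTH
      </ds:X509Certificate></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org:553/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def encryption_certs(metadata_xml, entity_id):
    """Return the X509Certificate bodies (whitespace stripped) of every
    KeyDescriptor in entity_id's SPSSODescriptor that an IdP may use to
    encrypt to that SP: use="encryption", or no use attribute, which the
    SAML metadata spec defines as valid for both signing and encryption.
    Accepts a single EntityDescriptor or an EntitiesDescriptor aggregate.
    Returns [] when the entity is absent or only has signing keys."""
    root = ET.fromstring(metadata_xml)
    entity_tag = "{%s}EntityDescriptor" % NS["md"]
    entities = [root] if root.tag == entity_tag else root.iter(entity_tag)
    certs = []
    for ed in entities:
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "encryption"):
                continue  # signing-only key: useless for encrypting the assertion
            for cert in kd.findall("ds:KeyInfo/ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))
    return certs


def diagnose(metadata_xml, entity_id):
    """One-line verdict mirroring the IdP's two outcomes."""
    certs = encryption_certs(metadata_xml, entity_id)
    if not certs:
        return ("no key encryption credential for %s: the IdP will answer with "
                "'Unable to encrypt assertion'" % entity_id)
    return "%d encryption credential(s) found for %s" % (len(certs), entity_id)


if __name__ == "__main__":
    print(diagnose(METADATA_SIGNING_ONLY, SP_ENTITY_ID))
    print(diagnose(METADATA_WITH_ENCRYPTION_KEY, SP_ENTITY_ID))
```

To use this against a real deployment, feed it the SP metadata file the IdP actually loads (the one referenced from the IdP's metadata provider configuration), with the exact entityID from the log; if the list comes back empty, the fix is to add the SP's certificate to that metadata in a KeyDescriptor that is not restricted to `use="signing"` and reload the IdP's metadata.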