
List:       shibboleth-users
Subject:    Re: Message was signed, but signature could not be verified.
From:       Nate Klingenstein <ndk () sudonym ! me>
Date:       2022-07-12 20:10:37
Message-ID: CA+eXai5by78GHQjPXY_-8BvHrdmAU7j-+quUKGY5rBJHtvO=rw () mail ! gmail ! com


Arthur,

> Is this correct?

Yes.


> Given this, how does one DIRECTLY confirm that shibd is properly
> configured to verify messages sent by its configured IdP?
>

I'm not aware of any way to get it to output the certificate that it's
using for validation, though it might be doable on TRACE.  But really,
that's trying much too hard.

You just need to make sure the entityID in the assertion matches the
entityID in the metadata and the key used to sign the assertion matches the
key for signature in the metadata loaded by the SP for that entityID.
That's it.  If something doesn't match, fix it.

Hope this helps,
Nate




-- 
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
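The two-part check Nate describes (assertion Issuer equals a metadata entityID, and the key that signed the assertion equals a signing key in the metadata for that entityID) as a stand-alone diagnostic, written as an added example for this thread; it is not Shibboleth code and not anything shibd itself exposes. The metadata and assertion below are constructed, the certificate blobs are base64 placeholders rather than real X.509 data, and the entityID https://idp.example.org/idp/shibboleth is made up. It only compares the certificate the assertion's ds:KeyInfo claims was used against the KeyDescriptors in metadata (use="signing" or no use attribute); it does not cryptographically verify the XML signature, which needs an xmlsec implementation, and an assertion with no KeyInfo at all cannot be checked this way.

```python
"""Match a SAML assertion's Issuer and signing certificate against SP metadata.
Added example for the shibboleth-users thread; not Shibboleth project code.
All sample XML is constructed and the certificates are placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for DER-encoded certificates.
IDP_CERT = base64.b64encode(b"constructed-idp-signing-cert-der").decode()
OLD_CERT = base64.b64encode(b"constructed-idp-encryption-cert-der").decode()
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"  # assumed entityID

# Constructed metadata as the SP would load it (one IdP, one signing key,
# one encryption-only key that must NOT be accepted for signature checks).
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="{IDP_ENTITY_ID}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {IDP_CERT}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed assertion: Issuer plus a Signature whose KeyInfo names the cert.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_constructed" Version="2.0">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</saml:Assertion>"""


def fingerprint(b64cert: str) -> str:
    """SHA-256 over the decoded certificate; whitespace inside the PEM-style
    blob is irrelevant, so strip it before decoding."""
    der = base64.b64decode("".join(b64cert.split()))
    return hashlib.sha256(der).hexdigest()


def signing_fingerprints(metadata_xml: str, entity_id: str) -> set:
    """Fingerprints of every certificate the metadata allows for signing
    by entity_id.  A KeyDescriptor without a use attribute covers both
    signing and encryption, so it counts; use="encryption" does not."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.iter("{%s}KeyDescriptor" % NS["md"]):
            if kd.get("use") not in (None, "signing"):
                continue
            for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
                fps.add(fingerprint(cert.text))
    return fps


def check_assertion(metadata_xml: str, assertion_xml: str) -> tuple:
    """Return (ok, reason).  ok is True only when the Issuer names an entity
    in the metadata AND the cert in the assertion's KeyInfo is one of that
    entity's signing certs.  This is the match Nate describes, nothing more:
    the signature bytes themselves are not verified here."""
    a = ET.fromstring(assertion_xml)
    issuer = (a.findtext("saml:Issuer", namespaces=NS) or "").strip()
    allowed = signing_fingerprints(metadata_xml, issuer)
    if not allowed:
        return (False, "no signing key in metadata for entityID %r" % issuer)
    cert = a.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        return (False, "assertion signature carries no X509Certificate to compare")
    fp = fingerprint(cert.text)
    if fp not in allowed:
        return (False, "signing cert %s... is not a signing key for %s" % (fp[:16], issuer))
    return (True, "issuer %s and signing cert %s... match metadata" % (issuer, fp[:16]))


if __name__ == "__main__":
    print(check_assertion(METADATA, ASSERTION))
    print(check_assertion(METADATA, ASSERTION.replace(IDP_CERT, OLD_CERT)))
```

Run it against the metadata file or URL that the SP's MetadataProvider actually loads, not a copy fetched separately, since the point of the check is what shibd has loaded; the encryption-only key is deliberately rejected so that a certificate swap on the IdP that only updated the wrong KeyDescriptor shows up as a mismatch rather than a pass.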

