我已经在本地的 Ubuntu 机器上配置并安装了 shibboleth Idp 和 sp。Idp 配置了 LDAP。
我正在尝试访问托管在 Apache 中并由 shibboleth sp 保护的 secure.html 文件,因此当我尝试访问该页面时,它会重定向到 Idp 登录页面进行身份验证。使用正确的用户名和密码登录时,我收到以下错误消息:
opensaml::FatalProfileException
The system encountered an error at Wed Oct 15 18:54:04 2014
To report this problem, please contact the site administrator at root@localhost.
Please include the following message in any email:
opensaml::FatalProfileException at (https://idp.example.org:553/Shibboleth.sso/SAML2/POST)
SAML response contained an error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Message: Unable to encrypt assertion
错误日志:
12:19:55.769 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:927] - Could not resolve a key encryption credential for peer entity: https://idp.example.org:553/shibboleth
12:19:55.773 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] - Unable to construct encrypter
org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential
什么可能导致此错误?
答案1
此错误的常见原因包括无法协商相互加密算法、未加载用于加密特定消费者/SP 断言的公钥,以及无法加载要加密的文档中的必需属性。根据我的经验,最常见的原因是 IdP 上缺少公钥。