Ubuntu – Shibboleth – opensaml::FatalProfileException

Tags: ldap, shibboleth, Ubuntu

I have configured and installed a Shibboleth IdP and SP on an Ubuntu machine locally. The IdP is configured with LDAP.

I am trying to access the secure.html file, which is hosted in Apache and secured by the Shibboleth SP. When I try to access the page it redirects to the IdP login page for authentication. When I log in with the correct username and password I get the following error message:

opensaml::FatalProfileException

The system encountered an error at Wed Oct 15 18:54:04 2014

To report this problem, please contact the site administrator at root@localhost.

Please include the following message in any email:

opensaml::FatalProfileException at (https://idp.example.org:553/Shibboleth.sso/SAML2/POST)

SAML response contained an error.

Error from identity provider:

    Status: urn:oasis:names:tc:SAML:2.0:status:Responder
    Message: Unable to encrypt assertion

Error log:

    12:19:55.769 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:927] - Could not resolve a key encryption credential for peer entity: https://idp.example.org:553/shibboleth
    12:19:55.773 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] - Unable to construct encrypter
    org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential

What can cause this error?

Best Answer

Common reasons for this error include being unable to negotiate a mutual encryption algorithm, not having a public key loaded to encrypt the assertion to a particular consumer/SP, and not being able to load a required attribute in the document that is intended to be encrypted. It's most often the missing public key on the IdP that causes it, in my experience.
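One way to check the cause the answer names first, whether the SP metadata the IdP has loaded actually carries an encryption-capable key for the peer entity in the log line, is a small metadata check like the one below. This is an added example, not code from the thread or from the Shibboleth project; the metadata documents and the certificate body are constructed placeholders, and only the entityID is taken from the question's log.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def diagnose(metadata_xml, entity_id):
    """Classify why an IdP could fail to resolve a key encryption credential
    for entity_id: 'missing-entity', 'no-sp-role', 'no-encryption-key' or 'ok'."""
    root = ET.fromstring(metadata_xml)
    # Metadata may be a single EntityDescriptor or an EntitiesDescriptor aggregate.
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        entities = [root]
    else:
        entities = root.findall(".//md:EntityDescriptor", NS)
    entity = next((e for e in entities if e.get("entityID") == entity_id), None)
    if entity is None:
        return "missing-entity"
    sp = entity.find("md:SPSSODescriptor", NS)
    if sp is None:
        return "no-sp-role"
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if kd.get("use") in (None, "encryption") and \
           kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None:
            return "ok"
    return "no-encryption-key"

# Constructed sample SP metadata (not a real SP; the certificate body is a placeholder).
SP_OK = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://idp.example.org:553/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Same SP, but its only key is marked use="signing": the IdP has nothing to encrypt with.
SP_SIGNING_ONLY = SP_OK.replace("<KeyDescriptor>", '<KeyDescriptor use="signing">')

if __name__ == "__main__":
    print(diagnose(SP_OK, "https://idp.example.org:553/shibboleth"))            # ok
    print(diagnose(SP_SIGNING_ONLY, "https://idp.example.org:553/shibboleth"))  # no-encryption-key
    print(diagnose(SP_OK, "https://other.example.org/shibboleth"))              # missing-entity
```

Run it against the metadata file or provider that the IdP's relying-party configuration actually loads, since the IdP resolves the peer's key only from the metadata it has in memory, not from whatever the SP publishes.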