Unable to decrypt the Assertion when changing issuer for the AuthnRequest to the upstream IdP via RelyingPartyConfiguration
Fixed
Environment
Setup is Shib 5.1.1 as a proxy, registered at a federation as two different SPs with the same certificate and keys. Running as a Docker image based on redhat/ubi8, OpenJDK 17, Jetty 11.0.20 on Kubernetes.
Description:
Changed the issuer for a RelyingPartyOverride and the request was then sent to the upstream IdP with the changed issuer and it responded as expected. But when the EncryptedAssertion came back the proxy failed to decrypt it.
Information:
Log after the signature verification:
2024-04-03 10:30:17,773 - 172.234.96.182 - DEBUG [org.apache.xml.security.signature.Reference:799] - Verification successful for URI "#_10f331ec703a73289653d99c248f3045"
2024-04-03 10:30:17,773 - 172.234.96.182 - DEBUG [org.apache.xml.security.signature.Manifest:341] - The Reference has Type
2024-04-03 10:30:17,783 - 172.234.96.182 - ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:605] - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
2024-04-03 10:30:17,783 - 172.234.96.182 - ERROR [org.opensaml.saml.saml2.encryption.Decrypter:182] - SAML Decrypter encountered an error decrypting element content: Failed to decrypt EncryptedData
2024-04-03 10:30:17,783 - 172.234.96.182 - WARN [org.opensaml.saml.saml2.profile.impl.DecryptAssertions:71] - Profile Action DecryptAssertions: Failure performing decryption
The relying party override looks like this:
<bean parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
        <list>
            <bean parent="TagCandidate" c:name="http://macedir.org/entity-category"
                  p:values="http://id.swedenconnect.se/contract/sc/prepaid-auth-2021"/>
        </list>
    </constructor-arg>
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="true" p:signAssertions="true" p:signRequests="true" p:forceAuthn="true" p:checkAddress="false"/>
            <bean parent="SAML2.Logout" p:encryptNameIDs="false"/>
        </list>
    </property>
    <property name="issuer" value="https://nereid.stenlund.eu/idp"/>
</bean>
It seems it is not able to find the key for decryption when I change the issuer.
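Added diagnostic, not part of the report above and not Shibboleth or OpenSAML code: a Python script that parses a decoded SAML Response, finds the EncryptedKey in the two places the Decrypter log line names (inside EncryptedData's ds:KeyInfo, which the EncryptedData KeyInfoCredentialResolver handles, or beside EncryptedData and referenced by RetrievalMethod, which the EncryptedKeyResolver handles), and reports the Recipient, wrapping algorithm and certificate fingerprint the upstream IdP encrypted to, compared with the certificates the proxy actually holds. The Response text and the certificate bytes are constructed for the example; the Recipient value reuses the issuer from the override above.

```python
"""Diagnose why a SAML 2.0 EncryptedAssertion cannot be decrypted.

Added example; not code from the Shibboleth IdP or from the bug report.
The Response and the certificate bytes below are constructed, not real.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CERT_A = b"constructed DER: certificate the proxy registered under SP A"
CERT_B = b"constructed DER: some other certificate"

# Constructed Response: one EncryptedAssertion whose EncryptedKey sits beside
# EncryptedData (referenced via RetrievalMethod) and is wrapped for CERT_A.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{NS['saml']}" xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
      <ds:KeyInfo>
        <xenc:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_ek1"/>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
    <xenc:EncryptedKey Id="_ek1" Recipient="https://nereid.stenlund.eu/idp">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(CERT_A).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def find_encrypted_keys(encrypted_assertion):
    """(location, element) for each EncryptedKey the Decrypter could use.

    "inline": EncryptedData/ds:KeyInfo/xenc:EncryptedKey (EncryptedData
    KeyInfoCredentialResolver path). "peer": xenc:EncryptedKey next to
    EncryptedData, usually pointed at by RetrievalMethod (EncryptedKeyResolver).
    """
    inline = encrypted_assertion.findall(
        "xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey", NS)
    peers = encrypted_assertion.findall("xenc:EncryptedKey", NS)
    return [("inline", ek) for ek in inline] + [("peer", ek) for ek in peers]


def describe_encrypted_key(ek) -> dict:
    """Hints that tell you which key the IdP wrapped the content key for."""
    method = ek.find("xenc:EncryptionMethod", NS)
    key_name = ek.find("ds:KeyInfo/ds:KeyName", NS)
    cert = ek.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    der = None
    if cert is not None and cert.text:
        der = base64.b64decode("".join(cert.text.split()))  # strip line wrapping
    return {
        "recipient": ek.get("Recipient"),
        "algorithm": method.get("Algorithm") if method is not None else None,
        "key_name": key_name.text.strip() if key_name is not None and key_name.text else None,
        "cert_sha256": cert_fingerprint(der) if der is not None else None,
    }


def diagnose(response_xml: str, local_certs_der: dict) -> list:
    """One record per EncryptedKey, with the label of the matching local cert.

    local_certs_der maps a label to the DER bytes of each certificate the
    proxy's SP role decrypts with. matched_local_key is None when the IdP
    wrapped the key for a certificate the proxy does not hold.
    """
    root = ET.fromstring(response_xml)
    local = {cert_fingerprint(der): label for label, der in local_certs_der.items()}
    results = []
    for ea in root.iter(f"{{{NS['saml']}}}EncryptedAssertion"):
        keys = find_encrypted_keys(ea)
        if not keys:  # nothing for either resolver path to work with
            results.append({"location": None, "recipient": None, "algorithm": None,
                            "key_name": None, "cert_sha256": None,
                            "matched_local_key": None})
        for location, ek in keys:
            info = describe_encrypted_key(ek)
            info["location"] = location
            info["matched_local_key"] = local.get(info["cert_sha256"])
            results.append(info)
    return results


if __name__ == "__main__":
    for rec in diagnose(SAMPLE_RESPONSE, {"proxy-sp-a": CERT_A}):
        print(rec)
```

Run it against the decoded Response captured from the proxy's protocol-message logging, with the DER of every certificate the proxy's SP role is configured with. If matched_local_key is None for every EncryptedKey, the upstream IdP wrapped the content key for a certificate the proxy does not have, and the Recipient value shows which SP registration it chose; if a record does match, the key material is right and the failure is in how the proxy selects its decryption credential for that relying party.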