SAML2 encryption breaks after reload of relying-party.xml
Description
1. Start IdP.
2. Log into SAML2 site requiring encryption of attribute assertion.
3. Touch relying-party.xml and wait for reload.
4. Reopen browser and log into same SAML2 site. This part works fine.
5. Log into a different SAML2 site requiring encryption which has not been used since the IdP node was started.
6. See "opensaml::FatalProfileException" at SP with message "Status: urn:oasis:names:tc:SAML:2.0:status:Responder\nMessage: Unable to encrypt assertion"
7. See IdP exception in log starting with "org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential"
8. Restart IdP.
9. Try site that was "broken". Works fine now.

Changes to and subsequent reload of the metadata file do not resolve the issue. However, changes to the certificate of the affected sites result in expected differing behavior such as failure to recognize the signature of the authentication request. Fixing the certificate back to what it was does not enable encryption to function as it should.
Environment
Sun JVM 1.6.0_33
RedHat Linux
Issue occurs with and without Terracotta
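The reproduction above sorts SPs by hand into "used before the reload and still works" versus "first used after the reload and fails". The script below is an added example, not code from this report or from Shibboleth, that does the same triage over IdP process-log lines. The log line layout (time, level, logger, message), the "Reloading relying-party.xml" marker and the "Encrypted assertion for relying party ..." success message are assumptions made for the example; only the SecurityException text is taken from the report, and the `relyingParty=` suffix on the failure line is constructed so the affected entityID can be recovered. The sample log is constructed, not captured from a real IdP.

```python
"""Triage IdP log lines around a relying-party.xml reload (added example).

Each SP entityID ends up in one bucket:
  ok                   - encrypted assertions succeeded whenever attempted
  stale_after_reload   - never succeeded before the reload, fails after it
                         (the pattern the report describes)
  broken_after_reload  - worked before the reload but fails after it
                         (not the reported pattern; look at metadata/cert)
  broken_before_reload - already failing before the reload (unrelated)
"""
import re

# Assumed "time - LEVEL [logger] - message" layout for process-log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) - (?P<level>\w+) \[[^\]]*\] - (?P<msg>.*)$"
)
RELOAD_MARKER = "Reloading relying-party.xml"  # assumed reload log message
# Assumed success message; the entityID is captured.
OK_RE = re.compile(r"Encrypted assertion for relying party (?P<rp>\S+)")
# Exception text as quoted in the report; the relyingParty= suffix is constructed.
FAIL_RE = re.compile(
    r"org\.opensaml\.xml\.security\.SecurityException: "
    r"Could not resolve key encryption credential.*relyingParty=(?P<rp>\S+)"
)

# Constructed sample log: sp4 fails before the reload, sp1 and sp3 work before it,
# then after the reload sp1 still works, sp2 (never used before) fails, sp3 fails.
SAMPLE_LOG = """\
09:50:00.000 - ERROR [idp.profile.saml2.SSOProfileHandler] - org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential relyingParty=https://sp4.example.org/shibboleth
09:58:10.000 - INFO [idp.profile.saml2.SSOProfileHandler] - Encrypted assertion for relying party https://sp1.example.org/shibboleth
09:59:30.000 - INFO [idp.profile.saml2.SSOProfileHandler] - Encrypted assertion for relying party https://sp3.example.org/shibboleth
10:02:00.000 - INFO [common.config.BaseService] - Reloading relying-party.xml
10:03:15.000 - INFO [idp.profile.saml2.SSOProfileHandler] - Encrypted assertion for relying party https://sp1.example.org/shibboleth
10:05:40.000 - ERROR [idp.profile.saml2.SSOProfileHandler] - org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential relyingParty=https://sp2.example.org/shibboleth
10:07:05.000 - ERROR [idp.profile.saml2.SSOProfileHandler] - org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential relyingParty=https://sp3.example.org/shibboleth
"""


def classify(log_text):
    """Map each SP entityID seen in log_text to one of the four buckets."""
    reload_seen = False
    ok_before, ok_after, fail_before, fail_after = set(), set(), set(), set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        msg = m.group("msg")
        if RELOAD_MARKER in msg:
            reload_seen = True  # everything after this point is "after the reload"
            continue
        ok = OK_RE.search(msg)
        fail = FAIL_RE.search(msg)
        if ok:
            (ok_after if reload_seen else ok_before).add(ok.group("rp"))
        elif fail:
            (fail_after if reload_seen else fail_before).add(fail.group("rp"))

    result = {}
    for rp in ok_before | ok_after | fail_before | fail_after:
        if rp in fail_before:
            result[rp] = "broken_before_reload"
        elif rp in fail_after and rp not in ok_before:
            result[rp] = "stale_after_reload"
        elif rp in fail_after:
            result[rp] = "broken_after_reload"
        else:
            result[rp] = "ok"
    return result


def stale_relying_parties(log_text):
    """Entity IDs whose failures match the reported pattern, sorted for stable output."""
    return sorted(rp for rp, bucket in classify(log_text).items()
                  if bucket == "stale_after_reload")


if __name__ == "__main__":
    for rp, bucket in sorted(classify(SAMPLE_LOG).items()):
        print(f"{bucket:22} {rp}")
```

Only the `stale_after_reload` bucket matches the behaviour in the report (an SP first contacted after the reload, restart clears it); an SP that worked before the reload and fails afterwards, or one that was failing already, points somewhere else, such as the metadata or certificate checks the reporter also tried.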