Shibboleth - opensaml::FatalProfileException

Question

I have configured and installed shibboleth Idp and sp on a Ubuntu machine locally. The Idp is configured with LDAP.

I am trying to access the secure.html file which hosted in Apache and secured by shibboleth sp, So when I try to access the page it would redirect to Idp login page for authentication. When login with the correct username and password I get the following error message:

opensaml::FatalProfileException

The system encountered an error at Wed Oct 15 18:54:04 2014

To report this problem, please contact the site administrator at root@localhost.

Please include the following message in any email:

opensaml::FatalProfileException at (https://idp.example.org:553/Shibboleth.sso/SAML2/POST)

SAML response contained an error.

Error from identity provider:

    Status: urn:oasis:names:tc:SAML:2.0:status:Responder
    Message: Unable to encrypt assertion

Error log:

12:19:55.769 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:927] - Could not resolve a key encryption credential for peer entity: https://idp.example.org:553/shibboleth
12:19:55.773 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] - Unable to construct encrypter
org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential

What can cause this error?

Answer 1

Common reasons for this error include being unable to negotiate a mutual encryption algorithm, not having a public key loaded to encrypt the assertion to a particular consumer/SP, and not being able to load a required attribute in the document that is intended to be encrypted. It's most often the missing public key on the IdP that causes it, in my experience.