Chris, It could be that the vendor is using an encryption certificate different from the one you are expecting.
Ray

On Thu, 2023-03-30 at 19:58 -0700, 'Chris Durham' via CAS Community wrote:

Hi,

We've got CAS 6.6.x running beautifully with delegated IDP logins to multiple SAML providers, but the most recent one we've had to integrate with is causing me some headaches. The initial redirect works fine, but when it comes back CAS displays the SAML message but then fails to decrypt the SAML message and I can't figure out why - has anyone come across anything similar before?

Chris

Logs:

63ff8111b2f8 2023-03-30 20:01:28,342 ERROR [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <No valid subject assertion found in response>
63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - <Decryption of assertion failed, continue with the next one>
63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.saml.saml2.encryption.Decrypter] - <SAML Decrypter encountered an error decrypting element content: Failed to decrypt EncryptedData>
63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - <Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver>
63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Failed to decrypt EncryptedData using EncryptedKeyResolver>
63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - <No more resolvers available in the resolver chain>
63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - <Getting key iterator from next resolver: class org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver>
63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - <Getting key iterator from next resolver: class org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver>
63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Attempt to decrypt EncryptedData using key extracted from EncryptedKey failed: >
63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - <Failed to decrypt EncryptedKey, valid decryption key could not be resolved>
63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed: >
63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - <Error decrypting encrypted key: Unwrapping failed>
63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm include list, nothing to evaluate>
63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm exclude list, nothing to evaluate>
63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Validating algorithm URI against include and exclude lists: algorithm: http://www.w3.org/2009/xmlenc11#mgf1sha1, included: null, excluded: null>
63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm include list, nothing to evaluate>
63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm exclude list, nothing to evaluate>
63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Validating algorithm URI against include and exclude lists: algorithm: http://www.w3.org/2000/09/xmldsig#sha1, included: null, excluded: null>
63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm include list, nothing to evaluate>
63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Saw null algorithm exclude list, nothing to evaluate>
63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Validating algorithm URI against include and exclude lists: algorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, included: null, excluded: null>
63ff8111b2f8 2023-03-30 20:01:28,338 INFO [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - <Mapping from algorithm URI http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p to key length not available>
63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - <Added decryption key algorithm criteria: RSA>
63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - <Found matching encrypted key: org.opensaml.xmlsec.encryption.impl.EncryptedKeyImpl@3c8b684a>
63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - <Getting key iterator from next resolver: class org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver>
63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - <Comparing issuer https://shib.oit.duke.edu/shibboleth-idp against https://xxx.xxx.xxx.xxx/shibboleth-idp>
63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - <Successfully validated signature for entity id https://shib.oit.duke.edu/shibboleth-idp>
63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - <Successfully established trust of KeyInfo-derived credential>
63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.security.trust.impl.ExplicitKeyTrustEvaluator] - <Successfully validated untrusted credential against trusted key>
63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - <Attempting to establish trust of KeyInfo-derived credential>
63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - <Successfully verified signature using KeyInfo-derived credential>
63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - <Signature validation using candidate credential was successful>
63ff8111b2f8 2023-03-30 20:01:28,337 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] - <Signature validated with key from supplied credential>
63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] - <Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'>
63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] - <Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256>
63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] - <Accessing XMLSignature object>
63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl] - <Attempting to validate signature using key from supplied credential>
63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.signature.support.SignatureValidationProvider] - <Using a validation provider of implementation: org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl>
63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry could not locate evaluable criteria for criteria class org.opensaml.xmlsec.keyinfo.KeyInfoCriterion>
63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <A total of 1 credentials were resolved>
63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider>
63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider] - <Single certificate was present, treating as end-entity certificate>
63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider] - <Found 0 X509CRLs>
63ff8111b2f8 2023-03-30 20:01:28,335 DEBUG [org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider] - <Found 1 X509Certificates>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider] - <Attempting to extract credential from an X509Data>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Provider org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Provider org.opensaml.xmlsec.keyinfo.impl.provider.ECKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Provider org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Provider org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Processing KeyInfo child with QName: {http://www.w3.org/2000/09/xmldsig#}X509Data>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver] - <Found 0 key names: []>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - <Attempting to verify signature and establish trust using KeyInfo-derived credentials>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry located evaluable criteria class org.opensaml.security.credential.criteria.impl.EvaluableUsageCredentialCriterion for criteria class org.opensaml.security.criteria.UsageCriterion>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry could not locate evaluable criteria for criteria class org.opensaml.saml.criterion.ProtocolCriterion>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry could not locate evaluable criteria for criteria class org.opensaml.saml.criterion.EntityRoleCriterion>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry located evaluable criteria class org.opensaml.security.credential.criteria.impl.EvaluableEntityIDCredentialCriterion for criteria class org.opensaml.core.criterion.EntityIdCriterion>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry] - <Registry located evaluable criteria class org.opensaml.security.credential.criteria.impl.EvaluableKeyAlgorithmCredentialCriterion for criteria class org.opensaml.security.criteria.KeyAlgorithmCriterion>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver] - <Resolved cached credentials from KeyDescriptor object metadata>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] - <After predicate filtering 1 RoleDescriptors remain>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] - <Attempting to filter candidate RoleDescriptors via resolved Predicates>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] - <Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] - <Resolved 1 source EntityDescriptors>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] - <Metadata Resolver DOMMetadataResolver org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver: After predicate filtering 1 EntityDescriptors remain>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] - <Metadata Resolver DOMMetadataResolver org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver: Attempting to filter candidate EntityDescriptors via resolved Predicates>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver] - <Metadata Resolver DOMMetadataResolver org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver: Resolved 1 candidates via EntityIdCriterion: EntityIdCriterion [id=https://shib.oit.duke.edu/shibboleth-idp]>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver] - <Retrieving role descriptor metadata for entity 'https://xxxx.xxx.xxx.xxx/shibboleth-idp' in role '{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor' for protocol 'urn:oasis:names:tc:SAML:2.0:protocol'>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver] - <Resolving credentials from metadata using entityID: https://xxxx.xxx.xxx.xxx/shibboleth-idp, role: {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor, protocol: urn:oasis:names:tc:SAML:2.0:protocol, usage: SIGNING>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - <Validating signature via trust engine for entity id https://xxxx.xxx.xxx.xxx/shibboleth-idp>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - <Saw Exclusive C14N signature transform>
63ff8111b2f8 2023-03-30 20:01:28,334 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - <Saw Enveloped signature transform>
63ff8111b2f8 2023-03-30 20:01:28,333 DEBUG [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - <Validating profile signature for entity id https://xxxx.xxx.xxxx.xxx/shibboleth-idp>
63ff8111b2f8 2023-03-30 20:01:28,333 DEBUG [org.opensaml.storage.ReplayCache] - <Value '_c2f60f96fecc11e9809339258596ad16' was not a replay, adding to cache with expiration time 2023-03-30T20:06:25.331Z>
63ff8111b2f8 2023-03-30 20:01:28,333 DEBUG [org.opensaml.storage.AbstractMapBackedStorageService] - <Read failed, key '_c2f60f96fecc11e9809339258596ad16' not found in context 'org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler'>
63ff8111b2f8 2023-03-30 20:01:28,333 DEBUG [org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler] - <Message Handler: Evaluating message replay for message ID '_c2f60f96fecc11e9809339258596ad16', issue instant '2023-03-30T20:01:25.331Z', entityID 'https://xxxx.xxx.xxxx.xxx/shibboleth-idp'>
63ff8111b2f8 2023-03-30 20:01:28,333 DEBUG [org.opensaml.messaging.handler.AbstractMessageHandler] - <Message Handler: Activation condition for handler returned true>
63ff8111b2f8 2023-03-30 20:01:28,332 DEBUG [org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver] - <lastModified: 1678473598041 / newLastModified: 1678473598041 -> hasChanged: false>
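A stdlib-only Python check for Ray's suggestion, added here and not part of CAS, pac4j or this thread: it pulls the key-transport EncryptionMethod and the certificate (or KeyName) out of each EncryptedKey in a SAML Response and compares its fingerprint with the decryption certificate CAS holds, which is the quickest way to tell "wrong key" apart from "unsupported algorithm" when the log says "Unwrapping failed". The sample response, the placeholder certificate bytes and the function names are constructed for the example.

```python
# Added diagnostic (not CAS/pac4j code): compare the certificate the IdP wrapped the
# assertion key to (EncryptedKey/KeyInfo) with the decryption cert the SP holds.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol", "xenc": "http://www.w3.org/2001/04/xmlenc#"}
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"  # key-transport URI seen in the logs


def cert_fingerprint(cert_text):
    """SHA-256 over the DER bytes of a PEM or bare-base64 certificate."""
    b64 = "".join(line for line in cert_text.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode("".join(b64.split()))).hexdigest()


def inspect_encrypted_keys(response_xml):
    """Key-transport algorithm plus cert fingerprints / KeyNames of every EncryptedKey."""
    info = {"algorithms": [], "fingerprints": [], "key_names": []}
    for ek in ET.fromstring(response_xml).iterfind(".//xenc:EncryptedKey", NS):
        method = ek.find("xenc:EncryptionMethod", NS)
        if method is not None:
            info["algorithms"].append(method.get("Algorithm"))
        for c in ek.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            info["fingerprints"].append(cert_fingerprint(c.text))
        for kn in ek.iterfind("ds:KeyInfo/ds:KeyName", NS):
            info["key_names"].append((kn.text or "").strip())
    return info


def diagnose(response_xml, sp_decryption_cert):
    """'match', 'mismatch', or 'unknown' when the IdP sent no certificate hint."""
    info = inspect_encrypted_keys(response_xml)
    if not info["fingerprints"]:
        return "unknown"  # fall back to checking the SP metadata the IdP has on file
    return "match" if cert_fingerprint(sp_decryption_cert) in info["fingerprints"] else "mismatch"


# Constructed sample: EncryptedAssertion with an inline EncryptedKey, the shape the
# InlineEncryptedKeyResolver matched in the logs. key_info is the inner KeyInfo XML.
def sample_response(key_info):
    cipher = "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
    template = ('<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s" xmlns:xenc="%s" xmlns:ds="%s">'
                '<saml2:EncryptedAssertion><xenc:EncryptedData>'
                '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>'
                '<ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="%s"/>'
                '<ds:KeyInfo>%s</ds:KeyInfo>%s</xenc:EncryptedKey></ds:KeyInfo>%s'
                '</xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>')
    return template % (NS["saml2p"], NS["saml2"], NS["xenc"], NS["ds"], RSA_OAEP, key_info, cipher, cipher)


# Constructed placeholder "certificates": only their bytes matter for the fingerprint.
CAS_CERT = base64.b64encode(b"constructed CAS decryption cert DER").decode()
VENDOR_CERT = base64.b64encode(b"constructed vendor-side cert DER").decode()
X509 = "<ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>"
print(diagnose(sample_response(X509 % VENDOR_CERT), CAS_CERT))  # mismatch
```

On a real deployment, feed it the base64-decoded SAMLResponse from the browser POST and the certificate CAS publishes in its SP metadata KeyDescriptor with use="encryption".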