Package: libshibsp1
Version: 2.0.dfsg1-4
Severity: important

When SP contacts IdP to retrieve attributes I receive:

[...]
2009-06-10 11:57:55 DEBUG Shibboleth.SSO.SAML1 [7]: SSO profile processing completed successfully
2009-06-10 11:57:55 DEBUG Shibboleth.SSO.SAML1 [7]: extracting pushed attributes...
2009-06-10 11:57:55 DEBUG Shibboleth.AttributeExtractor [7]: skipping unmapped NameIdentifier with format (urn:mace:shibboleth:1.0:nameIdentifier)
2009-06-10 11:57:55 DEBUG Shibboleth.SSO.SAML1 [7]: resolving attributes...
2009-06-10 11:57:55 DEBUG Shibboleth.AttributeResolver [7]: attempting SAML 1.x attribute query
2009-06-10 11:57:55 DEBUG XMLTooling.SOAPTransport.CURL [7]: getting connection handle to https://omissis.unimore.it:8443/idp/profile/SAML1/SOAP/AttributeQuery
2009-06-10 11:57:55 DEBUG XMLTooling.SOAPTransport.CURL [7]: returning existing connection handle from pool
2009-06-10 11:57:55 DEBUG Shibboleth.SOAPClient [7]: prepping SOAP transport for use by application (default)
2009-06-10 11:57:55 DEBUG XMLTooling.SOAPClient [7]: marshalled envelope:
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2009-06-10T09:57:55Z" MajorVersion="1" MinorVersion="1" RequestID="_0f2c1d1c0433f1f451e1f6b7c175d37b"><samlp:AttributeQuery Resource="https://moodle-idem.unimore.it/shibboleth"><saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">_849af2efb79ae1af2dde5fee76c9b790</saml:NameIdentifier></saml:Subject></samlp:AttributeQuery></samlp:Request></S:Body></S:Envelope>
2009-06-10 11:57:55 DEBUG XMLTooling.SOAPTransport.CURL [7]: sending SOAP message to https://omissis.unimore.it:8443/idp/profile/SAML1/SOAP/AttributeQuery
2009-06-10 11:57:55 DEBUG XMLTooling.SOAPTransport.CURL [7]: invoking custom X.509 verify callback
2009-06-10 11:57:55 DEBUG XMLTooling.TrustEngine.ExplicitKey [7]: attempting to match credentials from peer with end-entity certificate
2009-06-10 11:57:55 DEBUG XMLTooling.TrustEngine.ExplicitKey [7]: end-entity certificate matches peer RSA key information
2009-06-10 11:57:55 ERROR Shibboleth.AttributeResolver [7]: exception during SAML query to https://omissis.unimore.it:8443/idp/profile/SAML1/SOAP/AttributeQuery: CURLSOAPTransport failed while contacting SOAP responder: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
2009-06-10 11:57:55 ERROR Shibboleth.AttributeResolver [7]: unable to obtain a SAML response from attribute authority
[...]

It doesn't look like a curl issue because

sudo curl -v -K .curlrc

with

$ cat .curlrc
url = "https://omissis.unimore.it:8443/idp/profile/SAML1/SOAP/AttributeQuery"
cert = "/etc/ssl/certs/moodle-idem.pem"
key = "/etc/ssl/private/moodle-idem.key"
cacert = "/etc/ssl/certs/scs-chain.pem"
data-binary = @soap.xml

and

$ cat soap.xml
<?xml version="1.0" encoding="UTF-8"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2009-06-10T07:21:37Z" MajorVersion="1" MinorVersion="1" RequestID="_37fd92205b573e2b52d1a27e2e3b2192">
      <samlp:AttributeQuery Resource="https://moodle-idem.unimore.it/shibboleth">
        <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
          <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">_4ba22d464748124ad9d29fb079619bd7</saml:NameIdentifier>
        </saml:Subject>
      </samlp:AttributeQuery>
    </samlp:Request>
  </S:Body>
</S:Envelope>

works.

More details: the SP is a brand new Debian/etch upgraded to lenny (hosted on XEN). The box is 1 day old, no patching, nothing. This configuration used to work for a year, at least till a week ago. No certificates were changed, neither in the IdP nor in the SP. It looks like something SP related, as it shows with 3 different IdP (two of this Institution, one from a different University).

If it turns out it was me to be the cause of all this mess, please feel free to charge me at least a gift from amazon.

Thank you for your attention,

Francesco Malvezzi

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18.8.xs5.0.0.10.439 (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libshibsp1 depends on:
ii  libc6                   2.7-18       GNU C Library: Shared libraries
ii  libgcc1                 1:4.3.2-1.1  GCC support library
ii  liblog4cpp5             1.0-4        C++ library for flexible logging (
ii  libsaml2                2.0-2        Security Assertion Markup Language
ii  libstdc++6              4.3.2-1.1    The GNU Standard C++ Library v3
ii  libxerces-c28           2.8.0-3      validating XML parser library for
ii  libxml-security-c14     1.4.0-3      C++ library for XML Digital Signat
ii  libxmltooling1          1.0-2        C++ XML parsing library with encry
ii  opensaml2-schemas       2.0-2        Security Assertion Markup Language
ii  shibboleth-sp2-schemas  2.0.dfsg1-4  Federated web single sign-on syste
ii  xmltooling-schemas      1.0-2        XML schemas for XMLTooling

libshibsp1 recommends no packages.

libshibsp1 suggests no packages.

-- no debconf information
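
Added example, not part of the original report and not Shibboleth code: a small triage script for a log in the layout shown above. For each ERROR line it reports the last non-ERROR step logged under the same bracketed id and splits the OpenSSL error code into its library, function and reason numbers. It assumes the pre-3.0 OpenSSL packed error layout; the function names and the SAMPLE_LOG constant are made up for this example.

```python
import re

# Line layout as seen in the report: "<date> <time> <LEVEL> <category> [<n>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<level>[A-Z]+) "
    r"(?P<cat>\S+) \[(?P<ctx>\d+)\]: (?P<msg>.*)$")
# OpenSSL error string: error:<8 hex digits>:<library>:<function>:<reason>
OSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")

def decode_openssl_error(msg):
    """Split a pre-3.0 OpenSSL packed error code into lib/func/reason numbers."""
    m = OSSL_RE.search(msg)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF, "lib_name": m.group(2),
            "func_name": m.group(3), "reason_text": m.group(4).strip()}

def triage(log_text):
    """Return one finding per ERROR line, with the last non-ERROR line logged
    under the same bracketed id, which shows which step had just completed."""
    last_ok, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines and "[...]" markers
        if m["level"] == "ERROR":
            findings.append({"ts": m["ts"], "category": m["cat"],
                             "preceded_by": last_ok.get(m["ctx"]),
                             "openssl": decode_openssl_error(m["msg"])})
        else:
            last_ok[m["ctx"]] = (m["cat"], m["msg"])
    return findings

# Four lines copied from the log in the report above.
SAMPLE_LOG = """\
2009-06-10 11:57:55 DEBUG XMLTooling.SOAPTransport.CURL [7]: invoking custom X.509 verify callback
2009-06-10 11:57:55 DEBUG XMLTooling.TrustEngine.ExplicitKey [7]: end-entity certificate matches peer RSA key information
2009-06-10 11:57:55 ERROR Shibboleth.AttributeResolver [7]: exception during SAML query to https://omissis.unimore.it:8443/idp/profile/SAML1/SOAP/AttributeQuery: CURLSOAPTransport failed while contacting SOAP responder: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
2009-06-10 11:57:55 ERROR Shibboleth.AttributeResolver [7]: unable to obtain a SAML response from attribute authority
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["category"], "after:", f["preceded_by"])
        print("   openssl:", f["openssl"])
```

On the lines from the report, the first finding shows the error arriving right after the ExplicitKey trust engine had matched the peer key, and the code 0B07C065 splits into library 11, function 124, reason 101.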