How do I change the certificate of a Shibboleth service provider? I have an existing identity provider (IDP) and service provider (SP) and I need to replace the certificate with a Verisign signed cert. I am testing with a self-signed cert created with the Shibboleth etc/shibboleth/keygen.bat.
I have added the new cert & key as a standby CredentialResolver in shibboleth2.xml for the SP:
<CredentialResolver keyName="Standby" type="File" key="D:/tmp/sp-key-qa.pem" certificate="D:/tmp/sp-cert-qa.pem"/>
I have updated the metadata for the IDP by adding the cert in the metadata file:
relying-party.xml:
<metadata:MetadataProvider id="CMSMd" xsi:type="metadata:ResourceBackedMetadataPro$
<metadata:MetadataResource xsi:type="resource:FilesystemResource" file="/usr/s$
</metadata:MetadataProvider>
metadata.xml:
<KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDMDCCAhigAwIBAgIJAJ1BXaNNWMHhMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV
...
And it works up to that point. However, when I comment out the old certificate from the metadata on the IDP and restart, it fails.
metadata.xml:
<!-- Old cert
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIFjjCCA3agAwIBAgICAsowDQYJKoZIhvcNAQEFBQAwgaAxCzAJBgNVBAYTAlVT
...
When I try to access the protected URL, it redirects correctly to the IDP, I authenticate, it redirects to the SP at the URL /Shibboleth.sso/SAML2/Artifact?SAMLart=AAQAAilR... and fails with 'Internal Server Error. Please contact the site administrator.' in the browser.
In the IDP log, it says
10:14:12.124 - ERROR [org.opensaml.ws.security.provider.ClientCertAuthRule:156] - Authentication via client certificate failed for context presenter entity ID urn:company:cms
10:14:12.154 - DEBUG [PROTOCOL_MESSAGE:64] -
<?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Body>
<saml2p:ArtifactResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_6cbe5f5c3327d6bea5223322eb637a75" InResponseTo="_d7eda74f5805219b22c4e5be2fe8bbb7" IssueInstant="2012-07-17T14:14:12.143Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:company:sso:idp</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</saml2p:StatusCode>
<saml2p:StatusMessage>Message did not meet security requirements</saml2p:StatusMessage>
</saml2p:Status>
</saml2p:ArtifactResponse>
</soap11:Body>
</soap11:Envelope>
In the SP log, it says:
<13>Jul 17 10:13:38 CMSMACHINE01 [apache-error]: [Tue Jul 17 10:13:38 2012] [error] [client 172.17.87.25] client denied by server configuration: D:/Packages/Apache2.2/htdocs/favicon.ico
<-5>[shibd] ERROR [[1]] OpenSAML.SOAPClient - SOAP client detected a SAML error: (urn:oasis:names:tc:SAML:2.0:status:Responder) (Message did not meet security requirements)
<-5>[apache-shibd] ERROR [[9888] shib_handler] Shibboleth.Listener - remoted message returned an error: Identity provider returned a SAML error in response to artifact.
<-5>[apache-shibd] ERROR [[9888] shib_handler] Shibboleth.Apache - Identity provider returned a SAML error in response to artifact.
<-5>[apache-shibd] ERROR [[9888] shib_handler] Shibboleth.ServiceProvider - sendError could not process error template ()
<13>Jul 17 10:14:12 CMSMACHINE01 [apache-error]: [Tue Jul 17 10:14:12 2012] [error] [client 172.17.87.25] Identity provider returned a SAML error in response to artifact., referer: https://sso.dev.company.com/idp/Authn/BB
Please help. I have a feeling there is a security policy setting somewhere, but I can't find any documentation on it nor any setting in the configuration files.
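The IdP-side error in the log, `ClientCertAuthRule ... Authentication via client certificate failed for context presenter entity ID urn:company:cms`, is raised when the IdP checks the TLS client certificate the SP presents on the artifact-resolution back channel against the `KeyDescriptor` entries it has loaded for that SP from metadata. A quick way to see which of the SP's configured certificates the IdP metadata still vouches for, before restarting anything, is to fingerprint both sides and compare. The following checker is an added example written for this answer, not part of the question, the Shibboleth distribution or its configuration; it uses only the Python standard library, and the certificate bytes and metadata snippets in it are constructed stand-ins (opaque bytes, not real X.509 structures; fingerprinting never parses them), so in practice you would point it at the real `sp-cert-qa.pem` and the metadata file the IdP loads.

```python
"""Compare the SP's configured certificate(s) with the KeyDescriptors in SP metadata.

The IdP only accepts a TLS client certificate (or a signature) from the SP if its
DER encoding matches an X509Certificate in a KeyDescriptor with use="signing" or
with no use attribute at all. Added example; stdlib only.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Decode every CERTIFICATE block in a PEM file into raw DER bytes."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def fingerprint(der):
    """SHA-256 over the DER bytes: the digest `openssl x509 -fingerprint -sha256` prints, without colons."""
    return hashlib.sha256(der).hexdigest()


def local_name(tag):
    """Strip the namespace from an ElementTree tag such as '{uri}KeyDescriptor'."""
    return tag.rsplit("}", 1)[-1]


def metadata_key_fingerprints(metadata_xml):
    """Return (use, fingerprint) for every X509Certificate inside a KeyDescriptor.

    ElementTree discards XML comments while parsing, so a KeyDescriptor wrapped in
    <!-- ... --> (as in the question) is simply absent from the result, exactly as
    it is absent for the IdP. A KeyDescriptor without `use` covers signing and encryption.
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter():
        if local_name(kd.tag) != "KeyDescriptor":
            continue
        use = kd.get("use", "any")
        for cert in kd.iter():
            if local_name(cert.tag) == "X509Certificate" and cert.text:
                der = base64.b64decode("".join(cert.text.split()))
                found.append((use, fingerprint(der)))
    return found


def check_sp_credentials(metadata_xml, sp_cert_pem):
    """Map each SP certificate fingerprint to whether the metadata trusts it for
    signing / TLS client authentication. Encryption-only descriptors do not count."""
    trusted = {fp for use, fp in metadata_key_fingerprints(metadata_xml) if use in ("signing", "any")}
    return {fingerprint(der): fingerprint(der) in trusted for der in pem_to_der(sp_cert_pem)}


# --- Constructed sample data (stand-ins, not real certificates or real metadata) ---
OLD_DER = b"constructed-old-self-signed-cert"   # stands in for the keygen.bat certificate
NEW_DER = b"constructed-new-ca-signed-cert"     # stands in for the CA-signed replacement


def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


def _key_descriptor(der):
    return ('<KeyDescriptor><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>'
            '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>'
            % base64.b64encode(der).decode())


OLD_CERT_PEM = _pem(OLD_DER)
NEW_CERT_PEM = _pem(NEW_DER)
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Working state: both KeyDescriptors published, so either key is accepted.
METADATA_BOTH = ('<EntityDescriptor xmlns="%s" entityID="urn:company:cms"><SPSSODescriptor>%s%s'
                 '</SPSSODescriptor></EntityDescriptor>'
                 % (MD_NS, _key_descriptor(OLD_DER), _key_descriptor(NEW_DER)))
# Failing state: the old KeyDescriptor is commented out, so only the new key is accepted.
METADATA_NEW_ONLY = ('<EntityDescriptor xmlns="%s" entityID="urn:company:cms"><SPSSODescriptor>'
                     '<!-- Old cert %s -->%s</SPSSODescriptor></EntityDescriptor>'
                     % (MD_NS, _key_descriptor(OLD_DER), _key_descriptor(NEW_DER)))

if __name__ == "__main__":
    for label, md in (("both certs published", METADATA_BOTH), ("old cert commented out", METADATA_NEW_ONLY)):
        print(label)
        for key_name, pem in (("old key", OLD_CERT_PEM), ("new key", NEW_CERT_PEM)):
            for fp, ok in check_sp_credentials(md, pem).items():
                print("  %-7s %s...  %s" % (key_name, fp[:16], "trusted" if ok else "NOT in metadata"))
```

Run against real files, the check answers one question per credential: is the certificate shibd actually uses for the back-channel TLS handshake still listed in what the IdP loads? If the key the SP presents is the one whose `KeyDescriptor` was commented out, the IdP's `ClientCertAuthRule` has nothing to match it against and returns `RequestDenied` / "Message did not meet security requirements", which is the exchange shown in the logs above. Until the SP is confirmed to present the new key, keeping both descriptors in the IdP's copy of the metadata is the safe rollover state.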