I'm having trouble setting up a SAML2 federation. We've got it to work
against the SP's dev environment, but not against the production env.
This is what I've done:

1. Imported the metadata from the SP into the IDP

Had to remove the #default from
<InclusiveNamespaces PrefixList="#default md saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
because NAM would not validate it.
Also had to remove index="2" isDefault="false" from
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.domain.no/Login/rogaland.ashx?logout=rogaland" index="2" isDefault="false" />
because NAM would not validate it.

I've done that in the config to the SP's dev environment. That worked
just fine.

2. Imported the root CA for the SP (and the intermediate cert)
3. I've also imported the server certificate, just to test it.

There is no encryption, only signing.

The SAML2 auth request seems OK compared to the dev env:


<samlp:AuthnRequest ID="_4ebbe80e-275f-42d6-8e3a-1439ff69bcec"
AssertionConsumerServiceURL="https://sp.domain.no/Login/rogaland.ashx?auth=rogaland&amp;binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST"
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.domain.no/</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" />

I've enabled logging (debug), but it's not telling me anything useful:
Warning: Invalid resource key: Request was from an untrusted provider. No prefix!
Warning: Invalid resource key: Request was from an untrusted provider. No prefix!
<amLogEntry> 2013-04-08T10:44:38Z WARNING NIDS SAML2: Exception message: "Request was from an untrusted provider"
y, Line: 1578, Method: <init>
y, Line: 2119, Method: <init>
y, Line: 2473, Method: <init>
y, Line: 529, Method: <init>
y, Line: 1217, Method: getRequest
y, Line: 539, Method: handleInBoundMessage
y, Line: 806, Method: processSSOEndpoint
y, Line: 2224, Method: A
y, Line: 3275, Method: handleRequest
y, Line: 3451, Method: handleRequest
y, Line: 2459, Method: myDoGet
y, Line: 2679, Method: doGet
HttpServlet.java, Line: 627, Method: service
HttpServlet.java, Line: 729, Method: service
ApplicationFilterChain.java, Line: 269, Method: internalDoFilter
ApplicationFilterChain.java, Line: 188, Method: doFilter
StandardWrapperValve.java, Line: 213, Method: invoke
StandardContextValve.java, Line: 172, Method: invoke
StandardHostValve.java, Line: 127, Method: invoke
ErrorReportValve.java, Line: 117, Method: invoke
StandardEngineValve.java, Line: 108, Method: invoke
CoyoteAdapter.java, Line: 174, Method: service
Http11Processor.java, Line: 879, Method: process
Http11BaseProtocol.java, Line: 665, Method: processConnection
PoolTcpEndpoint.java, Line: 528, Method: processSocket
LeaderFollowerWorkerThread.java, Line: 81, Method: runIt
ThreadPool.java, Line: 689, Method: run
Thread.java, Line: 662, Method: run

Warning: Invalid resource key: Request was from an untrusted provider. No prefix!
Warning: Invalid resource key: Request was from an untrusted provider. No prefix!
Any suggestions? Could it be a cert and signing problem? I'm guessing it
has something to do with the SP...
fsjovatsen's Profile: https://forums.netiq.com/member.php?userid=549
View this thread: https://forums.netiq.com/showthread.php?t=47495
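An added diagnostic example, not part of the original post and not NetIQ Access Manager code. A SAML2 IdP normally decides whether a requester is trusted by matching the `saml:Issuer` of the incoming AuthnRequest against the `entityID` of an imported SP metadata document (an exact string comparison, so a trailing slash or a different host between dev and production is enough to fail it), and by checking the request's `AssertionConsumerServiceURL` against the `AssertionConsumerService` endpoints that metadata declares. The script below makes those two comparisons explicit and also reproduces the two metadata edits from step 1 (dropping `#default` from the `PrefixList`, stripping `index`/`isDefault` from `SingleLogoutService`). The sample metadata and request are constructed here from the values quoted in the post; `Version`, `IssueInstant` and the ACS `index` are assumed values, and the metadata carries no certificate. Note that any edit to a signed metadata file invalidates its `ds:Signature`, so the edited copy has to be trusted out of band.

```python
"""Cross-check a SAML2 AuthnRequest against the SP metadata an IdP has imported."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "ec": "http://www.w3.org/2001/10/xml-exc-c14n#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample SP metadata (not the real SP's file). entityID and endpoint
# URLs come from the post; the ACS index and the absence of a KeyDescriptor are
# assumptions made for the example.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.domain.no/">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <InclusiveNamespaces PrefixList="#default md saml ds xs xsi"
            xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:CanonicalizationMethod>
    </ds:SignedInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.domain.no/Login/rogaland.ashx?logout=rogaland" index="2" isDefault="false"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.domain.no/Login/rogaland.ashx?auth=rogaland&amp;binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest built from the fragment in the post; Version and
# IssueInstant are assumed (the post's fragment is truncated).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_4ebbe80e-275f-42d6-8e3a-1439ff69bcec" Version="2.0" IssueInstant="2013-04-08T10:44:38Z"
    AssertionConsumerServiceURL="https://sp.domain.no/Login/rogaland.ashx?auth=rogaland&amp;binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.domain.no/</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>"""


def clean_metadata(metadata_xml: str) -> str:
    """Apply the two edits described in the post and return the edited XML.

    Any change to a signed metadata document invalidates its ds:Signature, so
    the result must be trusted through some other channel (e.g. a fingerprint
    confirmed with the SP's operators) rather than by signature validation.
    """
    root = ET.fromstring(metadata_xml)
    # 1. Drop the '#default' token from every exc-c14n PrefixList.
    for inc in root.iter("{%s}InclusiveNamespaces" % NS["ec"]):
        prefixes = inc.get("PrefixList", "").split()
        inc.set("PrefixList", " ".join(p for p in prefixes if p != "#default"))
    # 2. Strip index/isDefault from SingleLogoutService (they are not defined
    #    for that element; they belong to indexed endpoints such as ACS).
    for slo in root.iter("{%s}SingleLogoutService" % NS["md"]):
        for attr in ("index", "isDefault"):
            slo.attrib.pop(attr, None)
    return ET.tostring(root, encoding="unicode")


def check_request(authn_xml: str, metadata_xml: str) -> dict:
    """Compare the request's Issuer and ACS URL with the imported SP metadata.

    Both comparisons are exact string matches, which is how IdPs key their
    trust: 'https://sp.domain.no' and 'https://sp.domain.no/' are different
    entityIDs, and a production request carrying the dev entityID (or vice
    versa) will be reported as coming from an untrusted provider.
    """
    req = ET.fromstring(authn_xml)
    md_root = ET.fromstring(metadata_xml)
    issuer_el = req.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    entity_id = md_root.get("entityID", "")
    acs_url = req.get("AssertionConsumerServiceURL", "")
    registered_acs = {
        acs.get("Location")
        for acs in md_root.iterfind(".//md:AssertionConsumerService", NS)
    }
    return {
        "issuer": issuer,
        "entity_id": entity_id,
        "issuer_matches_entity_id": issuer == entity_id,
        "acs_url_registered": acs_url in registered_acs,
    }


if __name__ == "__main__":
    print(check_request(AUTHN_REQUEST, SP_METADATA))
    print(clean_metadata(SP_METADATA))
```

Run it against the real production metadata and a captured production AuthnRequest (the XML in the post is the request after base64/inflate decoding); if either flag comes back `False`, the mismatch is the first thing to reconcile with the SP before looking at certificates.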