Shibboleth opensaml – FatalProfileException – Message was signed, but signature could not be verified

The client asked us to update our cert to their ADFS. I couldn't find a good way to troubleshoot this using Google, so I started to examine all the configuration files in /etc/shibboleth.

That led me to federationmetadata.xml.

I found a KeyDescriptor section that looked like a certificate, so I added a new section with the new cert.

<KeyDescriptor use="signing">
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
      <X509Certificate>MII......hidden......</X509Certificate>
    </X509Data>
  </KeyInfo>
</KeyDescriptor>
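The error in the title is what the SP logs when the IdP signs with a key whose certificate is not in any KeyDescriptor the SP trusts, so the thing to verify before and after such an edit is whether the new certificate is actually present. The following is an added Python example, not code from the original post or from the Shibboleth project. It parses a SAML 2.0 metadata document, collects every certificate a verifier may use for signatures (KeyDescriptor with use="signing", or with no use attribute, which the metadata schema treats as both signing and encryption), compares SHA-256 fingerprints of the decoded bytes, and can insert a new signing KeyDescriptor directly after the existing ones so the element order required by the schema still holds. The entityID, the metadata layout and all certificate payloads are constructed placeholders.

```python
"""Check and update the IdP signing certificates an SP trusts in SAML metadata.

Added example for the Shibboleth note above; not code from the original post
or from the Shibboleth project. Every certificate payload below is a
CONSTRUCTED placeholder (arbitrary bytes, not DER), and the entityID is made up.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholders standing in for base64-encoded DER certificates.
OLD_CERT_B64 = base64.b64encode(b"constructed-old-adfs-signing-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed-new-adfs-signing-cert").decode()
ENC_CERT_B64 = base64.b64encode(b"constructed-adfs-encryption-cert").decode()

# Constructed stand-in for /etc/shibboleth/federationmetadata.xml before the edit.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD}" entityID="https://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}">
        <X509Data>
          <X509Certificate>
            {OLD_CERT_B64}
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{DS}">
        <X509Data><X509Certificate>{ENC_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the decoded bytes; whitespace inside the base64 is ignored,
    since the value is usually line-wrapped inside <X509Certificate>."""
    der = base64.b64decode(re.sub(r"\s+", "", cert_b64))
    return hashlib.sha256(der).hexdigest()


def signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate a verifier may use for signatures.
    A KeyDescriptor without a use attribute covers signing and encryption."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only key: never used to verify signatures
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            found.add(fingerprint(cert.text or ""))
    return found


def is_trusted(metadata_xml: str, cert_b64: str) -> bool:
    """True if a signature made with this certificate's key would verify."""
    return fingerprint(cert_b64) in signing_fingerprints(metadata_xml)


def add_signing_cert(metadata_xml: str, cert_b64: str) -> str:
    """Add a KeyDescriptor use="signing" to each IDPSSODescriptor, placed right
    after the existing KeyDescriptors so the schema's element order holds."""
    root = ET.fromstring(metadata_xml)
    kd_tag = f"{{{MD}}}KeyDescriptor"
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        last = max((i for i, c in enumerate(idp) if c.tag == kd_tag), default=-1)
        kd = ET.Element(kd_tag, use="signing")
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
        idp.insert(last + 1, kd)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("new cert trusted before edit:", is_trusted(SAMPLE_METADATA, NEW_CERT_B64))
    updated = add_signing_cert(SAMPLE_METADATA, NEW_CERT_B64)
    print("new cert trusted after edit: ", is_trusted(updated, NEW_CERT_B64))
    print("old cert still trusted:      ", is_trusted(updated, OLD_CERT_B64))
```

Keeping the old KeyDescriptor alongside the new one, as the post does, is the right shape for a rollover: assertions signed with either key verify until the IdP has fully switched. One caveat worth checking in shibboleth2.xml: if the MetadataProvider there fetches the IdP's metadata from a URL rather than reading the local file, a hand edit of the local copy is not what the SP is using.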

SSL/TLS Strong Encryption: How-To

https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

# "Modern" configuration, defined by the Mozilla Foundation's SSL Configuration
# Generator as of August 2016. This tool is available at
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
# Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some
# require OpenSSL 1.1.0, which as of this writing was in pre-release.
SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression      off
SSLSessionTickets   off
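The excerpt above quotes the Mozilla "modern" directives without saying what each one rules out. As an added example, not code from the Apache documentation or from the Mozilla generator, here is a Python audit that parses an Apache mod_ssl fragment and reports where it falls short of those five settings: legacy protocol versions left enabled by SSLProtocol, SSLCipherSuite entries that admit weak groups or concrete suites without an ephemeral (ECDHE/DHE) key exchange, SSLHonorCipherOrder not on, SSLCompression not off, and SSLSessionTickets not off. The weak fragment is constructed for contrast; the resolution of the `all` keyword assumes its documented meaning (every supported version other than SSLv2), and the defaults assumed for absent directives are those of current mod_ssl.

```python
"""Audit an Apache mod_ssl fragment against the "modern" settings quoted above.

Added example; not code from the Apache documentation or the Mozilla generator.
The WEAK_CONFIG fragment is constructed for contrast; MODERN_CONFIG repeats the
directives quoted in the how-to excerpt.
"""

# What "all" expands to in SSLProtocol (assumption: documented meaning, SSLv2 excluded).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Versions the quoted configuration removes with "-SSLv3 -TLSv1 -TLSv1.1".
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-list tokens that admit broken or key-exchange-free suites.
WEAK_TOKENS = {"LOW", "MEDIUM", "EXP", "EXPORT", "RC4", "DES", "3DES", "MD5",
               "NULL", "aNULL", "eNULL", "ADH", "AECDH", "COMPLEMENTOFDEFAULT"}

WEAK_CONFIG = """
# constructed legacy fragment
SSLProtocol         all -SSLv2
SSLCipherSuite      HIGH:MEDIUM:!aNULL:!MD5:RC4-SHA
SSLHonorCipherOrder off
SSLCompression      on
SSLSessionTickets   on
"""

MODERN_CONFIG = """
SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression      off
SSLSessionTickets   off
"""


def parse_directives(config: str) -> dict:
    """Map directive name -> argument string; comments and blank lines skipped."""
    directives = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def enabled_protocols(spec: str) -> set:
    """Resolve an SSLProtocol value such as 'all -SSLv3 -TLSv1' left to right
    into the set of versions it leaves enabled."""
    enabled = set()
    for token in spec.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def weak_cipher_entries(spec: str) -> list:
    """Entries of an SSLCipherSuite list that admit a weak group or a concrete
    suite with no ephemeral key exchange. '!X' and '-X' remove suites, so they
    are never findings."""
    weak = []
    for entry in spec.split(":"):
        if not entry or entry[0] in "!-":
            continue
        name = entry.lstrip("+")
        parts = name.split("-")
        if name in WEAK_TOKENS or any(p in WEAK_TOKENS for p in parts):
            weak.append(entry)
        elif "-" in name and parts[0] not in ("ECDHE", "DHE"):
            weak.append(entry)  # concrete suite (has '-') without forward secrecy
    return weak


def audit(config: str) -> list:
    """Findings for the fragment; an empty list means it matches the five
    hardening points of the quoted configuration."""
    d = parse_directives(config)
    findings = []
    legacy = enabled_protocols(d.get("SSLProtocol", "all")) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("SSLProtocol enables legacy versions: " + ", ".join(sorted(legacy)))
    for entry in weak_cipher_entries(d.get("SSLCipherSuite", "")):
        findings.append("SSLCipherSuite admits weak or non-PFS entry: " + entry)
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on: the client's preference wins")
    if d.get("SSLCompression", "off").lower() != "off":
        findings.append("SSLCompression is not off")
    if d.get("SSLSessionTickets", "on").lower() != "off":
        findings.append("SSLSessionTickets is not off")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("modern", MODERN_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

The last two checks are the ones most often left at their defaults. TLS compression lets an attacker who can inject chosen plaintext and observe ciphertext lengths recover secrets such as cookies, which is why it is off. Session tickets are encrypted under a server-side key that, unless rotated, can decrypt recorded sessions long after the ECDHE handshake keys are gone, which is why the generator turns them off rather than relying on rotation.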