Shibboleth opensaml – FatalProfileException – Message was signed, but signature could not be verified

Client asked to update our cert to their ADFS. Couldn't find a good way to troubleshoot this using Google, so I started to examine all the configuration files in /etc/shibboleth.

That led me to federationmetadata.xml.

I found a KeyDescriptor section that looked like a certificate, so I added a new section with the new cert.

<KeyDescriptor use="signing">
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
      <X509Certificate>MII......hidden......</X509Certificate>
    </X509Data>
  </KeyInfo>
</KeyDescriptor>
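
A check to run after editing the file, added here as an example and not part of the original post: it lists the SHA-256 fingerprints of every signing certificate in the metadata so they can be compared with the certificate that actually signs the messages. The sample metadata, entityID and certificate bytes are constructed placeholders (not real certificates), and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def fingerprint(der):
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def signing_cert_fingerprints(metadata_xml):
    """Fingerprints of every certificate the metadata allows for signing."""
    root = ET.fromstring(metadata_xml)  # assumption: local, trusted file
    found = []
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        # A KeyDescriptor with no "use" attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.append(fingerprint(der))
    return found

def metadata_trusts(metadata_xml, expected_fingerprint):
    """True if the expected signing certificate is present in the metadata."""
    wanted = expected_fingerprint.replace(":", "").lower()
    return wanted in signing_cert_fingerprints(metadata_xml)

# Constructed sample: placeholder bytes stand in for real DER certificates.
OLD_DER, NEW_DER, ENC_DER = b"old signing cert", b"new signing cert", b"encryption cert"

def _key_descriptor(use, der):
    return ('<KeyDescriptor use="%s"><KeyInfo xmlns="%s"><X509Data>'
            '<X509Certificate>%s</X509Certificate></X509Data></KeyInfo>'
            '</KeyDescriptor>' % (use, DS, base64.b64encode(der).decode()))

SAMPLE = ('<EntityDescriptor xmlns="%s" entityID="https://adfs.example/trust">'
          '<IDPSSODescriptor>%s%s%s</IDPSSODescriptor></EntityDescriptor>'
          % (MD, _key_descriptor("signing", OLD_DER),
             _key_descriptor("signing", NEW_DER),
             _key_descriptor("encryption", ENC_DER)))

if __name__ == "__main__":
    for fp in signing_cert_fingerprints(SAMPLE):
        print(fp)
    print("new cert present:", metadata_trusts(SAMPLE, fingerprint(NEW_DER)))
```

For a real file, pass the contents of federationmetadata.xml and compare against the value printed by `openssl x509 -noout -fingerprint -sha256 -in <new cert file>`.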
