I am trying to use a Shibboleth v3 IDP to do SAML2 authentication for OSP. I am getting the message below, which leads to eventual more TRACE and WARN level messages.
[OIDP] Time: 2015-09-12T22:57:43.676-0500 Level: INFO Java Execution: Class: com.novell.oidp.saml2.protocol.SAML2Type Method: validate Line Number: -1 Thread: http-bio-443-exec-4 Message: Validation failure on message from https://****.****.edu/idp/shibboleth : An improperly formatted SAML2 message was received. LocalizableLoggableMessage Code: com.novell.oidp.saml2.protocol.SAML2Type.validate() [-1] Thread: http-bio-443-exec-4 Correlation Id: 2e2283c3-19db-495e-957a-2390622c8501 Text: Digital signature is required
I know that the IDP is set up properly, and I know that OSP (IDM 4.5.1 with OSP Hot Fix 2) is likely set up properly. I can use my Shibboleth v2 IDP (which is still around for troubleshooting if SPs are having a problem with v2 vs v3), which uses the same certs/keys, and it verifies fine. Also, the SAML2 message of the v3 IDP verifies when using https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool. The SAML messages look nearly identical between v2 and v3, except the ordering for v2 has the SAML Status block before the Signature block, while v3 has the Status block after the Signature block.
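Before blaming the signature itself, it helps to see structurally what differs between the two IdPs' messages. The script below is an added diagnostic written for this thread; it is not code from the poster, OSP or Shibboleth. It parses a samlp:Response, reports the order of its top-level children against the sequence SAML 2.0 Core prescribes for StatusResponseType (Issuer, ds:Signature, Extensions, Status, then Assertion/EncryptedAssertion), and checks which element each ds:Signature actually covers via its Reference URI, because a "signature is required" complaint can equally mean the consumer wanted the Assertion signed rather than the Response. Both sample responses are constructed inline with placeholder signature values (no real cryptography), and the issuer URL idp.example.edu stands in for the poster's redacted IdP.

```python
"""Diagnostic for SAML2 Response layout and signature coverage (added example, not OSP/Shibboleth code)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}

# Child order mandated by SAML 2.0 Core for samlp:Response: the StatusResponseType
# sequence (Issuer, Signature, Extensions, Status) followed by the assertions.
RESPONSE_ORDER = [
    "{%s}Issuer" % SAML, "{%s}Signature" % DS, "{%s}Extensions" % SAMLP,
    "{%s}Status" % SAMLP, "{%s}Assertion" % SAML, "{%s}EncryptedAssertion" % SAML,
]


def local(tag):
    """Strip the namespace from a Clark-notation tag: '{ns}Status' -> 'Status'."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _signature_covers(sig_elem, element_id):
    """True if any ds:Reference inside this ds:Signature points at #element_id."""
    for ref in sig_elem.iter("{%s}Reference" % DS):
        if ref.get("URI", "") == "#" + element_id:
            return True
    return False


def inspect_response(xml_text):
    """Return layout and signature-coverage facts about a samlp:Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("expected samlp:Response, got %s" % root.tag)
    children = [c.tag for c in root]
    # Rank known children by schema position; the order is valid if ranks never decrease.
    ranks = [RESPONSE_ORDER.index(t) for t in children if t in RESPONSE_ORDER]
    sig_tag = "{%s}Signature" % DS
    response_sigs = [c for c in root if c.tag == sig_tag]
    assertions = root.findall("saml:Assertion", NS)
    return {
        "child_order": [local(t) for t in children],
        "schema_order_ok": ranks == sorted(ranks),
        # A Response-level signature must be a direct child AND reference the Response ID.
        "response_signed": any(_signature_covers(s, root.get("ID", "")) for s in response_sigs),
        "assertions_signed": [
            any(_signature_covers(s, a.get("ID", "")) for s in a.findall("ds:Signature", NS))
            for a in assertions
        ],
    }


# Structural stand-in for an enveloped signature: placeholder value, no real crypto.
SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
       '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>')
ISSUER = "<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"  # placeholder IdP


def build_response(status_before_signature, sign_assertion):
    """Constructed sample message (not captured from any IdP) with the chosen layout."""
    status = ('<samlp:Status><samlp:StatusCode '
              'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>')
    resp_sig = SIG % "_r1"
    assertion_sig = SIG % "_a1" if sign_assertion else ""
    parts = [
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
        'ID="_r1" Version="2.0" IssueInstant="2015-09-12T22:57:43Z">' % (SAMLP, SAML, DS),
        ISSUER,
    ]
    parts += [status, resp_sig] if status_before_signature else [resp_sig, status]
    parts.append('<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-09-12T22:57:43Z">'
                 '%s%s</saml:Assertion>' % (ISSUER, assertion_sig))
    parts.append("</samlp:Response>")
    return "".join(parts)


if __name__ == "__main__":
    # "v2-like": Status before Signature, only the Response signed.
    print("v2-like:", inspect_response(build_response(True, False)))
    # "v3-like": schema order, Response and Assertion both signed.
    print("v3-like:", inspect_response(build_response(False, True)))
```

Run it against the real messages captured from each IdP (for example the base64-decoded SAMLResponse form field) and compare the two dictionaries: a difference in `schema_order_ok` points at the element-ordering change the poster noticed, while a difference in `assertions_signed` indicates the consumer may be demanding an assertion signature that the v3 IdP is not producing by default. The script does not verify signatures; use XmlSecTool for that, as the poster did.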
I got an official response from my SR. "IDM 4.5 RBPM only supports SAML authentication through NAM at this time." and "SAML authentication through other means beyond Access Manager is not considered a defect with IDM 4.5 RBPM, as it was not designed to do so." They did encourage entering an enhancement request.
This is understandable, and I respect their decision. It is just unfortunate.
After following the documentation (and example at the bottom of the page) for Shib v3 IDP at http://tinyurl.com/jplj962, I was able to get it to work. So, for my relying-party.xml in Shib v3, I added a config block like: