Given that it's happening on an attribute query it's much more likely that either the cert in the IdP metadata is simply wrong or it changed recently and your SP hasn't pulled in the latest copy of the metadata. IDPSSODescriptor and AttributeAuthorityDescriptor have the same keys.

Just to make sure: the message "SSL certificate problem, verify that the CA cert is OK" does not mean what it says, because there is no verification of the TLS server certificate. Details: IDPSSODescriptor and AttributeAuthorityDescriptor have the same keys. It's only the AttributeAuthorityDescriptor that comes into play.

The most critical message is the one that's not from OpenSSL and is explicit about the cause being the trust engine failing.

XMLTooling.libcurl [2]: Connected to testshib.(1.131) port 443
XMLTooling.libcurl [2]: SSLv3, TLS handshake, Client hello (1):
XMLTooling.libcurl [2]: SSLv3, TLS handshake, Server hello (2):
XMLTooling.libcurl [2]: SSLv3, TLS handshake, CERT (11):
XMLTooling.Inline [2]: resolving ds:X509Certificate
XMLTooling.

The log says that it is using the default-WP configuration, because of: "Metadata document contained an EntityDescriptor with the ID https://testsp1.portalverbund.at/shibboleth, but it was no longer valid". I am logging the IdP on DEBUG level.

- Rainer

cert that has no root cert known to the IdP? -- Scott

I don't think the latter two would result in that message, but somebody like Brent or Chad would know better.

I think it usually means the server end is not asking for client TLS and/or isn't getting it across to the Java application side.

In this paragraph the official tutorial explains how to generate the Discovery Doc with the Endpoints Tool.

I had several problems with this phase, because the instructions are for a Maven project and Eclipse.

I did this update by myself (and a lot of Googling). If you don't know how to implement it, please refer to my tutorial "Deploying a Google Endpoint with Google Cloud Platform". I'll lead you through the official tutorial, describing where I found a problem and what my solution was.

You can download the iOS project from my GitHub.

My interpretation of this message is that the IdP's TLS certificate's root cert cannot be validated:

Shibboleth.Query [2]: exception during SAML query to https://testshib.portalverbund.at/idp/profile/SAML2/SOAP/AttributeQuery: CURLSOAPTransport failed while contacting SOAP endpoint (https://testshib.portalverbund.at/idp/profile/SAML2/SOAP/AttributeQuery): SSL certificate problem, verify that the CA cert is OK. Details: s: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
XMLTooling.libcurl [2]: Closing connection #0
Shibboleth.Query [2]: exception during SAML query to https://testshib.portalverbund.at/idp/profile/SAML2/SOAP/AttributeQuery: CURLSOAPTransport failed while contacting SOAP endpoint (https://testshib.portalverbund.at/idp/profile/SAML2/SOAP/AttributeQuery): SSL certificate problem, verify that the CA cert is OK.
Shibboleth.Query [2]: unable to obtain a SAML response from attribute authority

It is still hard for me to understand that this is coming from OpenSSL, which we don't control. If not: there is always the option to interpret the OpenSSL message and warn the admin.

Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Is this assumption correct?

CURL [2]: supplied TrustEngine failed to validate SSL/TLS server certificate
XMLTooling.libcurl [2]: SSLv3, TLS alert, Server hello (2):
XMLTooling.libcurl [2]: SSL certificate problem, verify that the CA cert is OK. Details: s: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Shibboleth.

Skill requirements (Wiki: NativeSPSkills) ask just for basic PKI knowledge.

I replaced the AA certificate in the metadata with the IdP's TLS cert, and the SOAP request can be posted now.
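The diagnosis in this thread (the SP's trust engine compares the TLS certificate presented by the SOAP endpoint against the keys published in the IdP metadata's AttributeAuthorityDescriptor, not against a CA store, so a wrong or stale metadata key produces a misleading OpenSSL message) can be checked directly. The script below is an added example, not code from the Shibboleth project or from anyone on the list. The metadata it parses is constructed for the example: its base64 blobs are placeholder bytes standing in for DER certificates and the entityID is an assumption; only the SOAP AttributeQuery location comes from the thread.

```python
"""Added example: does the certificate an attribute authority presents over TLS
match a KeyDescriptor in the IdP metadata's AttributeAuthorityDescriptor?

Not Shibboleth code. The metadata, the entityID and the DER blobs below are
constructed placeholders; only the SOAP location is taken from the thread."""
import base64
import hashlib
import ssl
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
AA_DER = b"constructed-attribute-authority-cert"
SSO_DER = b"constructed-idp-sso-cert"
UNRELATED_DER = b"constructed-cert-not-in-metadata"


def b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


# Constructed IdP metadata (entityID assumed); roles carry different keys on
# purpose so the check can tell the two descriptors apart.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://testshib.portalverbund.at/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {b64(SSO_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {b64(AA_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://testshib.portalverbund.at/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def metadata_fingerprints(xml_text: str, role: str) -> set[str]:
    """Fingerprints of every ds:X509Certificate under the given role element
    (e.g. 'AttributeAuthorityDescriptor' or 'IDPSSODescriptor')."""
    root = ET.fromstring(xml_text)
    fps = set()
    for role_el in root.iter(f"{{{MD}}}{role}"):
        for cert in role_el.iter(f"{{{DS}}}X509Certificate"):
            # KeyInfo certificates are base64 DER, often wrapped; strip whitespace.
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.add(fingerprint(der))
    return fps


def check_presented_cert(xml_text: str, presented_der: bytes) -> str:
    """Classify the server certificate the attribute query actually received:
    'ok'              matches a key in the AttributeAuthorityDescriptor
    'only-in-idpsso'  published only under IDPSSODescriptor; the attribute
                      query consults the AA role alone, so this still fails
    'not-in-metadata' the SP's metadata copy is stale or simply wrong"""
    fp = fingerprint(presented_der)
    if fp in metadata_fingerprints(xml_text, "AttributeAuthorityDescriptor"):
        return "ok"
    if fp in metadata_fingerprints(xml_text, "IDPSSODescriptor"):
        return "only-in-idpsso"
    return "not-in-metadata"


def fetch_presented_der(host: str, port: int = 443) -> bytes:
    """Fetch the live server certificate without CA validation: we want
    whatever the endpoint presents, trusted by a CA or not."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def demo() -> dict[str, str]:
    """Run the check against the constructed metadata with three candidates."""
    return {
        "aa": check_presented_cert(SAMPLE_METADATA, AA_DER),
        "sso": check_presented_cert(SAMPLE_METADATA, SSO_DER),
        "other": check_presented_cert(SAMPLE_METADATA, UNRELATED_DER),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python check_aa_cert.py idp-metadata.xml idp.example.org
        with open(sys.argv[1], encoding="utf-8") as f:
            verdict = check_presented_cert(f.read(), fetch_presented_der(sys.argv[2]))
        print(f"{sys.argv[2]}: {verdict}")
    else:
        for name, verdict in demo().items():
            print(f"{name}: {verdict}")
```

Run with no arguments to see the three verdicts on the constructed data; with a metadata file and the IdP host it compares the live TLS certificate (fetched without CA checks on purpose) against the metadata the SP is actually configured with, which is the comparison the SP's trust engine performs and the OpenSSL wording hides.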

also contains an exception:

INFO [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:99] - SAML protocol message was not signed, skipping XML signature processing
INFO [org.