I've gotten a Shibboleth Server Provider (SP) up and running, and I'm using the TestShib Identity Provider (IdP) for testing.
The configuration appears to be all correct, and when I requested my secured directory I was sent to the IdP where I logged in and then was sent back to https://example.org/Shibboleth.sso/SAML2/POST where I am getting a generic error message.
Checking the logs, I am told:
found encrypted assertions, but no CredentialResolver was available
I have rechecked the configuration, and there I have:
<CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem" certificate="/etc/shibboleth/sp-cert.pem"/>
Both of these files are present at those locations.
I've restarted apache and retried, but still get the same error.
I don't know if it makes a difference, but only a subdirectory of the site has been secured; the document root is publicly available.
After searching for more information in the Shibboleth mailing list archives and on and on, I finally fixed it by completely regenerating the SSL certificate and updating the IdP on the TestShib site.
I must have corrupted the old certificate somehow.
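Since the fix above was to regenerate the credential, the check a practitioner wants before doing that is whether the key and certificate named in the CredentialResolver element are readable and actually belong to each other. The following shell function is an added example, not code from the question or from the Shibboleth project; it assumes only that the openssl command-line tool is installed, and the file paths are the ones from the configuration above.

```shell
#!/bin/sh
# Added example: verify that the private key and certificate configured in
#   <CredentialResolver type="File" key="..." certificate="..."/>
# are readable and form a matching pair. A corrupted or mismatched file is
# one reason the SP cannot build a credential to decrypt assertions.
#
# Returns 0 when the certificate's public key matches the private key,
#         1 when a file is missing, unreadable or not parseable,
#         2 when both parse but do not belong together.
check_sp_credential() {
    key="$1"
    cert="$2"
    # Both files must be readable by the user running the check (run this
    # as the shibd user to also catch permission problems).
    [ -r "$key" ] && [ -r "$cert" ] || return 1
    # Derive the public key from each side; openssl fails on corrupt input.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    # Identical PEM public keys mean the certificate was issued for this key.
    [ "$key_pub" = "$cert_pub" ] && return 0
    return 2
}

# Stand-alone usage against the paths from the configuration in the question.
if [ "${0##*/}" != "sh" ] && [ -n "$RUN_SP_CHECK" ]; then
    check_sp_credential /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem
    case $? in
        0) echo "key and certificate match" ;;
        1) echo "key or certificate missing, unreadable or corrupt" ;;
        2) echo "key and certificate do not belong together" ;;
    esac
fi
```

The credential is loaded by the SP daemon (shibd), not by Apache, so after replacing or regenerating the files restart shibd as well as the web server.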