Forbidden error: asn1: structure error: tags don't match about saml HOT 4 CLOSED

This was because of the x509.ParsePKCS1PrivateKey call in line https://github.com/crewjam/saml/blob/master/service_provider.go#L435
My service provider's key needed to be converted to rsa privateKey. I'm not sure what the difference between the earlier and newer key was, because even the older one was generated using openssl rsa command

from saml.

This is almost certainly a regression due to ditching xmlsec. Next steps here, for me or you or anyone who wants to help, is to try and generate some failing test cases with from shibboleth.

from saml.

@crewjam I don't have much (actually any) knowledge about RSA keys generation.
But you're right about switching from xmlsec causing this
I first generated a key certificate pair for my service provider using this command
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
I used the privateKey.key for shibboleth IdP, and that threw the Forbidden error.
Then I generated a new key from my original one using this command:
openssl rsa -in privateKey.key -out server_new.key
The new key server_new.key worked, I no longer get that asn1 error. Although I'm still unable to configure access control. But that seems to be some certificate issue.

Anyway I just thought I'd share what I did as a test case possibly...or we can document this that the private key should begin with
-----BEGIN RSA PRIVATE KEY-----
and not
-----BEGIN PRIVATE KEY-----

If you or anyone can help me in getting to know why this worked that'll be great.

I'm going to do my research later, but I need to figure out and get my current connection working first

from saml.

The change in [08dd8e9] makes us more type safe w/r/t to keys and stuff. Although your code may need to change, it might make the trouble you are having more obvious. HTH.

from saml.