certificate name was not acceptable


certificate name was not acceptable

Scott Alexander
Hi,

I have a working setup: an IDP and numerous SPs. It works fine.

I cloned the IDP and created a new SP. I want the new IDP to have a
different backend to auth users.

I edited the IDP. I'm able to log in successfully, but the SP has the
following in its logs.

In the browser I see: Message was signed, but signature could not be
verified.


cat /var/log/shibboleth/shibd_warn.log
2020-12-28 15:31:38 WARN Shibboleth.Config : DEPRECATED: legacy 2.0 configuration, support will be removed from a future version of the software
2020-12-28 15:31:39 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
2020-12-28 15:31:39 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
2020-12-28 15:31:39 WARN OpenSAML.MetadataProvider.XML : DEPRECATED: file attribute should be replaced with path to specify local resource
2020-12-28 15:32:20 ERROR XMLTooling.TrustEngine.PKIX [4] [default]: certificate name was not acceptable
2020-12-28 15:32:20 WARN OpenSAML.SecurityPolicyRule.XMLSigning [4] [default]: unable to verify message signature with supplied trust engine
2020-12-28 15:32:20 WARN Shibboleth.SSO.SAML2 [4] [default]: detected a problem with assertion: Message was signed, but signature could not be verified.
2020-12-28 15:32:20 WARN Shibboleth.SSO.SAML2 [4] [default]: error processing incoming assertion: Message was signed, but signature could not be verified.

I've checked metadata, certs, everything. Something must still be wrong.

Has anyone had a similar problem, and/or ideas on how to find what could be
wrong?

Terveisin/Regards

Scott Alexander
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: certificate name was not acceptable

Cantor, Scott E.
The SP has metadata for the IdP with the wrong certificate in it or your IdP isn't using the one that's in that metadata. When two sides don't agree there's no way to know which is wrong, only that one is.

-- Scott



Re: certificate name was not acceptable

Scott Alexander
On 29.12.2020 15:48, Cantor, Scott wrote:
> The SP has metadata for the IdP with the wrong certificate in it or
> your IdP isn't using the one that's in that metadata. When two sides
> don't agree there's no way to know which is wrong, only that one is.
>
> -- Scott

Hi,

Yes, it was the shibboleth-idp/credentials/shibTrSamlKey.pem and
shibTrSamlCert.pem files: they still had the key and crt file from the
cloned IDP server.
After I changed them it started to work fine.

Scott A
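The two replies above pin the failure on a disagreement between what the SP trusts (the IdP certificate in the SP's copy of the IdP metadata) and what the IdP actually signs with (the certificate in its credentials directory, still the cloned server's in this case). The following script is an added example, not code from the thread or from the Shibboleth project: it extracts every signing certificate from an IdP metadata document, fingerprints it, and compares it with the PEM file the IdP signs with, so the mismatch shows up before you read the SP's trust-engine warnings. It uses only the Python standard library; the entityID, file contents and certificate bodies are constructed placeholders (the comparison only needs the DER bytes, so they are not real certificates).

```python
"""Compare the IdP signing certificate(s) an SP trusts, taken from the SP's
copy of the IdP metadata, with the certificate the IdP actually signs with.
Added example; sample data below is constructed, not real certificates."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def der_fingerprint_from_base64(text: str) -> str:
    """SHA-256 over the DER bytes of a base64 certificate body. PEM armour
    lines and all whitespace are ignored, so a ds:X509Certificate value from
    metadata and a .pem credential file hash identically."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = re.sub(r"\s+", "", body)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def trusted_signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate the SP would accept for signature
    verification: KeyDescriptors with use="signing" or with no use attribute
    (SAML 2.0 metadata treats a missing use as valid for both purposes)."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys never verify signatures
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.add(der_fingerprint_from_base64(cert.text or ""))
    return found


def diagnose(metadata_xml: str, idp_signing_pem: str) -> tuple:
    """Return (ok, message); ok is False when the certificate the IdP signs
    with is not among those the SP's metadata trusts for signing."""
    actual = der_fingerprint_from_base64(idp_signing_pem)
    trusted = trusted_signing_fingerprints(metadata_xml)
    if actual in trusted:
        return True, "IdP signing certificate matches SP metadata (sha256 %s)" % actual
    return False, ("MISMATCH: IdP signs with sha256 %s but SP metadata trusts %s; "
                   "republish the IdP metadata or fix the IdP credentials"
                   % (actual, sorted(trusted) or "no signing certificate"))


# --- constructed sample data (placeholder bodies, not real certificates) ---
CERT_CLONED = base64.b64encode(b"constructed DER of the cloned server's cert").decode()
CERT_NEW = base64.b64encode(b"constructed DER of the new IdP's own cert").decode()
CERT_ENC = base64.b64encode(b"constructed DER of an encryption-only cert").decode()


def pem(b64_body: str) -> str:
    """Wrap a base64 body in PEM armour at 64 columns, like a real .pem file."""
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# What the SP holds for the new IdP (hypothetical entityID): the new cert for
# signing plus a separate encryption-only cert that must be ignored.
SP_COPY_OF_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp-new.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_NEW}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_ENC}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    # The state from the thread: the credentials directory still holds the
    # cloned server's certificate, so the SP cannot verify the signature.
    print(diagnose(SP_COPY_OF_IDP_METADATA, pem(CERT_CLONED))[1])
    # After the credentials are replaced with the new IdP's own key pair.
    print(diagnose(SP_COPY_OF_IDP_METADATA, pem(CERT_NEW))[1])
```

In a real deployment you would read the metadata from the SP's MetadataProvider source and the PEM from the IdP's credentials directory (the thread's files were shibboleth-idp/credentials/shibTrSamlCert.pem and shibTrSamlKey.pem); a mismatch tells you only that the two sides disagree, exactly as the reply says, so check both the published metadata and the credentials before deciding which one to change.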