Credential failed name check.
Cantor, Scott
cantor.2 at osu.edu
Wed Aug 19 10:47:44 EDT 2015
On 8/19/15, 10:34 AM, "users on behalf of Johan Åkerstrøm" <users-bounces at shibboleth.net on behalf of Johan.Akerstrom at skill.no> wrote:
>I'm getting this error.
>
>2015-08-19 16:12:47,308 - WARN [org.apache.xml.security.signature.XMLSignature:760] - Signature verification failed.
>2015-08-19 16:12:47,312 - ERROR [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:300] - Credential failed name check: [subjectName='OU=oiosaml-sp,CN=https://saml.site.domain.com']
>
>EntityID of the RP is: https://saml.site.domain.com, but the signing cert has the following subject: 'OU=oiosaml-sp,CN=https://saml.site.domain.com'. Is this mismatch what is causing the error?
I doubt it. There's very little context here, and there has to be far more in the log than just that. Name checking on a signature use case can only be relevant if it's already failed the explicit key check, so normally I would assume that the metadata here is wrong, and that's the more fundamental issue.
Assuming that was intentional, the PKIX engine would then do the name check, and I don't know exactly what it checks against, Brent would know. I thought we did automatic extraction of the CN of the subject, and the entityID ought to be an implicitly trusted key name, so it seems like that should pass. But it shouldn't ever get that far anyway, and even if the name check worked, there would have to be a KeyAuthority extension in the metadata for path validation to pass.
-- Scott
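To make the evaluation order Scott describes concrete, here is an added Python sketch (not OpenSAML's code) of that decision: an explicit key match against the metadata certificates comes first, and only if that fails does the PKIX name check compare the signing certificate's subject DN and CN against the trusted names, after which path validation would still be required. It assumes the trusted names are the entityID plus any KeyName values from metadata (an assumption; Scott notes the exact set is Brent's area), and it uses the subject DN and entityID from the quoted log.

```python
import hashlib
import re

# Values taken from the quoted log and question above.
PAGE_SUBJECT_DN = "OU=oiosaml-sp,CN=https://saml.site.domain.com"
PAGE_ENTITY_ID = "https://saml.site.domain.com"


def parse_dn(dn):
    """Split an RFC 2253 style DN into (ATTR, value) pairs.
    Commas escaped as '\\,' stay inside the value; attribute types are upper-cased."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.replace("\\,", ",")))
    return rdns


def subject_cn(dn):
    """Return the first CN value of the DN, or None if it has none."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def name_check(subject_dn, trusted_names):
    """Assumed evaluator behaviour: the full subject DN or its CN must equal a trusted name."""
    candidates = {subject_dn}
    cn = subject_cn(subject_dn)
    if cn is not None:
        candidates.add(cn)
    return bool(candidates & set(trusted_names))


def evaluate_trust(signing_cert_der, metadata_cert_ders, subject_dn, entity_id, key_names=()):
    """Return (trusted, reason) in the order explicit key -> name check -> path validation."""
    fingerprint = hashlib.sha256(signing_cert_der).hexdigest()
    if fingerprint in {hashlib.sha256(c).hexdigest() for c in metadata_cert_ders}:
        return True, "explicit key match"          # the normal, expected outcome
    trusted = {entity_id, *key_names}              # assumption: entityID plus metadata KeyName values
    if not name_check(subject_dn, trusted):
        return False, "Credential failed name check"
    return False, "name check passed; PKIX path validation still required (KeyAuthority in metadata)"


if __name__ == "__main__":
    # Constructed DER stand-ins: the SP signed with a cert that is not the one in its metadata.
    print(evaluate_trust(b"cert-actually-used", [b"cert-in-metadata"], PAGE_SUBJECT_DN, PAGE_ENTITY_ID))
```

With the page's DN the name check passes because the CN equals the entityID, so the mismatch asked about is not what produced the failure; the explicit key check failing earlier is the thing to look at.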