Credential failed name check.

Cantor, Scott cantor.2 at
Wed Aug 19 10:47:44 EDT 2015

On 8/19/15, 10:34 AM, "users on behalf of Johan Åkerstrøm" <users-bounces at on behalf of Johan.Akerstrom at> wrote:

>I'm getting this error.
>2015-08-19 16:12:47,308 - WARN [] - Signature verification failed.
>2015-08-19 16:12:47,312 - ERROR [] - Credential failed name check: [subjectName='OU=oiosaml-sp,CN=ht
>EntityID of the RP is: but the signing cert has the following subject: 'OU=oiosaml-sp,CN=' is this mismatch what is causing the error?

I doubt it. There's very little context here, and there has to be far more in the log than just that. Name checking on a signature use case can only be relevant if it's already failed the explicit key check, so normally I would assume that the metadata here is wrong, and that's the more fundamental issue.

Assuming that was intentional, the PKIX engine would then do the name check, and I don't know exactly what it checks against, Brent would know. I thought we did automatic extraction of the CN of the subject, and the entityID ought to be an implicitly trusted key name, so it seems like that should pass. But it shouldn't ever get that far anyway, and even if the name check worked, there would have to be a KeyAuthority extension in the metadata for path validation to pass.

-- Scott

More information about the users mailing list