Credential failed name check.

Cantor, Scott cantor.2 at osu.edu
Thu Aug 20 09:50:20 EDT 2015


On 8/20/15, 8:32 AM, "users on behalf of Johan Åkerstrøm" <users-bounces at shibboleth.net on behalf of Johan.Akerstrom at skill.no> wrote:

>Guys, sorry for the confusion here, I messed up a bit.

That explains that part, but the point remains, your metadata's wrong. If you put the right key into the metadata for the SP, it will work regardless, so just do that and you're done.

Otherwise you're using the PKIX code, and you don't want to do that.

>I.e. the EntityID does NOT have the "saml." part of the URL. So the SP's signing cert's subject name does NOT match the EntityID. Is this the cause?

No, the wrong key in the metadata is the cause. The effect of that is to fall into PKIX logic. If you want that deliberately, that's a bad idea, but making that work with that particular certificate would require adding the CN of that certificate into the metadata as a ds:KeyName and adding a KeyAuthority extension (something Shibboleth invented) to express the CA/root.

> Is it possible to fix with configuration without swapping out the SP's signing certificate?

Yes, put it in the metadata.

-- Scott
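The check Scott is describing, "is the key in the SP's metadata the key the SP actually signs with?", can be automated. The script below is an added example, not code from the thread or from the Shibboleth project: it parses a constructed SP metadata document (the md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate structure is the real SAML 2.0 metadata layout), strips the PEM armour from the SP's signing certificate, and compares SHA-256 fingerprints of the DER bytes. The certificate bodies are constructed placeholders, not real X.509 certificates; in practice you would read the metadata file an IdP has loaded and the PEM file named in the SP's credential resolver.

```python
"""Verify that an SP's signing certificate is the one published in its SAML metadata.

Added example; the metadata and certificate bodies are constructed placeholders.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificates" (arbitrary bytes, not real DER).
PLACEHOLDER_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT"
OTHER_DER = b"CONSTRUCTED-PLACEHOLDER-DIFFERENT-KEY"


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, as sp-signing-cert.pem would be on disk."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed SP metadata: the signing key is published under md:KeyDescriptor.
# The entityID is an assumed example value.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            {base64.b64encode(PLACEHOLDER_DER).decode()}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END lines and decode the base64 body to DER bytes."""
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def metadata_signing_certs(metadata_xml: str) -> list:
    """Return DER bytes of every certificate an IdP would accept for signature checks.

    A KeyDescriptor with no 'use' attribute is valid for both signing and encryption,
    so it is included; use="encryption" only is skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # Metadata certificates are usually line-wrapped; strip all whitespace.
            certs.append(base64.b64decode(re.sub(r"\s+", "", cert.text or "")))
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, the same value openssl x509 -fingerprint prints."""
    return hashlib.sha256(der).hexdigest()


def sp_key_matches_metadata(sp_cert_pem: str, metadata_xml: str) -> bool:
    """True when the SP's signing certificate appears in its published metadata.

    If this is False, the IdP has no matching key to trust and falls through to
    PKIX evaluation, which is the situation in the thread above.
    """
    wanted = fingerprint(pem_to_der(sp_cert_pem))
    return any(fingerprint(der) == wanted for der in metadata_signing_certs(metadata_xml))


if __name__ == "__main__":
    print("correct key in metadata:", sp_key_matches_metadata(make_pem(PLACEHOLDER_DER), SAMPLE_METADATA))
    print("stale key in metadata:  ", sp_key_matches_metadata(make_pem(OTHER_DER), SAMPLE_METADATA))
```

Run it against real files by replacing the two constructed inputs with the contents of the SP's signing certificate PEM and the metadata the IdP actually loaded; a False result means the fix is exactly what the reply says: publish the current certificate in the metadata rather than trying to make the subject name line up.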
