Credential failed name check.

Cantor, Scott cantor.2 at
Thu Aug 20 09:50:20 EDT 2015

On 8/20/15, 8:32 AM, "users on behalf of Johan Åkerstrøm" <users-bounces at on behalf of Johan.Akerstrom at> wrote:

> Guys, sorry for the confusion here, I messed up a bit.

That explains that part, but the point remains, your metadata's wrong. If you put the right key into the metadata for the SP, it will work regardless, so just do that and you're done.

Otherwise you're using the PKIX code, and you don't want to do that.

> I.e. the EntityID does NOT have the "saml." part of the URL. So the SP's signing cert's subject name does NOT match the EntityID. Is this the cause?

No, the wrong key in the metadata is the cause. The effect of that is to fall into PKIX logic. If you want that deliberately, that's a bad idea, but making that work with that particular certificate would require adding the CN of that certificate into the metadata as a ds:KeyName and adding a KeyAuthority extension (something Shibboleth invented) to express the CA/root.

> Is it possible to fix with configuration without swapping out the SP's signing certificate?

Yes, put it in the metadata.

-- Scott
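The diagnosis above is that the certificate carried in the SP's metadata is not the one the SP actually signs with, so the IdP never gets an explicit key match and drops into PKIX logic. A quick way to confirm that before touching trust settings is to compare fingerprints: extract every signing certificate from the SP's metadata and check whether the SP's configured certificate is among them. The following script is an added example, not code from this thread or from the Shibboleth project. It uses only the Python standard library; the metadata document, the entityID and both certificate blobs are constructed placeholders (arbitrary bytes standing in for DER, which is enough to exercise the comparison), and `signing_cert_matches_metadata` is a hypothetical helper name.

```python
"""Check whether an SP's signing certificate is present in its SAML metadata.

Added example, not from the mailing-list thread. All inputs below are
constructed: the two "certificates" are arbitrary byte strings used in place
of real DER-encoded X.509 data, and the metadata is a minimal fabricated
EntityDescriptor. In practice you would feed the SP's real certificate PEM
and the metadata copy the IdP holds for that SP.
"""
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_IN_METADATA_DER = b"\x30\x82\x01\x00" + b"A" * 60   # what the metadata advertises
CERT_SP_USES_DER = b"\x30\x82\x01\x00" + b"B" * 60       # what the SP actually signs with


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, 64 characters per line."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace, then base64-decode to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode(re.sub(r"\s+", "", body))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, hex encoded."""
    return hashlib.sha256(der).hexdigest()


# Constructed SP metadata carrying the *wrong* certificate, as in the thread.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{textwrap.indent(to_pem(CERT_IN_METADATA_DER).splitlines()[1], "        ")}
{textwrap.indent(to_pem(CERT_IN_METADATA_DER).splitlines()[2], "        ")}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def metadata_signing_fingerprints(metadata_xml: str) -> List[str]:
    """Fingerprints of every certificate the metadata offers for signature
    verification: KeyDescriptors with use="signing" or with no use attribute.
    Encryption-only keys are skipped; they never verify signatures."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode(re.sub(r"\s+", "", cert.text or ""))
            fps.append(fingerprint(der))
    return fps


def signing_cert_matches_metadata(sp_cert_pem: str, metadata_xml: str) -> bool:
    """True when the SP's signing certificate is one of the metadata's signing
    keys. False means an explicit-key trust engine cannot match it, which is
    the situation that pushes the IdP into PKIX/KeyName evaluation."""
    return fingerprint(pem_to_der(sp_cert_pem)) in metadata_signing_fingerprints(metadata_xml)


if __name__ == "__main__":
    for label, der in (("metadata cert", CERT_IN_METADATA_DER), ("SP's actual cert", CERT_SP_USES_DER)):
        ok = signing_cert_matches_metadata(to_pem(der), SP_METADATA)
        print(f"{label}: {'matches metadata' if ok else 'NOT in metadata -> fix the metadata'}")
```

Run it against the real SP certificate and the metadata the IdP has loaded; a `False` result means the fix is the one given in the reply above: replace the KeyDescriptor certificate so it matches the SP's key, rather than trying to make the PKIX path accept the current one.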
