Credential failed name check.

Ian Young ian at
Thu Aug 20 10:25:52 EDT 2015

> On 20 Aug 2015, at 15:11, Johan Åkerstrøm <Johan.Akerstrom at> wrote:
> I get your point. But this is the metadata generated from the SP. It is the SP generating the wrong Subject Name. So. Guess I have to go down the PKIX route meanwhile.

Not necessarily. If the generated metadata is incorrect, you can simply correct it.

> I understand it is a bad idea, but I don't have control over the cert which the SP is signing with. The SP is signing with a cert with the inhjected "saml." part. There is a feature of uploading a JKS or PKCS12 into the SP. While talking to the vendors support team they themselves have never used it and it doesn't work.

If you replace the wrong cert in the metadata the SP is generating with the cert it is actually signing with, then PKIX evaluation will never occur at the IdP.

You're trying to correct the symptom (failed PKIX evaluation based on the wrong ID) where you should be correcting the cause (the cert in metadata is the wrong cert).

    -- Ian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5250 bytes
Desc: not available
URL: <>

More information about the users mailing list