Credential failed name check.
Johan.Akerstrom at skill.no
Thu Aug 20 10:41:14 EDT 2015
Sent from my iPhone
> On 20 Aug 2015, at 16:26, Ian Young <ian at iay.org.uk> wrote:
>> On 20 Aug 2015, at 15:11, Johan Åkerstrøm <Johan.Akerstrom at skill.no> wrote:
>> I get your point. But this is the metadata generated from the SP. It is the SP generating the wrong Subject Name. So. Guess I have to go down the PKIX route meanwhile.
> Not necessarily. If the generated metadata is incorrect, you can simply correct it.
OK, but what is wrong here is the certificate. There is only one cert in the mix. The one cert which is in the metadata. That is the one which is wrong. There is no other certificate to swap to. The SP is generating an erroneous cert and that's what ends up in the metadata.
>> I understand it is a bad idea, but I don't have control over the cert which the SP is signing with. The SP is signing with a cert with the inhjected "saml." part. There is a feature of uploading a JKS or PKCS12 into the SP. While talking to the vendors support team they themselves have never used it and it doesn't work.
> If you replace the wrong cert in the metadata the SP is generating with the cert it is actually signing with, then PKIX evaluation will never occur at the IdP.
> You're trying to correct the symptom (failed PKIX evaluation based on the wrong ID) where you should be correcting the cause (the cert in metadata is the wrong cert).
See above there is no alternative cert to swap to. It is actually signing with the cert with the wrong Subject name.
> -- Ian
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users