unable to validate signature, no credentials available from peer

Harold Daniel hdaniel at academicworks.com
Wed Mar 29 10:32:31 EDT 2017


Hello,

I’m setting up an SP test site with a customer’s IdP and we’re getting the "Message was signed, but signature could not be verified." error. I’m hoping someone can help me understand where the mismatch may be.

According to the troubleshooting doc for this error, I should check the following three things:

> 1. The certificate in the metadata is different from the one configured in relying-party.xml, and hence, the one in the message. You should change them so they match.


I have verified the certificate in the metadata is the same as what we received in the <ds:X509Certificate> value of the assertion.  Is there something else I should check for being out of alignment here?

> 2. If PKIX (CN matching with a signed root) is being used, the CN of the certificate used to sign the message is not the same as the CN expected by the KeyName of that provider's metadata.


According to the log:

2017-03-27 19:30:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: adding to list of trusted names (https://shib3.abcd.edu/idp/shibboleth)
2017-03-27 19:30:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: certificate subject: CN=shib3.abcd.edu,OU=shib3.abcd.edu,O=shib3.abcd.edu,L=El Paso,ST=Texas,C=US
2017-03-27 19:30:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: unable to match DN, trying TLS subjectAltName match

The CN value is "CN=shib3.abcd.edu". Shouldn’t that match "https://shib3.abcd.edu/idp/shibboleth", or am I misunderstanding?


> 3. The IdP is using the wrong entityID and mistakenly trying to spoof another IdP.


The metadata entityID matches what we have configured on the SP side and what we received in the <saml2:Issuer> assertion value.


Any guidance that would help point me in the right direction is appreciated.  This is what we are getting in our log:

2017-03-27 19:30:06 DEBUG XMLTooling.CredentialCriteria [1]: keys didn't match
2017-03-27 19:30:06 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: unable to validate signature, no credentials available from peer
2017-03-27 19:30:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: validating signature using certificate from within the signature
2017-03-27 19:30:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: signature verified with key inside signature, attempting certificate validation...
2017-03-27 19:30:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: checking that the certificate name is acceptable
2017-03-27 19:30:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: adding to list of trusted names (https://shib3.abcd.edu/idp/shibboleth)
2017-03-27 19:30:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: certificate subject: CN=shib3.abcd.edu,OU=shib3.abcd.edu,O=shib3.abcd.edu,L=El Paso,ST=Texas,C=US
2017-03-27 19:30:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: unable to match DN, trying TLS subjectAltName match
2017-03-27 19:30:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: unable to match subjectAltName, trying TLS CN match
2017-03-27 19:30:06 ERROR XMLTooling.TrustEngine.PKIX [1]: certificate name was not acceptable
2017-03-27 19:30:06 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine
2017-03-27 19:30:06 WARN Shibboleth.SSO.SAML2 [1]: detected a problem with assertion: Message was signed, but signature could not be verified.


Thanks,

-Harold
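Checks 1 and 3 from the message above, carried out in code as an added example (not part of the original post and not Shibboleth's own code): it fingerprints the certificates in metadata and in the message by SHA-256 of the decoded DER, a stricter test than the ExplicitKey engine's public-key comparison behind "keys didn't match" (same certificate implies same key), and picks the metadata entity by the message's Issuer. The metadata, the response and the two certificate values are constructed placeholders; the entityID and certificates are not real.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholders standing in for the base64 DER of two real certificates.
CERT_A = base64.b64encode(b"constructed placeholder DER bytes for certificate A").decode()
CERT_B = base64.b64encode(b"constructed placeholder DER bytes for certificate B").decode()

# Constructed IdP metadata: one signing KeyDescriptor carrying CERT_A.
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{CERT_A}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed response whose Signature carries CERT_B, line-wrapped as real messages are.
RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {CERT_B[:24]}
    {CERT_B[24:]}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""

def fingerprint(b64cert):
    # SHA-256 over the decoded DER bytes, so line breaks and indentation in the base64 do not matter.
    return hashlib.sha256(base64.b64decode("".join(b64cert.split()))).hexdigest()

def metadata_signing_fingerprints(metadata_xml, entity_id):
    # Certificates the ExplicitKey engine would trust for this entityID: use="signing" or no use.
    found = set()
    for ed in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            for kd in ed.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
                if kd.get("use") in (None, "signing"):  # encryption-only keys cannot verify
                    found.update(fingerprint(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS))
    return found

def message_cert_fingerprints(response_xml):
    return {fingerprint(c.text) for c in ET.fromstring(response_xml).iter(f"{{{NS['ds']}}}X509Certificate")}

def issuer(response_xml):
    return ET.fromstring(response_xml).findtext("saml:Issuer", namespaces=NS).strip()

def explicit_key_check(metadata_xml, response_xml):
    # True only when a signing certificate registered for the Issuer equals one carried in the message.
    return bool(metadata_signing_fingerprints(metadata_xml, issuer(response_xml))
                & message_cert_fingerprints(response_xml))
```

With the constructed inputs the check returns False, which is the situation the "keys didn't match" line reports; swapping CERT_A into the response makes it True.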


