Credential failed name check

Marco Pirovano marco.pirovano at unibocconi.it
Tue Nov 20 09:13:45 EST 2018


Hello,

I'm adding a new SP to our IdP v3.3.3.

When I try to access the resource I'm getting this error:

   The request cannot be fulfilled because the message received does not meet the security requirements of the login service.

I have enabled the DEBUG log and found these errors:

 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:253] - Checking trusted names against credential: [subjectName='CN=Gartner SHA2,OU=STG,O=Gartner,L=Stamford,ST=CT,C=US']
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:255] - Trusted names being evaluated are: [http://www.gartner.com]
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:386] - Processing subject alt names
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:392] - Extracted subject alt names from certificate: []
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:317] - Processing subject DN common name
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:326] - Extracted common name from certificate: Gartner SHA2
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:347] - Processing subject DN
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:351] - Extracted X500Principal from certificate: CN=Gartner SHA2,OU=STG,O=Gartner,L=Stamford,ST=CT,C=US
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:368] - Trusted name was not a DN or could not be parsed: http://www.gartner.com
 ERROR [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:301] - Credential failed name check: [subjectName='CN=Gartner SHA2,OU=STG,O=Gartner,L=Stamford,ST=CT,C=US']
 DEBUG [org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine:226] - Evaluation of credential against trusted names failed. Aborting PKIX validation
 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine:205] - Failed to establish trust of KeyInfo-derived credential
 DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine:216] - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
 DEBUG [org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine:166] - PKIX validation of signature failed, unable to resolve valid and trusted signing key

Do you have any suggestions about the problem?

Thank you very much.

Best Regards.
Marco
-- 
Marco Pirovano
Security & Network Competence Centre
Information & Communication Technology
Universita' Bocconi
via Gobbi, 5 - 20136 Milano
Tel. +39 02 5836.3173
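
Added example, not part of the original post and not OpenSAML code: a small Python script that reads the name-evaluator lines from the DEBUG log above and lines up each trusted name against the subject alt names, common name and subject DN the log reports for the certificate. The helper names, the ", " list separator and the simplified string comparison are assumptions made for illustration.

```python
import re

# Constructed sample: the relevant lines from the DEBUG log quoted in the post.
SAMPLE_LOG = """\
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:255] - Trusted names being evaluated are: [http://www.gartner.com]
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:392] - Extracted subject alt names from certificate: []
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:326] - Extracted common name from certificate: Gartner SHA2
 DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:351] - Extracted X500Principal from certificate: CN=Gartner SHA2,OU=STG,O=Gartner,L=Stamford,ST=CT,C=US
 ERROR [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:301] - Credential failed name check: [subjectName='CN=Gartner SHA2,OU=STG,O=Gartner,L=Stamford,ST=CT,C=US']
"""

def _grab(pattern, log):
    m = re.search(pattern, log, re.MULTILINE)
    return m.group(1).strip() if m else ""

def _as_list(text):
    # Assumption: multiple values are printed as "[a, b]" (comma + space).
    return [v for v in text.split(", ") if v]

def _norm_dn(dn):
    # Simplified DN comparison: case-insensitive, ignoring spaces around commas.
    return ",".join(p.strip().lower() for p in dn.split(","))

def summarize_name_check(log):
    """Hypothetical helper: compare trusted names with the names found in the cert."""
    trusted = _as_list(_grab(r"Trusted names being evaluated are: \[(.*)\]$", log))
    sans = _as_list(_grab(r"Extracted subject alt names from certificate: \[(.*)\]$", log))
    cn = _grab(r"Extracted common name from certificate: (.+)$", log)
    dn = _grab(r"Extracted X500Principal from certificate: (.+)$", log)
    matches = {}
    for name in trusted:
        hits = []
        if name in sans:
            hits.append("subjectAltName")
        if cn and name == cn:
            hits.append("CN")
        if dn and _norm_dn(name) == _norm_dn(dn):
            hits.append("DN")
        matches[name] = hits  # empty list: this trusted name matched nothing
    return {"trusted": trusted, "sans": sans, "cn": cn, "dn": dn,
            "matches": matches,
            "failed": "Credential failed name check" in log}

if __name__ == "__main__":
    for key, value in summarize_name_check(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
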

