Credential failed name check

Nate Klingenstein ndk at signet.id
Tue Nov 20 17:08:47 EST 2018


Marco,

Assuming you're using the default signature validation settings, the log means two things:

1)  The key in the SP's metadata does not match the key the SP is using to sign messages, or there would be no attempt at PKIX.
2)  The certificate in the SP's metadata does not pass PKIX validation for the reasons listed in the log.

Long story short, you'll need to work with the SP to make the key they're using to sign messages match the one in their metadata.

Hope this helps,
Nate.

-----Original message-----
> From: Marco Pirovano
> Sent: Tuesday, November 20 2018, 7:14 am
> To: users at shibboleth.net
> Subject: Credential failed name check
> 
> Hello,
> 
> I'm adding a new SP to our IdP v3.3.3.
> 
> When I try to access the resource I'm getting this error:
> 
>    The request cannot be fulfilled because the message received does not meet the security requirements of the login service.
> 
> I have enabled the DEBUG log and found these errors:
> 
>  DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:253] - Checking trusted names against credential: [subjectName='CN=Gartner SHA2,OU=STG,O=Gartner,L=Stamford,ST=CT,C=US']
>  DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:255] - Trusted names being evaluated are: [http://www.gartner.com]
>  DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:386] - Processing subject alt names
>  DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:392] - Extracted subject alt names from certificate: []
>  DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:317] - Processing subject DN common name
>  DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:326] - Extracted common name from certificate: Gartner SHA2
>  DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:347] - Processing subject DN
>  DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:351] - Extracted X500Principal from certificate: CN=Gartner SHA2,OU=STG,O=Gartner,L=Stamford,ST=CT,C=US
>  DEBUG [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:368] - Trusted name was not a DN or could not be parsed: http://www.gartner.com
>  ERROR [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:301] - Credential failed name check: [subjectName='CN=Gartner SHA2,OU=STG,O=Gartner,L=Stamford,ST=CT,C=US']
>  DEBUG [org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine:226] - Evaluation of credential against trusted names failed. Aborting PKIX validation
>  DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine:205] - Failed to establish trust of KeyInfo-derived credential
>  DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine:216] - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
>  DEBUG [org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine:166] - PKIX validation of signature failed, unable to resolve valid and trusted signing key
> 
> Do you have any suggestions about the problem?
> 
> Thank you very much.
> 
> Best Regards.
> Marco
> -- 
> Marco Pirovano
> Security & Network Competence Centre
> Information & Communication Technology
> Universita' Bocconi
> via Gobbi, 5 - 20136 Milano
> Tel. +39 02 5836.3173
> -- 
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> 
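The two points in the reply can be exercised end to end with a small model of the IdP's default trust chain. This is an added example written for this page, not Shibboleth or OpenSAML code. It builds constructed test certificates (one carrying the subject DN from the log, keyed from fixed seeds so that "same key" and "different key" are explicit), compares the message-signing key against the metadata certificate first, and only then runs a name check that follows the order seen in the log: URI subject alt names, then the CN, then the full subject DN when the trusted name itself parses as one. The names `parseDN`, `makeCert`, `nameCheck` and `establishTrust`, the seed-derived Ed25519 keys and the simplified DN parser are all assumptions of the example; chain building to a trust anchor is left out because the log shows validation aborting before that step.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// parseDN reads an RFC 2253 style string such as "CN=x,OU=y,O=z" into a pkix.Name (simplified: no escaping,
// no multi-valued RDNs). ok is false when the input is not a DN at all, as the log says of "http://www.gartner.com".
func parseDN(s string) (n pkix.Name, ok bool) {
	multi := map[string]*[]string{"OU": &n.OrganizationalUnit, "O": &n.Organization, "L": &n.Locality, "ST": &n.Province, "C": &n.Country}
	for _, part := range strings.Split(s, ",") {
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return n, false
		}
		k, v := strings.ToUpper(strings.TrimSpace(kv[0])), strings.TrimSpace(kv[1])
		if k == "CN" {
			n.CommonName = v
		} else if p, found := multi[k]; found {
			*p = append(*p, v)
		} else {
			return n, false
		}
	}
	return n, true
}

// makeCert builds a self-signed certificate for subjectDN with the given URI SANs. The Ed25519 key is derived
// from a fixed seed, so equal seeds give equal keys. Constructed test data only, not the SP's real certificate.
func makeCert(subjectDN string, uriSANs []string, seed byte) (*x509.Certificate, ed25519.PublicKey) {
	subject, _ := parseDN(subjectDN) // callers in this file pass well-formed DNs
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	var uris []*url.URL
	for _, u := range uriSANs {
		parsed, _ := url.Parse(u) // literal, well-formed URIs in this file; a bad one would panic in CreateCertificate
		uris = append(uris, parsed)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         uris,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv.Public().(ed25519.PublicKey)
}

// nameCheck follows the order visible in the log: subject alt names, then the subject CN, then the whole
// subject DN (only when the trusted name itself parses as a DN).
func nameCheck(cert *x509.Certificate, trustedNames []string) (bool, string) {
	for _, tn := range trustedNames {
		for _, u := range cert.URIs {
			if u.String() == tn {
				return true, "matched URI SAN " + tn
			}
		}
		if cert.Subject.CommonName == tn {
			return true, "matched CN " + tn
		}
		if dn, ok := parseDN(tn); ok && dn.String() == cert.Subject.String() {
			return true, "matched subject DN " + tn
		}
	}
	return false, "credential failed name check: " + cert.Subject.String()
}

// establishTrust models the default chain: explicit key first, PKIX name check only when no key matches.
// Chain building to a trust anchor is left out, since the log shows validation aborting before that step.
func establishTrust(signingKey ed25519.PublicKey, metaCert *x509.Certificate, trustedNames []string) (bool, string) {
	if pub, ok := metaCert.PublicKey.(ed25519.PublicKey); ok && pub.Equal(signingKey) {
		return true, "explicit key match, PKIX not attempted"
	}
	ok, why := nameCheck(metaCert, trustedNames)
	return ok, "no explicit key match; " + why
}

func main() {
	dn := "CN=Gartner SHA2,OU=STG,O=Gartner,L=Stamford,ST=CT,C=US" // subject DN from the log
	metaCert, metaPub := makeCert(dn, nil, 1)                       // what the SP's metadata carries
	_, signingPub := makeCert(dn, nil, 2)                           // what the SP actually signs with
	fmt.Println(establishTrust(signingPub, metaCert, []string{"http://www.gartner.com"}))
	fmt.Println(establishTrust(metaPub, metaCert, []string{"http://www.gartner.com"}))
}
```

Run as written, the first call reproduces the situation in the log: the signing key is not the one in metadata, and the only trusted name, http://www.gartner.com, is neither a SAN of the certificate, nor its CN "Gartner SHA2", nor a DN, so the name check fails and PKIX is abandoned. The second call uses the metadata key and succeeds on the explicit-key comparison without ever touching PKIX, which is the outcome of the fix suggested in the reply. Giving the metadata certificate a URI SAN equal to the entityID would satisfy the name check instead, but the IdP would then still need a PKIX path to a trusted anchor, so aligning the signing key with the published certificate is the simpler route.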
