IdP v4 SLO issues when wildcard certificates for websites
Lipscomb, Gary
glipscomb at csu.edu.au
Fri Aug 14 05:37:27 UTC 2020
Hi List,
RHEL 7
Tomcat 9
OpenJDK 11
I’m in the process of upgrading to IdP v4 (4.0.1) and have come across an issue with SLO which was not present in v3.4.7.
When we try to SLO and the web certificate for that site uses a wildcard certificate (e.g. *.csu.edu.au), SLO fails with the following error:
2020-08-14 15:09:53,138 - 10.0.2.2 - ERROR [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:297] - Credential failed name check: [subjectName='CN=*.csu.edu.au,OU=DIT,O=Charles Sturt University,L=North Wagga,ST=New South Wales,C=AU']
2020-08-14 15:09:53,311 - 10.0.2.2 - WARN [net.shibboleth.idp.saml.saml2.profile.impl.SOAPLogoutRequest:298] - Profile Action SOAPLogoutRequest: SOAP logout request failed
org.opensaml.soap.common.SOAPException: Problem handling SOAP message exchange with: https://onlinedevel.csu.edu.au/Shibboleth.sso/SLO/SOAP
at org.opensaml.soap.client.http.AbstractPipelineHttpSOAPClient.send(AbstractPipelineHttpSOAPClient.java:244)
Caused by: org.opensaml.messaging.handler.MessageHandlerException: Message context was not authenticated
at org.opensaml.messaging.handler.impl.CheckMandatoryAuthentication.doInvoke(CheckMandatoryAuthentication.java:70)
These sites are behind a load balancer and the wildcard certificate is used extensively.
Is there a setting I’ve missed in the upgrade process?
Regards
Gary
Gary Lipscomb
Technical Officer, Systems(Infrastructure) | Infrastructure & Client Services | Division of Information Technology
Charles Sturt University
Panorama Avenue
Bathurst NSW 2795