IdP v4 SLO issues when wildcard certificates for websites

Cantor, Scott cantor.2 at osu.edu
Mon Aug 17 16:39:26 UTC 2020


It's going to be very hard to really get to the root issues with this without a really complete stack trace. Fundamentally, the way it's supposed to work is that the name-checking should be happening in the HTTP client step, but it should be allowing the actual certificate to get evaluated by the trust engine via metadata.

But that isn't really how SOAP is meant to work now; the intent is to use port 443, ignore that cert, and use message signing.

The name check here sure seems to be failing in the trust layer and that doesn't really make sense. The trust layer should really be operating against a signed message and the cert name won't matter there (PKIX won't even run).

Perhaps the real problem here is in fact a trust error. If the right cert isn't in the metadata and, more to the point, if the SP is not up to date and not signing its response, it's not going to work.

-- Scott



