
I am using my SP to authenticate with TestShib IDP. After logging in on the IDP, on the SP Side I get this error

Unable to establish security of incoming assertion.

From the shibd.log I see

2016-11-03 11:30:34 ERROR XMLTooling.TrustEngine.PKIX [4]: certificate name was not acceptable
2016-11-03 11:30:34 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [4]: unable to verify message signature with supplied trust engine
2016-11-03 11:30:34 WARN Shibboleth.SSO.SAML2 [4]: detected a problem with assertion: Unable to establish security of incoming assertion.

Please advise.

Update:

More from shibd.log

2016-11-03 11:10:55 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.3
2016-11-03 11:10:55 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.4
2016-11-03 11:10:55 INFO Shibboleth.Application : building AttributeFilter of type XML...
2016-11-03 11:10:55 INFO Shibboleth.AttributeFilter : reload thread started...running when signaled
2016-11-03 11:10:55 INFO Shibboleth.AttributeFilter : loaded XML resource (/opt/shibboleth-sp/etc/shibboleth/attribute-policy.xml)
2016-11-03 11:10:55 INFO Shibboleth.Application : building AttributeResolver of type Query...
2016-11-03 11:10:55 INFO Shibboleth.Application : building CredentialResolver of type File...
2016-11-03 11:10:55 INFO XMLTooling.SecurityHelper : loading private key from file (/opt/shibboleth-sp/etc/shibboleth/sp-key.pem)
2016-11-03 11:10:55 INFO XMLTooling.SecurityHelper : loading certificate(s) from file (/opt/shibboleth-sp/etc/shibboleth/sp-cert.pem)
2016-11-03 11:10:55 INFO Shibboleth.Listener : registered remoted message endpoint (default::getHeaders::Application)
2016-11-03 11:10:55 INFO Shibboleth.Listener : listener service starting
2016-11-03 11:11:34 ERROR XMLTooling.TrustEngine.PKIX [2]: certificate name was not acceptable
2016-11-03 11:11:34 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]: unable to verify message signature with supplied trust engine
2016-11-03 11:11:34 WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Unable to establish security of incoming assertion.
2016-11-03 11:25:55 INFO XMLTooling.StorageService : purged 3 expired record(s) from storage
2016-11-03 11:30:34 ERROR XMLTooling.TrustEngine.PKIX [4]: certificate name was not acceptable
2016-11-03 11:30:34 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [4]: unable to verify message signature with supplied trust engine
2016-11-03 11:30:34 WARN Shibboleth.SSO.SAML2 [4]: detected a problem with assertion: Unable to establish security of incoming assertion.
2016-11-03 11:40:55 INFO XMLTooling.StorageService : purged 3 expired record(s) from storage

From shibd_warn.log

2016-11-03 10:50:10 WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Message was signed, but signature could not be verified.
2016-11-03 11:11:34 ERROR XMLTooling.TrustEngine.PKIX [2]: certificate name was not acceptable
2016-11-03 11:11:34 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]: unable to verify message signature with supplied trust engine
2016-11-03 11:11:34 WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Unable to establish security of incoming assertion.
2016-11-03 11:30:34 ERROR XMLTooling.TrustEngine.PKIX [4]: certificate name was not acceptable
2016-11-03 11:30:34 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [4]: unable to verify message signature with supplied trust engine
2016-11-03 11:30:34 WARN Shibboleth.SSO.SAML2 [4]: detected a problem with assertion: Unable to establish security of incoming assertion.
SteeleDev

1 Answer


You should NOT use PKIX, but explicit Trust.

The error happens when your SP tries to verify the signature (thus the authenticity) of the SAML Assertion that comes from the testshib IDP. You have configured your SP to validate signatures using the PKIX TrustEngine and the does not match any of the

  • subject DN in reverse/LDAP comma-separated syntax, with or without spaces (see RFC 2253)
  • subject CN
  • any DNS and URL subjectAltNames

of your certificate.

Using an ExplicitKey TrustEngine is much simpler and the recommended approach. That would mean that the SP will get to know about the signing certificate of the TestShib IdP from the metadata directly.

Yiannis Kakavas
  • How do I switch from PKIX to Explicit Trust Engine? Where do I make this change? – SteeleDev Nov 04 '16 at 16:58
  • If you haven't changed it yourself, you use the default configuration, which means that you have a chained trust engine, first explicit and then PKIX. Since it reaches the PKIX and fails, I assume that it can't match the certificate of the idp in the metadata. You will have to show us relevant entries from your shibd/shibd_warn logs before the ones you already shared – Yiannis Kakavas Nov 04 '16 at 17:08
  • I added in shibboleth2.xml and I get this error. 2016-11-04 14:29:58 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]: unable to verify message signature with supplied trust engine – SteeleDev Nov 04 '16 at 18:31
  • It could be that the SP can't read the key from the metadata file. I assume you have followed the examples from testshib and have a MetadataProvider that loads the testshib metadata xml in your shibboleth2.xml? – Yiannis Kakavas Nov 04 '16 at 18:47
  • Also this old message http://shibboleth.1660669.n2.nabble.com/Failure-to-validate-Response-Signature-td7582247i20.html describes a very similar problem, so please check the xml namespaces in the idp and sp metadata – Yiannis Kakavas Nov 04 '16 at 18:49
  • As per the example, my xml tags follow this high-level structure – SteeleDev Nov 07 '16 at 14:42
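The trust-engine choice the answer describes, written out as a configuration fragment. This is an added example, not part of the question, the answer, or the Shibboleth SP distribution; it shows where the TrustEngine and MetadataProvider elements sit inside ApplicationDefaults in shibboleth2.xml, with the default chained engine next to the ExplicitKey-only form. The entityID, the backingFilePath value and the TestShib metadata URL are assumptions: use the values from your own setup and from the TestShib registration page you followed.

```xml
<!-- Added example (not from the original post): trust-engine section of shibboleth2.xml.
     Placeholder values (entityID, backingFilePath, metadata URL) are assumptions. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn">

    <!-- The ExplicitKey engine can only accept a signature if the IdP's metadata,
         and with it the IdP's signing <ds:X509Certificate>, is actually loaded.
         If this provider is missing or fails to load, every signature check fails. -->
    <MetadataProvider type="XML"
                      uri="http://www.testshib.org/metadata/testshib-providers.xml"
                      backingFilePath="testshib-providers.xml"
                      reloadInterval="7200"/>

    <!-- (a) What the SP uses when no TrustEngine element is configured at all:
         ExplicitKey is tried first, PKIX second. The "certificate name was not
         acceptable" error comes from the PKIX step, so seeing it means the
         ExplicitKey step already failed to match the certificate in metadata. -->
    <TrustEngine type="Chaining">
        <TrustEngine type="ExplicitKey"/>
        <TrustEngine type="PKIX"/>
    </TrustEngine>

    <!-- (b) ExplicitKey only, as recommended in the answer. Use this INSTEAD of (a);
         only one TrustEngine element is allowed here. The signing certificate must
         be byte-identical to one published in the IdP's metadata; no matching of
         subject DN, CN or subjectAltName is attempted. -->
    <!--
    <TrustEngine type="ExplicitKey"/>
    -->

</ApplicationDefaults>
```

Only one of the two TrustEngine variants may be present in a real file; (b) is commented out above so the fragment stays well-formed. If the ExplicitKey-only engine still reports "unable to verify message signature with supplied trust engine", the practical check is the one the comments point at: confirm in shibd.log that the MetadataProvider loaded the TestShib metadata without errors, and compare the certificate embedded in the IdP's signed response with the <ds:X509Certificate> for that entity in the loaded metadata, since a rotated IdP key or a stale backing file produces exactly this failure.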