
SAML artifact cert cn checking with consumer URL


When using SAML 1.0 and 2.0 artifact under NAM3.1 as IDP, I got the
following error when performing the SAML interaction:

<amLogEntry> 2012-11-23T09:26:38Z DEBUG NIDS Application:
Method: URLUtil.validateTLS
Thread: http-10.117.158.35-8443-Processor2
Exception doing SOAP TLS authentication Could not match certificate with
domain name of trusted provider </amLogEntry>

<amLogEntry> 2012-11-23T09:26:38Z DEBUG NIDS SAML1:
Method: SAMLPResponse.encodeErrorResponse
Thread: http-10.117.158.35-8443-Processor2
Saml1 SOAP Response
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
MajorVersion="1" MinorVersion="10"
ResponseID="idOB0cywUwa7IU52dgXTYySEvxOdg"
InResponseTo="sff71a68a84304997c7da18380ee57d553152364c"
Recipient="https://myservice.provider.com:443/sso"
IssueInstant="2012-11-23T09:26:38Z"><samlp:Status><samlp:StatusCode
Value="samlp:Requester"><samlp:StatusCode
Value="samlp:RequestDenied"></samlp:StatusCode><StatusMessage>Invalid or
no signature or bad client
authentication</StatusMessage></samlp:Status></samlp:Response>
</amLogEntry>

<amLogEntry> 2012-11-23T09:26:38Z WARNING NIDS SAML1: Error processing
Artifact from requester https://myservice.provider.com:443/sso: Invalid
or no signature or bad client authentication </amLogEntry>

<amLogEntry> 2012-11-23T09:26:38Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: http-10.117.158.35-8443-Processor2

Retrieval of object from cache session failed using key
43A9AB07D9BE98845B4615571AEE8470. Cache size is 10
</amLogEntry>


The certificate I used on the SP side is cn=myservice.sp.com, which
is different from my consumer URL https://myservice.provider.com. While
other federation products do not require the certificate used for
mutual SSL to match the cert CN name, NAM does require this. We have reasons
why we cannot use a cert with cn=myservice.provider.com. Thus
my question is: can NAM disable this cert domain name checking against the
consumer URL domain name?

Thanks.


--
jabbaaa
------------------------------------------------------------------------
jabbaaa's Profile: https://forums.netiq.com/member.php?userid=3423
View this thread: https://forums.netiq.com/showthread.php?t=46298
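The failing step in the log above is the IDP's TLS check on the SOAP artifact-resolution call: it compares the name in the SP's client certificate with the hostname of the consumer URL it has on file for that trusted provider. The script below is an added example, not NetIQ or NAM code, that lets an administrator run the same kind of comparison on a planned certificate before deploying it. It assumes the certificate is described in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns, and it applies the RFC 6125 rules (SAN dNSName entries take precedence over the subject CN; a single leading `*` label matches exactly one label). Whether NAM's `URLUtil.validateTLS` honours SANs or wildcards is not stated on this page, so treat those two rules as assumptions. The sample certificates and URL are constructed from the values in the post.

```python
"""Pre-deployment check: does an SP client certificate's name match the
consumer / artifact-resolution URL configured at the IDP?

Added example mirroring the kind of hostname check the log's
URLUtil.validateTLS performs; not NAM's own code. Assumptions: SAN DNS
names win over the CN, and wildcards follow RFC 6125 (one label only).
"""
from urllib.parse import urlsplit

# Constructed from the values in the forum post.
CONSUMER_URL = "https://myservice.provider.com:443/sso"

# Cert the poster deployed on the SP side: CN does not match the URL host.
SP_CERT_AS_POSTED = {"subject": ((("commonName", "myservice.sp.com"),),)}

# Cert whose name matches the consumer URL host (constructed).
SP_CERT_FIXED = {
    "subject": ((("commonName", "myservice.provider.com"),),),
    "subjectAltName": (("DNS", "myservice.provider.com"),),
}

# Wildcard SAN cert (constructed) to show the one-label wildcard rule.
SP_CERT_WILDCARD = {
    "subject": ((("commonName", "wildcard for provider.com"),),),
    "subjectAltName": (("DNS", "*.provider.com"),),
}

# SAN present but wrong, CN right: SAN takes precedence, so this must fail.
SP_CERT_SAN_SHADOWS_CN = {
    "subject": ((("commonName", "myservice.provider.com"),),),
    "subjectAltName": (("DNS", "other.provider.com"),),
}


def dns_names(cert):
    """Names to match against: SAN dNSName entries, or the subject CN(s)
    only when the cert carries no SAN DNS names (RFC 6125 section 6.4.4)."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match. A leading '*.' matches exactly one label:
    '*.provider.com' matches 'a.provider.com' but not 'provider.com' or
    'a.b.provider.com'."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    head, sep, rest = h.partition(".")
    return bool(sep) and head != "" and rest == p[2:]


def cert_matches_url(cert, url):
    """Return (ok, detail). `detail` names the URL host and the candidate
    certificate names so the admin can see why a check failed."""
    host = urlsplit(url).hostname
    if not host:
        return False, f"no hostname in {url!r}"
    names = dns_names(cert)
    for name in names:
        if name_matches(name, host):
            return True, f"{host} matched certificate name {name}"
    return False, f"Could not match certificate names {names} with domain name {host}"


if __name__ == "__main__":
    for label, cert in (
        ("as posted", SP_CERT_AS_POSTED),
        ("fixed", SP_CERT_FIXED),
        ("wildcard", SP_CERT_WILDCARD),
        ("SAN shadows CN", SP_CERT_SAN_SHADOWS_CN),
    ):
        ok, detail = cert_matches_url(cert, CONSUMER_URL)
        print(f"{label:15s} {'OK  ' if ok else 'FAIL'} {detail}")
```

The first case reproduces the post's situation and fails for the same reason the IDP logged ("Could not match certificate with domain name"). The last case is the one that surprises people: a correct CN does not rescue a certificate whose SAN extension names a different host, because a SAN-aware validator ignores the CN once any SAN DNS entry is present.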


Re: SAML artifact cert cn checking with consumer URL

Have you seen this article?
http://www.novell.com/support/kb/doc.php?id=3813149

Jared
Engineer IV at Novacoast
About Me: http://jaredjennings.org

On 11/30/12 10:34 AM, jabbaaa wrote:
>
> When using SAML 1.0 and 2.0 artifact under NAM3.1 as IDP, I got the
> following error when performing the SAML interaction:
>
> <amLogEntry> 2012-11-23T09:26:38Z DEBUG NIDS Application:
> Method: URLUtil.validateTLS
> Thread: http-10.117.158.35-8443-Processor2
> Exception doing SOAP TLS authentication Could not match certificate with
> domain name of trusted provider </amLogEntry>
>
> <amLogEntry> 2012-11-23T09:26:38Z DEBUG NIDS SAML1:
> Method: SAMLPResponse.encodeErrorResponse
> Thread: http-10.117.158.35-8443-Processor2
> Saml1 SOAP Response
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
> MajorVersion="1" MinorVersion="10"
> ResponseID="idOB0cywUwa7IU52dgXTYySEvxOdg"
> InResponseTo="sff71a68a84304997c7da18380ee57d553152364c"
> Recipient="https://myservice.provider.com:443/sso"
> IssueInstant="2012-11-23T09:26:38Z"><samlp:Status><samlp:StatusCode
> Value="samlp:Requester"><samlp:StatusCode
> Value="samlp:RequestDenied"></samlp:StatusCode><StatusMessage>Invalid or
> no signature or bad client
> authentication</StatusMessage></samlp:Status></samlp:Response>
> </amLogEntry>
>
> <amLogEntry> 2012-11-23T09:26:38Z WARNING NIDS SAML1: Error processing
> Artifact from requester https://myservice.provider.com:443/sso: Invalid
> or no signature or bad client authentication </amLogEntry>
>
> <amLogEntry> 2012-11-23T09:26:38Z DEBUG NIDS Application:
> Method: CacheMap.A
> Thread: http-10.117.158.35-8443-Processor2
>
> Retrieval of object from cache session failed using key
> 43A9AB07D9BE98845B4615571AEE8470. Cache size is 10
> </amLogEntry>
>
>
> The certificate I used on the SP side is cn=myservice.sp.com, which
> is different from my consumer URL https://myservice.provider.com. While
> other federation products do not require the certificate used for
> mutual SSL to match the cert CN name, NAM does require this. We have reasons
> why we cannot use a cert with cn=myservice.provider.com. Thus
> my question is: can NAM disable this cert domain name checking against the
> consumer URL domain name?
>
> Thanks.
>
>
