No, but that metadata is invalid. There's a bogus certificate blob sitting
in empty space and an empty X509Certificate element after it. That's the
one triggering the error I would guess.
And the order of the certs is wrong. Shibboleth does not understand
multiple certificates inside a single KeyDescriptor, but if you do it, it
will only look at the first one. In this case, that's a CA, not the peer's
key.
-- Scott
--
To unsubscribe from this list send an email to users-un...@shibboleth.net
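The structural problems Scott describes (a certificate blob pasted outside any element, an empty X509Certificate element, more than one certificate in a KeyDescriptor with a CA listed first) can be caught before loading the metadata. The following lint is an added example written for this thread, not Shibboleth or OpenSAML code; it uses only the Python standard library, and the metadata document and the DER bytes in it are constructed placeholders (the "certificate" is only a well-formed DER SEQUENCE, not a real X.509 certificate).

```python
"""Structural lint for KeyDescriptor elements in SAML metadata (added example).

Flags: stray text where only child elements belong, empty X509Certificate
elements, blobs that are not base64 or not a DER SEQUENCE, and several
certificates in one KeyDescriptor (Shibboleth only uses the first one).
"""
import base64
import binascii
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Elements that should contain only child elements and whitespace.
CONTAINERS = {f"{{{MD_NS}}}KeyDescriptor", f"{{{DS_NS}}}KeyInfo", f"{{{DS_NS}}}X509Data"}


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag for readable messages."""
    return tag.rsplit("}", 1)[-1]


def der_envelope_ok(der: bytes) -> bool:
    """Cheap sanity check: a DER certificate is a SEQUENCE (0x30) whose declared
    length covers exactly the remaining bytes. Catches truncated blobs and junk
    that happens to be valid base64; it does NOT parse the certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def check_key_descriptors(metadata_xml: str) -> list:
    """Return (entityID, keydescriptor_index, severity, message) tuples."""
    findings = []
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity = ed.get("entityID", "?")
        for idx, kd in enumerate(ed.iter(f"{{{MD_NS}}}KeyDescriptor")):
            def note(sev, msg):
                findings.append((entity, idx, sev, msg))
            # A certificate pasted outside <X509Certificate> shows up as text
            # inside a container element or as the tail of a sibling.
            for el in kd.iter():
                if el.tag in CONTAINERS and (el.text or "").strip():
                    note("error", f"stray text inside <{_local(el.tag)}>")
                for child in el:
                    if (child.tail or "").strip():
                        note("error", f"stray text after <{_local(child.tag)}>")
            certs = list(kd.iter(f"{{{DS_NS}}}X509Certificate"))
            if not certs:
                note("error", "no X509Certificate element")
                continue
            if len(certs) > 1:
                note("warn", f"{len(certs)} certificates in one KeyDescriptor; "
                             "only the first is used, so it must be the peer's own key, not a CA")
            for n, cert in enumerate(certs):
                text = "".join((cert.text or "").split())   # drop line wrapping
                if not text:
                    note("error", f"X509Certificate #{n} is empty")
                    continue
                try:
                    der = base64.b64decode(text, validate=True)
                except binascii.Error:
                    note("error", f"X509Certificate #{n} is not valid base64")
                    continue
                if not der_envelope_ok(der):
                    note("error", f"X509Certificate #{n} does not decode to a DER SEQUENCE")
    return findings


# Constructed placeholder: a minimal DER SEQUENCE, standing in for a certificate.
GOOD_DER = b"\x30\x05\x02\x03\x01\x00\x01"
GOOD_B64 = base64.b64encode(GOOD_DER).decode()

# Constructed metadata: KeyDescriptor 0 is clean; KeyDescriptor 1 reproduces the
# mistakes from the thread (blob outside any element, empty element, junk, and
# several certificates where the first would be the CA rather than the peer key).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{GOOD_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{GOOD_B64}</ds:X509Certificate>
        MIIBogusBlobPastedOutsideAnyElement
        <ds:X509Certificate></ds:X509Certificate>
        <ds:X509Certificate>not-base64!!</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for f in check_key_descriptors(SAMPLE_METADATA):
        print("%s KeyDescriptor[%d] %s: %s" % (f[0], f[1], f[2].upper(), f[3]))
```

The lint only validates the envelope; it cannot tell a CA certificate from the peer's signing certificate. For that, decode the first X509Certificate blob and inspect it with `openssl x509 -noout -text`, checking the Subject and the basicConstraints extension, and make sure that blob is the key the IdP actually signs with.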
I've fixed it, but now I get a different error in the log:
2012-03-16 13:29:25 DEBUG OpenSAML.MessageDecoder.SAML1 [2]: extracting
issuer from SAML 1.x Response
2012-03-16 13:29:25 DEBUG OpenSAML.MessageDecoder.SAML1 [2]: response
from (https://idpcrl.crs.lombardia.it//scauth)
2012-03-16 13:29:25 DEBUG OpenSAML.MessageDecoder.SAML1 [2]: searching
metadata for response issuer...
2012-03-16 13:29:25 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]:
evaluating message flow policy (replay checking on, expiration 60)
2012-03-16 13:29:25 DEBUG XMLTooling.StorageService [2]: inserted record
(_f0fcc07abb9ae502ddcfd20bfd3a447e) in context (MessageFlow)
2012-03-16 13:29:25 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]:
validating signature profile
2012-03-16 13:29:25 ERROR XMLTooling.TrustEngine.PKIX [2]: certificate
name was not acceptable
2012-03-16 13:29:25 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]:
unable to verify message signature with supplied trust engine
Am I still missing something?
mhhhh
Thanks again
Francesco
The metadata's obviously still wrong. All the documentation on how trust
engines work is in the wiki. That's all the help I can give you on what
has to be in the metadata.
I don't know what trust engine you're trying to make work. ExplicitKey
works one way, and PKIX works another.