[Shib-Users] Trust of untrusted credential could not be established via PKIX validation - Authentication via client certificate failed


Miotke,Randy

Apr 2, 2010, 12:03:09 PM
to shibbole...@internet2.edu
Hello,

Our IdP is logging an error (09:13:32.298 - ERROR [org.opensaml.ws.security.provider.ClientCertAuthRule:151] - Authentication via client certificate failed for context presenter entity ID) when this SP sends the request noted below. It looks like the credential presented isn't trusted. Is the certificate being presented different from what is in the metadata? Can someone please help decipher this and suggest a possible cause?

Thanks very much.

Randy

---------------------------------------------------------
Randy Miotke
Academic Computing and Networking Services
Colorado State University


09:13:32.297 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237] - Searching for entity descriptor with an entity ID of https://sp.eblib.com/shibboleth
09:13:32.297 - DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:630] - Write lock over cache acquired
09:13:32.297 - DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:633] - Added new PKIX info to entity cache with key: [https://sp.eblib.com/shibboleth,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:1.1:protocol,SIGNING]
09:13:32.297 - DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:636] - Write lock over cache released
09:13:32.297 - DEBUG [org.opensaml.xml.security.x509.PKIXX509CredentialTrustEngine:156] - Beginning PKIX validation using trusted validation information
09:13:32.297 - DEBUG [org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator:219] - Supplied trusted names are null or empty, skipping name evaluation
09:13:32.298 - DEBUG [org.opensaml.xml.security.x509.PKIXX509CredentialTrustEngine:174] - Trust of untrusted credential could not be established via PKIX validation
09:13:32.298 - ERROR [org.opensaml.ws.security.provider.ClientCertAuthRule:151] - Authentication via client certificate failed for context presenter entity ID https://sp.eblib.com/shibboleth
09:13:32.298 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:171] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Client certificate authentication failed for context presenter entity ID


Scott Cantor

Apr 2, 2010, 12:32:16 PM
to shibbole...@internet2.edu
> Our IdP is logging an error (09:13:32.298 - ERROR
> [org.opensaml.ws.security.provider.ClientCertAuthRule:151] - Authentication
> via client certificate failed for context presenter entity ID) when this SP
> sends the request noted below. It looks like the credential presented isn't
> trusted. Is the certificate being presented different from what is in the
> metadata? Can someone please help decipher this and suggest a possible
> cause?

Assuming both trust engines are active as they usually are, it means neither
trust engine is able to validate it, so it's not in the metadata or subject
to PKIX trust.

-- Scott
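Given Scott's answer, the first thing to verify is whether the IdP's copy of the SP metadata actually carries a signing-capable certificate for the role the request used, and whether the certificate the SP presented matches it. The script below is an added example (stdlib Python, not Shibboleth or OpenSAML code) that mirrors the role/protocol/usage filtering visible in the IdP's cache key above; the metadata and certificate bytes are constructed placeholders, not real DER certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML1 = "urn:oasis:names:tc:SAML:1.1:protocol"  # the protocol in the IdP's cache key above

def sha256_fp(b64_cert: str) -> str:
    """SHA-256 fingerprint of a base64-encoded (PEM body / metadata) certificate."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def metadata_signing_fps(metadata_xml: str, entity_id: str, protocol: str = SAML1) -> set:
    """Signing-capable certificate fingerprints in entity_id's SPSSODescriptor roles that list `protocol`."""
    fps = set()
    for ed in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for role in ed.iterfind(MD + "SPSSODescriptor"):
            if protocol not in role.get("protocolSupportEnumeration", "").split():
                continue  # role does not support the request's protocol
            for kd in role.iterfind(MD + "KeyDescriptor"):
                if kd.get("use") == "encryption":
                    continue  # encryption-only keys never authenticate a client
                for cert in kd.iter(DS + "X509Certificate"):
                    fps.add(sha256_fp(cert.text))
    return fps

def explain_client_cert(metadata_xml, entity_id, presented_b64, protocol=SAML1) -> str:
    """Why the metadata trust engine would accept or reject the presented certificate."""
    accepted = metadata_signing_fps(metadata_xml, entity_id, protocol)
    if sha256_fp(presented_b64) in accepted:
        return "trusted: certificate is in metadata"
    if not accepted:
        return "no signing certificate in metadata for this entity/role/protocol"
    return "presented certificate differs from the signing certificate(s) in metadata"

# Constructed sample metadata; placeholder bytes stand in for real DER certificates.
CERT_A = base64.b64encode(b"constructed placeholder, not a real certificate: A").decode()
CERT_B = base64.b64encode(b"constructed placeholder, not a real certificate: B").decode()
METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.eblib.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAML1}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run against the IdP's real metadata file and the SP's actual certificate (the PEM body, base64 only): a "differs" result points at stale or mismatched metadata, while "no signing certificate" points at a role, protocol or `use` attribute problem.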
