Troubleshooting the error “The signing certificate does not match what’s defined in the entity metadata”
I was working on federation with IDP as custom solution and SP as fedlet. The SAML authentication request and SAML response was generated successfully. However while validating the SAML response by Fedlet, it was throwing the below error in the browser.
Upon looking at libSAML2 debug file I could see 2 exceptions in the logs
ERROR: KeyUtil.getVerificationCert: No signing KeyDescriptor for entityID=XXXXXX in IDPRole role.
ERROR: SAML2Utils: The signing certificate does not match what’s defined in the entity metadata.
entityID is the ID value provied in fedlet.cot file in fedlet configuration.
Troubleshooting process:
Identity provider was signing the SAML response and encrypting the assertion. So the signing and validation has worked before and it is failing all at once.
IDP will provide the certificate in the metadata that they provide. Service Provider (Fedlet) verifies if the signature is valid by first checking if there is a certificate configured in Identity provider metadata signing block. Then it checks with Trusted Certificate for validating the signature. I have verified the IDP metadata in fedlet configuration and found that certificate was missing in Signing section which is the root cause of this error.
After placing the Signing block in IDP metadata and restarting the application server containing fedlet, the federation has worked!!
About the Author Mahendra
I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com