Troubleshooting the error "The signing certificate does not match what's defined in the entity metadata"

Posted in idm, sso, troubleshooting on 2013-06-17

I was working on a federation in which the IDP was a custom solution and the SP was a Fedlet. The SAML authentication request and the SAML response were both generated successfully. However, while the Fedlet was validating the SAML response, it threw the error below in the browser.

Looking at the libSAML2 debug file, I could see two exceptions in the logs:

    ERROR: KeyUtil.getVerificationCert: No signing KeyDescriptor for entityID=XXXXXX in IDPRole role.

    ERROR: SAML2Utils: The signing certificate does not match what’s defined in the entity metadata.

entityID here is the ID value provided in the fedlet.cot file in the Fedlet configuration.

Troubleshooting process:

The Identity Provider was signing the SAML response and encrypting the assertion. Signing and validation had worked before, so the failure appeared all at once rather than gradually.

The IDP supplies its certificate in the metadata it provides. The Service Provider (Fedlet) verifies a signature by first checking whether a certificate is configured in the signing block of the Identity Provider metadata, and only then validating the signature against that trusted certificate. I checked the IDP metadata in the Fedlet configuration and found that the certificate was missing from the signing section, which is the root cause of this error.

After adding the signing block to the IDP metadata and restarting the application server that hosts the Fedlet, the federation worked.
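The two checks described above (is there a KeyDescriptor usable for signing under the IDP's entityID, and does the certificate presented in the SAML response match it) can be reproduced outside the Fedlet when triaging this error. The script below is an added example, not Fedlet or OpenAM code; it parses SAML 2.0 IDP metadata with the standard library and returns a verdict mirroring the two log lines. The metadata documents, entityID and certificate blobs are constructed sample values, not real certificates.

```python
"""Diagnose "No signing KeyDescriptor for entityID=..." by inspecting SAML 2.0
IDP metadata: is there a KeyDescriptor usable for signing under that entityID,
and does its certificate match the one presented in the SAML response?"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for base64 DER certificates.
CERT_A = base64.b64encode(b"constructed-idp-signing-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-unrelated-cert-B").decode()
IDP_ENTITY_ID = "https://idp.example.test/saml"  # constructed entityID

def _metadata(key_descriptors: str) -> str:
    """Constructed EntityDescriptor wrapper for the sample KeyDescriptors."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
      entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key_descriptors}
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _key_descriptor(use: str, cert_b64: str) -> str:
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

# Sample 1: the broken state from the post, only an encryption KeyDescriptor.
METADATA_MISSING_SIGNING = _metadata(_key_descriptor("encryption", CERT_A))
# Sample 2: the fixed state, signing and encryption KeyDescriptors present.
METADATA_WITH_SIGNING = _metadata(
    _key_descriptor("signing", CERT_A) + _key_descriptor("encryption", CERT_A))

def _der(pem_or_b64: str) -> bytes:
    """Strip PEM armour and line wrapping; return the raw DER bytes."""
    body = [ln.strip() for ln in pem_or_b64.strip().splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body))

def signing_certs(metadata_xml: str):
    """Return [(entityID, DER)] for every IDP KeyDescriptor usable for signing.
    Per the SAML 2.0 metadata spec, a KeyDescriptor with no 'use' attribute is
    valid for both signing and encryption, so it counts as well."""
    root = ET.fromstring(metadata_xml)
    tag = f"{{{NS['md']}}}EntityDescriptor"
    descriptors = [root] if root.tag == tag else root.findall("md:EntityDescriptor", NS)
    found = []
    for ed in descriptors:
        idp = ed.find("md:IDPSSODescriptor", NS)  # only the IDP role matters
        if idp is None:
            continue
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                found.append((ed.get("entityID"), _der(cert.text)))
    return found

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, so certificates compare by content, not formatting."""
    return hashlib.sha256(der).hexdigest()

def check_response_cert(metadata_xml: str, response_cert_b64: str, entity_id: str) -> str:
    """Verdict for the certificate carried in a SAML response's ds:KeyInfo:
    NO_SIGNING_KEYDESCRIPTOR, CERT_MISMATCH or MATCH."""
    trusted = [der for eid, der in signing_certs(metadata_xml) if eid == entity_id]
    if not trusted:
        return "NO_SIGNING_KEYDESCRIPTOR"
    if fingerprint(_der(response_cert_b64)) in {fingerprint(c) for c in trusted}:
        return "MATCH"
    return "CERT_MISMATCH"

if __name__ == "__main__":
    for label, md in (("before fix", METADATA_MISSING_SIGNING),
                      ("after fix", METADATA_WITH_SIGNING)):
        print(label, check_response_cert(md, CERT_A, IDP_ENTITY_ID))
```

Run against the real IDP metadata from the Fedlet configuration and the base64 certificate copied out of the response's ds:KeyInfo; a NO_SIGNING_KEYDESCRIPTOR verdict points at the missing signing block described in this post, while CERT_MISMATCH means the block exists but the IDP is signing with a different key than it published, and also check that the entityID in the metadata matches the one in fedlet.cot, since a mismatch there produces the same first log line.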

2014, K21 Technologies. All rights reserved.