Hi there

>>> Apparently the SSL certificate used for HTTPS is the same self-signed certificate in the Federation metadata XML (the exported certificate from the browser has the same text as the FederationMetadata.xml XML portion).

Well, this is very uncommon. Certificates can be used for different usages (attribute key usage) like digital signature, server authentication, etc.

I assume this is a test infrastructure, but still, in this scenario different certificates should be used, as the CN of a certificate used for SSL (server authentication) should contain the DNS name of the server. The certificate (the private key, concretely) used to sign the SAML assertion should be highly protected.

>>> <issuer subject=".*CN=186.33.232.65.*" certificateValidation="ChainTrust" name="WIN-6LS98RP43K9" />

Import the certificate within the metadata file into the stsstore.jks and configure certificateValidation to "PeerTrust". You don't have to configure the subject. If you want to configure the subject it should look like this (regular expression):

subject=".*CN=WIN-6LS98RP43K9.*"

HTH
Oli

------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division
http://www.talend.com

________________________________________
From: Federico Tello Gentile [[email protected]]
Sent: 26 July 2013 15:40
To: [email protected]; Oliver Wulff
Subject: Re: Running Fediz Spring example webapp

On 22/07/13 08:34, Oliver Wulff wrote:
> No, the certificate you see as part of the SSL handshake is different.
>
> You see the IDP certificate here:
> https://186.33.232.65/FederationMetadata/2007-06/FederationMetadata.xml
>
> RoleDescriptor->KeyDescriptor->KeyInfo->X509Data

Apparently the SSL certificate used for HTTPS is the same self-signed certificate in the Federation metadata XML (the exported certificate from the browser has the same text as the FederationMetadata.xml XML portion).

I have imported it in my stsstore.jks, creating a text file with the XML portion. Keytool shows this as well as other keys.

----
keytool -list -keystore stsstore.jks -storepass stsspass

myidpkey, 23/07/2013, trustedCertEntry,
Huella Digital de Certificado (SHA1): 0A:A0:F2:34:99:92:92:CF:6C:3F:09:99:5F:33:CD:FD:2A:DC:ED:53
----

(SHA1 matches the one shown by the browser.)

I'm getting HTTP 401 - Authentication Failed: Security token issuer not trusted

So I looked at fediz_config.xml:

<trustedIssuers>
    <issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust" name="DoubleItSTSIssuer" />
</trustedIssuers>

Do I have to change that? And how can I find out the info from the certificate?

The IDP is using a self-signed certificate. So the issuer common name (CN) is "WIN-6LS98RP43K9", and the certificate is issued to the same CN "WIN-6LS98RP43K9".

The documentation seems to be clear:

There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (certificateValidation=ChainTrust) or you configure the certificate of the IDP and the CA(s) who signed it (certificateValidation=PeerTrust)

I just don't know enough about certificates. I tried

<issuer subject="WIN-6LS98RP43K9" certificateValidation="ChainTrust" name="WIN-6LS98RP43K9" />

and

<issuer subject=".*CN=186.33.232.65.*" certificateValidation="ChainTrust" name="WIN-6LS98RP43K9" />

but I'm not sure what I'm doing.

Thanks for any help.
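The manual steps discussed in this thread (pull the IDP certificate out of FederationMetadata.xml at RoleDescriptor->KeyDescriptor->KeyInfo->X509Data, check its SHA1 fingerprint against what keytool and the browser show, then import it into stsstore.jks for PeerTrust) can be scripted. The following is an added example written for this page, not code from the thread or from Fediz; the metadata document and certificate bytes it embeds are constructed placeholders, and the KeyDescriptor "use" handling is an assumption about the metadata rather than something the thread states.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace (also used by WS-Federation metadata) and XML-DSig namespace.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def extract_signing_certs(metadata_xml):
    """DER bytes of each signing certificate found under
    RoleDescriptor -> KeyDescriptor -> KeyInfo -> X509Data (the path named in the thread).
    KeyDescriptors marked use="encryption" are skipped; a missing 'use' counts as signing."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        if kd.get("use", "signing") != "signing":
            continue
        for x509 in kd.iter("{%s}X509Certificate" % DS):
            certs.append(base64.b64decode("".join(x509.text.split())))  # drop line breaks/indent
    return certs

def sha1_fingerprint(der):
    """Colon-separated uppercase SHA-1, the form keytool -list and browsers display."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def to_pem(der):
    """PEM text for: keytool -importcert -alias myidpkey -file idp.pem -keystore stsstore.jks"""
    body = base64.encodebytes(der).decode("ascii")  # 76-column lines, trailing newline
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample metadata (not the IDP from the thread); the certificate bytes are
# placeholders, not real X.509 DER, so only the extraction/fingerprint flow is exercised.
SIGNING_DER = b"constructed-signing-cert-bytes"
ENCRYPTION_DER = b"constructed-encryption-cert-bytes"
SAMPLE_METADATA = """<EntityDescriptor xmlns="%s" xmlns:ds="%s" entityID="https://idp.example/">
  <RoleDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        %s
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>""" % (MD, DS, base64.b64encode(SIGNING_DER).decode(), base64.b64encode(ENCRYPTION_DER).decode())

if __name__ == "__main__":
    for der in extract_signing_certs(SAMPLE_METADATA):
        print("SHA1:", sha1_fingerprint(der))  # compare with the keytool -list / browser value
        print(to_pem(der), end="")
```

With the fingerprint confirmed and the PEM imported, the trustedIssuers entry only needs certificateValidation="PeerTrust" and a name, as Oliver describes above.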
