
shibboleth-dev - Re: origin build

Subject: Shibboleth Developers


Re: origin build


  • From:
  • To: Shibboleth Design Team <>
  • Subject: Re: origin build
  • Date: Thu, 29 May 2003 17:08:57 -0400

At 12:03 PM -0700 5/29/03, RL 'Bob' Morgan wrote:
> in the meantime.... I've added your origin to my target.... give it
> a try, if you'd like:

http://pluto.services.brown.edu/shib-test/

... and now what I get with my origin and your target. So there's a
certain consistency here in failure to validate the signed authn
assertions ...


With a LOT of help from Walter, I added a new KeyAuthority element to my sites.xml file. I basically copied the existing entry for shib2, and made a new explicit entry for my origin host.

After restarting the SHAR, I was able to successfully use my origin......

We went back to the keystore and looked at the cert being used by my HS...

It's signed by bossie, with a chain length of three (hepki master CA, hepki server CA, my machine).

With logging set to DEBUG, we looked at the log file. It certainly looks like the HS is sending three certs.......

so, the problem would seem to be with cert chain validation on the target side.....

suggestions?
