
shibboleth-dev - RE: Testing SP against IQ

Subject: Shibboleth Developers


RE: Testing SP against IQ


  • From: "Howard Gilbert" <>
  • To: <>
  • Subject: RE: Testing SP against IQ
  • Date: Mon, 19 Sep 2005 13:31:47 -0400



> > 15:16 ERROR cannot match certificate subject against
> > acceptable key names based on the metadata entityId or KeyDescriptors
>
> That sounds like a bug in the metadata you're using somehow. If you're
> using the same IQ-metadata file that the SP ships with now, I know it's
> correct.

It wasn't the exact same metadata file, but it differed only in comments.

The problem is in some combination of the AA Role in the IQ-Metadata file
and the coding of ShibbolethTrust.validate. My ShibbolethTrust was replaced
by a new one shared by the IdP and SP.

The Metadata has (abridged):

<AttributeAuthorityDescriptor ...>
<Extensions>
<shibmd:Scope>example.edu</shibmd:Scope>
</Extensions>
<AttributeService .../>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
</AttributeAuthorityDescriptor>

The key observation here is that there is no KeyDescriptor and that the
Certificate has to be validated against a CA defined in the Extensions of
the group (EntitiesDescriptor).

ShibbolethTrust first calls super.validate() to look for an inline Cert
specific to the Role. There is none of course, so it prints out the
"Attmping PKIX" (sic) message.
Checkname is true, so it tries to match the hostname in the Certificate
"wayf.internet2.edu" against the Entity name "urn:mace:inqueue:example.edu"
and that sure don't match.
So the last step is to get the KeyDescriptors from the Role, except there
aren't any. So that produces the
13:10 ERROR cannot match certificate subject against acceptable key names
based on the metadata entityId or KeyDescriptors

Something is wrong here. Either there is a missing KeyDescriptor in the
Metadata, or checkname should be false, or the code in validate() is wrong.
I can figure that much from stepping through the Java, but which of the
three is the problem requires help from one of you guys.
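The three-step decision path the message walks through (inline certificate on the role first, then PKIX against the group's CA, then the name check against the entityId and the role's KeyDescriptor KeyNames) is easier to reason about when it can be run. The following is an added illustration, not ShibbolethTrust.java or any OpenSAML code: the rules are modeled on the message's description, the metadata is constructed and abridged in the same way as the message's excerpt (one AA role with no KeyDescriptor, plus a second copy of that role with a KeyName added so the "missing KeyDescriptor" fix can be exercised), the certificate is a constructed stand-in, and the PKIX chain check is reduced to an issuer lookup against a constructed set of trusted CAs. The element and attribute names, the entityIDs, the `-fixed` entity and the `validate` signature are all assumptions for this example.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed metadata, abridged like the message: the first AA role carries a Scope but no
# KeyDescriptor; the second is the same role with a KeyName added (both entityIDs are assumed).
METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:mace:inqueue">
 <EntityDescriptor entityID="urn:mace:inqueue:example.edu">
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
   <Extensions><shibmd:Scope>example.edu</shibmd:Scope></Extensions>
   <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
     Location="https://wayf.internet2.edu/shibboleth-idp/AA"/>
   <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
  </AttributeAuthorityDescriptor>
 </EntityDescriptor>
 <EntityDescriptor entityID="urn:mace:inqueue:example-fixed.edu">
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
   <KeyDescriptor use="signing">
    <ds:KeyInfo><ds:KeyName>wayf.internet2.edu</ds:KeyName></ds:KeyInfo>
   </KeyDescriptor>
   <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
     Location="https://wayf.internet2.edu/shibboleth-idp/AA"/>
  </AttributeAuthorityDescriptor>
 </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed stand-in for the AA's certificate: only the fields the checks below look at.
AA_CERT = {"subject_cn": "wayf.internet2.edu", "san_dns": ["wayf.internet2.edu"],
           "issuer": "InQueue Test CA", "pem_body": "MIIC...constructed..."}

# Constructed stand-in for the CA(s) the EntitiesDescriptor trusts. Real PKIX path building is
# out of scope here, so "chains to a trusted CA" is reduced to an issuer-name lookup.
TRUSTED_CAS = {"InQueue Test CA"}

ERR_NO_NAME = ("cannot match certificate subject against acceptable key names "
               "based on the metadata entityId or KeyDescriptors")


def find_role(entity_id, role_tag):
    """Locate the named role element for an entityID, or None."""
    root = ET.fromstring(METADATA)
    for ent in root.iter(MD + "EntityDescriptor"):
        if ent.get("entityID") == entity_id:
            return ent.find(MD + role_tag)
    return None


def inline_certs(role):
    """Base64 bodies of any ds:X509Certificate embedded in the role's KeyDescriptors."""
    return {el.text.strip() for el in role.iter(DS + "X509Certificate") if el.text}


def acceptable_key_names(entity_id, role):
    """entityId plus every ds:KeyName under the role's KeyDescriptors (none in the broken case)."""
    names = {entity_id}
    for kd in role.findall(MD + "KeyDescriptor"):
        names.update(kn.text.strip() for kn in kd.iter(DS + "KeyName") if kn.text)
    return names


def validate(entity_id, role_tag, cert, checkname=True):
    """Return (ok, reason), following the three steps the message describes."""
    role = find_role(entity_id, role_tag)
    if role is None:
        return False, "no such role in metadata"
    # 1. super.validate(): an inline certificate on the role settles it outright.
    if cert["pem_body"] in inline_certs(role):
        return True, "matched inline KeyDescriptor certificate"
    # 2. "Attempting PKIX": the chain must end at a CA the group trusts.
    if cert["issuer"] not in TRUSTED_CAS:
        return False, "certificate does not chain to a trusted CA"
    # 3. checkname: a CA-issued cert still has to be bound to *this* entity by name, or any
    #    other holder of a cert from the same CA could pose as it.
    if checkname:
        cert_names = {cert["subject_cn"], *cert["san_dns"]}
        if not cert_names & acceptable_key_names(entity_id, role):
            return False, ERR_NO_NAME
    return True, "PKIX validated" + (" and name matched" if checkname else " (name check skipped)")
```

Running `validate("urn:mace:inqueue:example.edu", "AttributeAuthorityDescriptor", AA_CERT)` reproduces the error from the log, since the only acceptable name is the entityId; the `-fixed` entity (KeyName added) and `checkname=False` are the other two outcomes the message lists, and the third candidate fix, a change to `validate()` itself, is whatever the maintainers decide the real code should do.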




