Access Manager 300101028 - SOAP TLS Authorization failed

  • 3813149
  • 09-Jul-2007
  • 26-Apr-2012

Environment


Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Access Administration

Situation

SAML2 setup between a Novell SAML2 Identity Server and a 3rd-party SAML2 Service Provider. The SOAP back-channel communication for this SAML2 relationship required mutual authentication. The various trusted roots were imported into the correct trusted root stores so that both sides could validate the server certificate. When a user authenticated to the IDP server and tried to communicate with the SP, the browser reported error 300101028 (TLS Validation Failed).

an assertion is sent over to the SP.

Resolution

Make sure that the server certificate sent by the SP has a subject name that matches that used as the baseURL or end point for the SP metadata.

If you use a browser to look at the SP metadata, the various services will have a DNS name in their location. When an assertion is exchanged between the IDP and SP with mutual authentication enabled, the SP sends its server certificate to the IDP. The IDP checks that the issuer is in its NIDP trust store, and also that the subject name of the server certificate matches the SOAP endpoint in the SP's metadata. In this case, the SP metadata had a baseURL that did not match the certificate subject name, and the above error was thrown.
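The following is an added example, not part of the TID and not Novell product code: a small Python preflight check that parses the SP metadata for SOAP-bound endpoint locations and compares each endpoint host against the names found in the SP's server certificate. The certificate names are passed in as strings (in practice read them from the SP certificate with `openssl x509 -noout -subject -in sp.pem` and the Subject Alternative Name extension); the metadata, hostnames and certificate names below are constructed for illustration.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed sample SP metadata (not a real SP). Only the SOAP-bound endpoint
# matters for the back-channel check; the HTTP-POST endpoint is included so the
# parser has something to skip.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml2/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp.example.test:8443/saml2/soap"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def soap_endpoint_hosts(metadata_xml: str) -> set:
    """Return the lower-cased hostnames of every SOAP-bound endpoint in SP metadata."""
    root = ET.fromstring(metadata_xml)
    hosts = set()
    for elem in root.iter():
        binding = elem.get("Binding", "")
        location = elem.get("Location")
        if location and binding.endswith(":SOAP"):
            host = urlparse(location).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def name_matches(cert_name: str, host: str) -> bool:
    """Match a certificate DNS name against a host the way TLS validators do:
    exact match, or a single leading wildcard label that covers exactly one label
    (so *.example.test matches sp.example.test but not a.b.example.test)."""
    cert_name = cert_name.lower()
    host = host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".example.test"
        return host.endswith(suffix) and host.count(".") == cert_name.count(".")
    return False


def check_sp_certificate(cert_subject_cn: str, cert_san_dns: list, metadata_xml: str) -> dict:
    """For each SOAP endpoint host in the metadata, report whether the SP certificate
    names it. Both the subject CN and the SAN DNS entries are accepted here; strict
    RFC 6125 validators ignore the CN once SANs are present, so an SP certificate
    should carry the endpoint host in its SANs as well as its CN."""
    names = [cert_subject_cn] + list(cert_san_dns)
    return {
        host: any(name_matches(n, host) for n in names)
        for host in soap_endpoint_hosts(metadata_xml)
    }


def main():
    # Constructed scenario mirroring the TID: the SP presents a certificate whose
    # subject does not match the SOAP endpoint named in its metadata.
    report = check_sp_certificate("sp-internal.example.test", [], SAMPLE_SP_METADATA)
    for host, ok in report.items():
        print(f"SOAP endpoint {host}: {'OK' if ok else 'MISMATCH - expect 300101028'}")


if __name__ == "__main__":
    main()
```

Run it against the real SP metadata URL and the certificate the SP actually presents on its SOAP port; any host reported as a mismatch is the one to fix, either by reissuing the SP certificate for that name or by correcting the baseURL in the SP metadata.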