Environment
Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Access Administration
Situation
SAML2 setup between a Novell SAML2 Identity server and a 3rd party
SAML2 Service Provider. The SOAP backchannel communication for this
SAML2 relationship required mutual authentication. The various
trusted roots were imported into the correct trusted root stores so
that both sides could validate the server certificate. When a user
authenticates to the IDP server and an assertion is sent over to the
SP, the browser reports error 300101028 (TLS Validation Failed).
Resolution
Make sure that the server certificate sent by the SP has a subject
name that matches the host name used as the baseURL or SOAP endpoint
in the SP metadata.
If you use a browser to look at the SP metadata, each service element
carries a Location URL with a DNS name. When an assertion is exchanged
between the IDP and SP with mutual authentication enabled, the SP sends
its server certificate to the IDP. The IDP checks that the certificate
issuer is in its NIDP trust store, and also checks that the subject name
of the server certificate matches the host in the SOAP endpoint of the
SP's metadata. In this case, the SP metadata had a baseURL that did not
match the certificate subject name, and the above error was thrown.
Either reissue the SP certificate so that its subject name covers the
SOAP endpoint host, or correct the metadata so that the endpoint
Location uses the name the certificate actually carries; the two must
agree before the back channel will validate.
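The following script, an added example and not part of the original TID or of the Novell product, performs the same comparison the IDP does on the back channel: it parses SP metadata for every SOAP-bound service Location, extracts the host names, and checks them against the names in the SP's server certificate. The metadata document and the certificate dictionary are constructed for illustration (sp.example.com and sp-internal.example.com are made-up hosts); the certificate is shaped like the dictionary Python's ssl.getpeercert() returns so that fetch_peer_cert() can be pointed at a live SP. The page speaks only of the certificate subject name; this example also accepts DNS subject alternative names, which is an assumption about how a modern validator behaves, not a statement about NIDP 3.

```python
"""Compare the SOAP endpoint hosts in SAML2 SP metadata against the names
in the SP's server certificate (added example, not Novell code)."""
import ssl
import socket
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample SP metadata; hosts are made up for this example.
# The SOAP services point at an internal name that differs from the
# public front-end name, which is exactly the mismatch the TID describes.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml2/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp-internal.example.com:8443/saml2/artifact"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp-internal.example.com:8443/saml2/slo"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed certificate in the shape ssl.getpeercert() returns. It names
# only the public front end, not the SOAP endpoint host, so the check fails.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "sp.example.com"),),),
    "subjectAltName": (("DNS", "sp.example.com"), ("DNS", "www.sp.example.com")),
}


def soap_endpoint_hosts(metadata_xml):
    """Return the host names of every SOAP-bound service in the metadata.
    These are the endpoints the IDP contacts on the back channel, so the
    SP certificate must name them (browser-facing bindings are ignored)."""
    root = ET.fromstring(metadata_xml)
    hosts = set()
    for elem in root.iter():
        if elem.tag.startswith("{%s}" % MD_NS) and elem.get("Binding") == SOAP_BINDING:
            hosts.add(urlparse(elem.get("Location")).hostname.lower())
    return hosts


def cert_names(peercert):
    """Collect the subject CN and DNS SANs from a getpeercert()-style dict."""
    names = set()
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(host, pattern):
    """Exact match, or a single left-most wildcard label (*.example.com)
    that covers exactly one label, as RFC 6125 allows."""
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False


def check_sp_certificate(metadata_xml, peercert):
    """Map each SOAP endpoint host to True if the certificate names it."""
    names = cert_names(peercert)
    return {host: any(name_matches(host, n) for n in names)
            for host in soap_endpoint_hosts(metadata_xml)}


def fetch_peer_cert(host, port=443):
    """Retrieve the certificate a live SP presents, validated against the
    system trust store; use its result in place of SAMPLE_PEER_CERT."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host, ok in check_sp_certificate(SAMPLE_SP_METADATA, SAMPLE_PEER_CERT).items():
        print(f"{host}: {'OK' if ok else 'MISMATCH - certificate does not name this host'}")
```

Run it as-is to see the mismatch from the TID reproduced against the constructed data; to check a real relationship, download the SP metadata, call fetch_peer_cert() against the SOAP endpoint host and port, and pass both to check_sp_certificate(). Any host reported as a mismatch is one where the IDP's subject-name check will fail regardless of which trusted roots have been imported.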