Error 300101050 posted when using a self-signed certificate in a SAML2 federated environment

  • 7018778
  • 05-Apr-2017
  • 01-Jun-2017

Environment

NetIQ Access Manager 4.2.x

Situation

NetIQ Access Manager (NAM) 4.2 with SAML2 federation. NAM is configured as the Identity Provider (IdP). A Service Provider (SP) has been configured using a self-signed certificate. When an IdP-initiated Single Sign-On (SSO) is executed, it fails, and the following error is found in the catalina.out of the IDP server:
"300101050-<IDP id>, The request to provide authentication to a service provider has failed.:The Authentication Card specified is not valid."

An additional error message is:
"The request's authentication card was not found. Either id[null] or PID [https://myserver.company.com] of the card is missing or is invalid."

Resolution

Creating a new self-signed certificate resolved the issue.

Cause

The self-signed certificate had been created as a CA certificate, which must not be used to identify a server. In addition, checking its validity with the command "certutil -dump server-cert.der" returned the following message:
"Possible Root Certificate: Subject matches Issuer, but Signature check fails: 80090006"

The certificate was accepted as valid by the Admin Console, but it was rejected when used to set up a secure connection between the IdP and the SP.