Hi Fiona,
I did get that email and replied although it went to Jorum support so
you may not have seen it. Your mail did help with the problem of Apache
rejecting the certificates and that's now solved. It now gets to the
Shibboleth part and fails there, as my idp-process.log shows errors.
It seems to happen on any SP requesting attributes, so it's something to
do with my setup, but I couldn't find a link. The only thing of interest
was that the target.iay.org.uk test SP does successfully get attributes,
and it's the only one I could see with a certificate embedded in the
metadata. All the other SPs have a keyname only, so I'm wondering if
it's related to that. I have a vague understanding of how client
certificates are verified but unfortunately not enough to know what's
going wrong here.
Nick
Fiona Culloch wrote:
> Hi Nick,
> Did you receive the following from me previously? I just checked my
> back mail and realised I sent it to a colleague and an internal support
> list rather than directly to you as intended, so this may not have
> made it through to you:
>
>> I just had a quick look and the proximate cause seems to be a certificate
>> issue between the IdP and the SP:
>>
>> 2008-07-22 15:31:06 INFO SAML.SAMLSOAPHTTPBinding [1409] sessionGet:
>> sending SOAP message to https://dev-wsos-shib.warwick.ac.uk:80/idp/profile/SAML1/SOAP/AttributeQuery
>> [...]
>> 2008-07-22 15:31:07 ERROR SAML.SAMLSOAPHTTPBinding [1409] sessionGet:
>> failed while contacting SAML responder: error:14094416:
>> SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>