Reputation: 1075
I had a project dropped in my lap for SSO before another co-worker left the firm. We are using SimpleSAMLphp. I guess when the IdP forwards the user, they get a notice that says:
"Unable to find a certificate matching the configured fingerprint. Candidates: '***********************************'; certFingerprint: '*******************************'."
Please note I added the ***** in the place of displaying the real fingerprint or candidates.
I don't understand what this really means, or what I should do. The certFingerprint in the error matches our metadata/saml20-idp-remote.php.
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] Backtrace:
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] 0 /var/www/simplesamlphp/www/module.php:180 (N/A)
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] Caused by: SimpleSAML_Error_Exception: Unable to find a certificate matching the configured fingerprint. Candidates: '**********************'; certFingerprint: '************************'.
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] Backtrace:
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] 5 /var/www/simplesamlphp/modules/saml/lib/Message.php:116 (sspmod_saml_Message::findCertificate)
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] 4 /var/www/simplesamlphp/modules/saml/lib/Message.php:165 (sspmod_saml_Message::checkSign)
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] 3 /var/www/simplesamlphp/modules/saml/lib/Message.php:556 (sspmod_saml_Message::processAssertion)
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] 2 /var/www/simplesamlphp/modules/saml/lib/Message.php:528 (sspmod_saml_Message::processResponse)
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] 1 /var/www/simplesamlphp/modules/saml/www/sp/saml2-acs.php:81 (require)
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] 0 /var/www/simplesamlphp/www/module.php:135 (N/A)
Aug 13 08:37:53 518537-web5 simplesamlphp[20692]: 3 [20fd4d449a] Error report with id 40d74688 generated.
Upvotes: 1
Views: 3126
Reputation: 3047
X.509 public certificates or their fingerprints can be published. You only have to take care not to publish private keys, so you don't need to put in the ****.
It seems that you have configured your IdP-remote metadata with a certFingerprint instead of a certificate, so it will never look at the certificates in the cert-directory.
From this output, it looks like your certFingerprint option is set incorrectly. Either correct it, or replace the certFingerprint option with either a 'keys'-option (which you get from the XML metadata parser), a 'certData'-option or a 'certificate'-option.
Get more info in the SimpleSAMLphp documentation: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote#section_1
Upvotes: 1
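To see why the configured value and the candidate can disagree, here is an added Python example (not SimpleSAMLphp's own code) that checks a certFingerprint against the IdP signing certificate the way I understand sspmod_saml_Message::findCertificate does it (SHA-1 over the DER bytes, hex, colons ignored, case-insensitive), and that also produces the certData value the answer suggests using instead. The certificate bytes are a constructed placeholder, not a real certificate, and the function names are my own.

```python
import base64
import hashlib
import re

# Constructed sample input: these bytes are NOT a real X.509 certificate. They only
# stand in for the DER that would sit between the PEM markers of the IdP signing cert.
FAKE_DER = b"constructed sample, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_certdata(pem: str) -> str:
    """Strip the PEM armour and all whitespace, leaving the base64 DER that goes
    into the 'certData' option (the same text found in <ds:X509Certificate>)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return re.sub(r"\s+", "", body)


def fingerprint(certdata: str) -> str:
    """SHA-1 over the raw DER bytes as lowercase hex: the 'candidate' form that
    SimpleSAMLphp prints in the error message."""
    return hashlib.sha1(base64.b64decode(certdata)).hexdigest()


def normalize_configured(fp: str) -> str:
    """A configured certFingerprint may be written with colons or uppercase hex;
    it is compared with colons removed and lowercased (assumption about SSP)."""
    return fp.replace(":", "").strip().lower()


def matches(configured: str, candidates: list) -> bool:
    """The lookup that fails with 'Unable to find a certificate matching the
    configured fingerprint' when no candidate equals the normalized value."""
    return normalize_configured(configured) in candidates


def check(pem: str, configured_fp: str) -> dict:
    """Compute the candidate for one IdP certificate and compare it with the value
    from saml20-idp-remote.php; 'certData' is the drop-in replacement option."""
    certdata = pem_to_certdata(pem)
    cand = fingerprint(certdata)
    return {"certData": certdata, "candidate": cand, "match": matches(configured_fp, [cand])}


if __name__ == "__main__":
    print(check(SAMPLE_PEM, "AB:CD"))  # deliberately wrong fingerprint: match is False
```

Run it against the real IdP certificate from the metadata XML and the value in saml20-idp-remote.php; if "match" is False, either fix certFingerprint to the printed candidate or paste "certData" into the metadata entry instead.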