Scott, I'm not sure I understand. First of all my problem happens with both testshib and another sp. Both work just fine without CAS involved.
So are you saying that shibboleth (on the sp side) is looking for my SSL certificate to be what is in the metadata? So if I get a 'real' certificate (like VeriSign) I will need to put that certificate into the metadata for the sp to validate against?

Thanks,
Pat

-----Original Message-----
From: Scott Cantor [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 12, 2006 2:26 PM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: Shibboleth idp and CAS

> The sp does try to access the -idp/AA but has SSL problems -
> the error log from the sp side:

That's not something that would pertain to use of CAS per se, so something else is different.

> 2006-12-12 11:58:19 DEBUG Shibboleth.Trust.Shibboleth [1110]
> sessionGet: performing certificate path validation...
> 2006-12-12 11:58:19 DEBUG Shibboleth.Trust.Shibboleth [1110]
> sessionGet: failed to validate certificate chain using
> KeyAuthority extensions

That's your issue, the SP isn't happy with your AA's SSL cert. If it's shibtest, then you get handed a key/cert to use for your IdP to use and if it doesn't match what's in the metadata the SP has, it won't work. shibtest is looking for an exact match to what it handed you initially. The path validation above is just a fall-back that it tried because it didn't match.

-- Scott

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
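The exact-match condition described in the quoted reply can be checked offline before involving the SP. The following is an added example, not code from the thread or from the Shibboleth project: it compares a PEM certificate with every `ds:X509Certificate` embedded in a metadata document. The function names, the entityID, the metadata layout and the placeholder bytes standing in for DER certificates are all assumptions made for illustration, and the fall-back path validation is not modelled.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSig namespace of ds:X509Certificate

def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to raw DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def metadata_fingerprints(metadata_xml: str) -> set:
    """SHA-256 fingerprint of every ds:X509Certificate embedded in the metadata."""
    prints = set()
    for el in ET.fromstring(metadata_xml).iter(f"{{{DS_NS}}}X509Certificate"):
        der = base64.b64decode("".join((el.text or "").split()))  # undo line wrapping
        prints.add(hashlib.sha256(der).hexdigest())
    return prints

def cert_matches_metadata(server_pem: str, metadata_xml: str) -> bool:
    """True only if the served certificate is byte-for-byte one listed in the metadata."""
    served = hashlib.sha256(pem_to_der(server_pem)).hexdigest()
    return served in metadata_fingerprints(metadata_xml)

# --- constructed sample data: placeholder bytes stand in for DER certificates ---
def to_pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

ISSUED_DER = b"constructed placeholder: cert issued together with the metadata"
REPLACED_DER = b"constructed placeholder: commercial cert installed later"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="{DS_NS}" entityID="https://idp.example.org/shibboleth">
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {base64.b64encode(ISSUED_DER).decode()}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print("issued cert matches:  ", cert_matches_metadata(to_pem(ISSUED_DER), SAMPLE_METADATA))
    print("replaced cert matches:", cert_matches_metadata(to_pem(REPLACED_DER), SAMPLE_METADATA))
```

With real files, pass the contents of the certificate the AA endpoint serves and the metadata the SP has loaded; a `False` result corresponds to the mismatch case the reply describes.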
