Troubleshoot Certificate Signature Verification for Back Channel Communication

Federation Manager Guide › Key and Certificate Management to Secure Federation Messages › CA Certificate Usage › Troubleshoot Certificate Signature Verification for Back Channel Communication

Troubleshoot Certificate Signature Verification for Back Channel Communication

Symptom:

HTTP-Artifact is the profile in use for single sign-on. The asserting party is communicating to the relying party over an SSL back channel. The relying party must verify the signature of the server certificate at the asserting party to communicate over the SSL back channel.

The following error is logged for a failure to verify the signature of the server certificate:

[Dispatcher object thrown unknown exception while processing the request message. Message: Certificate not verified..]

Solution:

The relying party must import the root CA certificate into the certificate data store. This certificate is required to verify the signature of the server certificate at the asserting party. For verification, import the root CA that signed the server certificate.

Verify the following information about the CA certificate that is imported for verification:

Does the root CA certificate have the same issuer and subject DN? If not, the certificate is an intermediary root CA. Import all root CA certificates in the trusted chain.
Check that the issuer of the asserting party server certificate matches the subject and issuer of the root CA you have imported.