
RE: Shibboleth idp and CAS: msg#00080

java.jasig.cas.user

Subject: RE: Shibboleth idp and CAS

Scott,

I'm not sure I understand.
First of all, my problem happens with both testshib and another sp. Both work
just fine without CAS involved.

So are you saying that shibboleth (on the sp side) is looking for my SSL
certificate to be what is in the metadata? So if I get a 'real' certificate
(like VeriSign) I will need to put that certificate into the metadata for
the sp to validate against?

Thanks, Pat

-----Original Message-----
From: Scott Cantor [mailto:cantor.2-ZbGKxL/pcrQ@xxxxxxxxxxxxxxxx]
Sent: Tuesday, December 12, 2006 2:26 PM
To: shibboleth-users-H4aWS73dXup+qImEYqgU8Q@xxxxxxxxxxxxxxxx;
cas-c5E7yoNEsvRIM2btvs0Z1A@xxxxxxxxxxxxxxxx
Subject: RE: Shibboleth idp and CAS

> The sp does try to access the -idp/AA but has SSL problems -
> the error log from the sp side:

That's not something that would pertain to use of CAS per se, so something
else is different.

> 2006-12-12 11:58:19 DEBUG Shibboleth.Trust.Shibboleth [1110]
> sessionGet: performing certificate path validation...
> 2006-12-12 11:58:19 DEBUG Shibboleth.Trust.Shibboleth [1110]
> sessionGet: failed to validate certificate chain using
> KeyAuthority extensions

That's your issue, the SP isn't happy with your AA's SSL cert. If it's
shibtest, then you get handed a key/cert to use for your IdP to use and if
it doesn't match what's in the metadata the SP has, it won't work.

shibtest is looking for an exact match to what it handed you initially. The
path validation above is just a fall-back that it tried because it didn't
match.

-- Scott
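
The check described in the reply above, sketched as an added example that is not part of the original thread and not Shibboleth's own code: it pulls the certificates listed for an IdP's AttributeAuthorityDescriptor out of SAML metadata and tests whether the certificate served on the AA port is one of them. Comparing whole certificate bytes is an assumption standing in for the SP's "exact match"; the entityID and the placeholder certificate bytes are constructed sample data.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def metadata_aa_fingerprints(metadata_xml: str, entity_id: str) -> set:
    """Fingerprints of the certificates listed for one entity's AA role."""
    found = set()
    root = ET.fromstring(metadata_xml)
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ent.get("entityID") != entity_id:
            continue
        for kd in ent.findall("md:AttributeAuthorityDescriptor/md:KeyDescriptor", NS):
            if kd.get("use") == "encryption":  # not a TLS/signing credential
                continue
            for node in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                b64 = "".join((node.text or "").split())  # metadata wraps base64
                found.add(fingerprint(base64.b64decode(b64)))
    return found

def served_cert_matches(metadata_xml: str, entity_id: str, served_pem: str) -> bool:
    """True if the certificate the AA serves is byte-identical to one in metadata."""
    der = ssl.PEM_cert_to_DER_cert(served_pem)
    return fingerprint(der) in metadata_aa_fingerprints(metadata_xml, entity_id)

# Constructed sample data: placeholder bytes stand in for DER certificates.
ENTITY_ID = "https://idp.example.org/shibboleth"
ISSUED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder: cert issued with the metadata")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder: different cert on the AA port")
B64 = "\n          ".join(ISSUED_PEM.strip().splitlines()[1:-1])
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{ENTITY_ID}">
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    # In practice served_pem would come from ssl.get_server_certificate((host, port)).
    print("issued cert matches:", served_cert_matches(SAMPLE_METADATA, ENTITY_ID, ISSUED_PEM))
    print("other cert matches: ", served_cert_matches(SAMPLE_METADATA, ENTITY_ID, OTHER_PEM))
```

A mismatch here means the SP has nothing in metadata to pin the served certificate to, which is the point at which the log above shows it falling back to path validation.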