I2 Oracle RP with FUGEN IDP

From OSIS Open Source Identity Systems

FUGEN IDP seems to be using EV Certificate. IE7 is having issues trusting the FUGEN site certificate. Also, after getting the card when tried to install it to cardspace, it crashed.

An error occurred during the import of a card. Errors in reading the imported card file.

Inner Exception: The X.509 certificate is both not chain trusted and peer trusted. Chain trust error(s): The X.509 certificate CN=fugenmisp.federationportal.com, O=FuGen Solutions Inc., L=Sunnyvale, S=California, C=US; 8C5B30160548B819AA8BE4DD29438C77DBB889F7 chain building failed. The certificate that was used has a trust chain that cannot be verified. An internal certificate chaining error has occurred.

The revocation function was unable to check revocation for the certificate.
The revocation function was unable to check revocation because the revocation server was offline.
 Peer trust error(s): The X.509 certificate CN=fugenmisp.federationportal.com, O=FuGen Solutions Inc., L=Sunnyvale, S=California, C=US is not in the trusted people store.


Additional Information: Microsoft.InfoCards.ImportException: Errors in reading the imported card file. ---> Microsoft.InfoCards.IdentityValidationException: The X.509 certificate is both not chain trusted and peer trusted. Chain trust error(s): The X.509 certificate CN=fugenmisp.federationportal.com, O=FuGen Solutions Inc., L=Sunnyvale, S=California, C=US; 8C5B30160548B819AA8BE4DD29438C77DBB889F7 chain building failed. The certificate that was used has a trust chain that cannot be verified. An internal certificate chaining error has occurred.

The revocation function was unable to check revocation for the certificate.
The revocation function was unable to check revocation because the revocation server was offline.
 Peer trust error(s): The X.509 certificate CN=fugenmisp.federationportal.com, O=FuGen Solutions Inc., L=Sunnyvale, S=California, C=US is not in the trusted people store.
  at

Vijay provided instructions on how to import the EV cert into the Windows XP cert store. However, while testing this scenario, we ran into an issue with an incompatible SAML confirmation-type value ("sender-vouches"). FUGEN is the only IDP that sets this confirmation type, whereas the others set either BEARER (for managed/username token) or HOLDER-OF-KEY (for managed/self-signed). The Oracle RP rejects the sender-vouches confirmation type because the trust semantics do not match.

Tested by Ramana Turlapati Oct 23, 7pm PDT


FuGen fixed the SAML confirmation type behavior. It now asserts SAML "Bearer" assertions. The Oracle RP works with the FuGen IDP now.

Tested by Ramana Turlapati Oct 29, 10:25a PDT
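The confirmation-type mismatch above and the fix that followed both come down to what the RP finds in the assertion's SubjectConfirmation. The following is an added example (not code from the Oracle RP, FuGen or OSIS) of an RP-side check that extracts the confirmation method from a SAML 1.1 or SAML 2.0 assertion and applies a policy like the one described on this page: bearer and holder-of-key are accepted, sender-vouches is rejected. The sample assertions, the issuer URL and the policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Standard SAML 1.x / 2.0 subject confirmation method URIs.
BEARER = {"urn:oasis:names:tc:SAML:1.0:cm:bearer", "urn:oasis:names:tc:SAML:2.0:cm:bearer"}
HOLDER_OF_KEY = {"urn:oasis:names:tc:SAML:1.0:cm:holder-of-key",
                 "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"}
SENDER_VOUCHES = {"urn:oasis:names:tc:SAML:1.0:cm:sender-vouches",
                  "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"}

# Hypothetical RP policy mirroring the page: sender-vouches is not accepted because
# the RP has no trust relationship with the party that "vouches" for the subject.
ACCEPTED = BEARER | HOLDER_OF_KEY


def confirmation_methods(assertion_xml):
    """Return the set of confirmation method URIs found in a SAML 1.1 or 2.0 assertion."""
    methods = set()
    for el in ET.fromstring(assertion_xml).iter():
        tag = el.tag.split("}")[-1]                      # strip the namespace prefix
        if tag == "ConfirmationMethod" and el.text:      # SAML 1.x: element text
            methods.add(el.text.strip())
        elif tag == "SubjectConfirmation" and el.get("Method"):  # SAML 2.0: attribute
            methods.add(el.get("Method"))
    return methods


def check_confirmation(assertion_xml):
    """Return (accepted, reason) for the RP's subject-confirmation policy."""
    methods = confirmation_methods(assertion_xml)
    if not methods:
        return False, "no SubjectConfirmation in assertion"
    rejected = methods - ACCEPTED
    if rejected:
        return False, "unsupported confirmation method(s): " + ", ".join(sorted(rejected))
    return True, "ok: " + ", ".join(sorted(methods))


# Constructed SAML 1.1 assertion of the kind the IDP sent before the fix.
SAML11_SENDER_VOUCHES = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_example" Issuer="https://idp.example/">
  <saml:AttributeStatement><saml:Subject><saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
  </saml:SubjectConfirmation></saml:Subject></saml:AttributeStatement>
</saml:Assertion>"""
# Same assertion after the fix (bearer), and a constructed SAML 2.0 holder-of-key case.
SAML11_BEARER = SAML11_SENDER_VOUCHES.replace("cm:sender-vouches", "cm:bearer")
SAML2_HOK = ('<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
             'ID="_x" IssueInstant="2008-10-29T17:25:00Z"><saml2:Subject><saml2:SubjectConfirmation '
             'Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"/></saml2:Subject></saml2:Assertion>')

if __name__ == "__main__":
    for name, xml in [("sender-vouches", SAML11_SENDER_VOUCHES), ("bearer", SAML11_BEARER), ("hok", SAML2_HOK)]:
        print(name, check_confirmation(xml))
```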