
Description

There is a scheduled job, "Refresh MultiSSO IDP Metadata", that uses the URL defined in the "IDP Metadata URL" field of each IdP record to retrieve that IdP's SAML metadata XML and automatically create new x509 certificate records for any certificates the metadata contains.

However, if the TLS certificate presented by the host serving the Metadata URL cannot be validated, the job cannot connect to that URL and fails with an error such as:

2020-01-20 00:10:42 (069) worker.5 worker.5 txid=374803001ba6 SEVERE *** ERROR *** *** Script: Could not load Metadata from the url <IDP METADATA URL>

Release or Environment

New York

Cause

The scheduled job transaction will have the following error:

Cannot connect to the URL <IDP METADATA URL>: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated: sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450)
com.glide.communications.GlideSSLProtocolSocketFactory.verifyHostname(GlideSSLProtocolSocketFactory.java:197)
com.glide.communications.GlideSSLProtocolSocketFactory.createSocket(GlideSSLProtocolSocketFactory.java:172)
org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
...


The metadata can still be retrieved in the Chrome browser, but Chrome likewise warns that there is a problem with the site's certificate. The verifyHostname frame in the trace shows the platform rejecting the certificate during TLS peer verification (for example an untrusted or incomplete chain, an expired certificate, or a hostname that does not match), which is the expected behaviour: the job will not import certificates from a connection whose peer it cannot authenticate.


Resolution

Provide the report from the SSL Labs server test for the IdP host to your Identity Provider admin so they can review and address the certificate issue:
http://ssllabs.com/ssltest/analyze.html?d=<IDP HOST>&latest

In the interim, if you want the errors to stop appearing, you can disable the "Refresh MultiSSO IDP Metadata" scheduled job, or clear the "IDP Metadata URL" field in the respective IdP record.

**Note: If the job is disabled or the Metadata URL is removed, you will need to update the x509 certificates on the IdP record manually and coordinate certificate changes with the IdP admin.**
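The following script is an added example (not ServiceNow's code) that reproduces the two things the scheduled job does, so the failure can be diagnosed outside the instance: it opens a TLS connection to the metadata host with a strict context (chain validation against the system trust store plus hostname verification, the checks behind "peer not authenticated"), and, if that succeeds, parses the SAML metadata and lists the signing certificates the job would import. The metadata URL, the host `idp.example.test` and the sample metadata are constructed for illustration; the certificate bodies in the sample are placeholders, not real DER.

```python
"""Diagnose an "IDP Metadata URL" the way the refresh job sees it (added example)."""
import socket
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_tls(url, timeout=10.0):
    """Return a dict saying whether the metadata host's certificate verifies.

    ssl.create_default_context() enforces CERT_REQUIRED against the system trust
    store and hostname verification; the failures it raises (untrusted chain,
    expired certificate, name mismatch) are the class of failure the job reports.
    Nothing here relaxes verification.
    """
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "host": host, "notAfter": cert.get("notAfter"),
                        "subject": cert.get("subject"), "error": None}
    except ssl.SSLCertVerificationError as exc:
        # The case this article is about: pass OpenSSL's verify message to the IdP admin.
        return {"ok": False, "host": host, "notAfter": None, "subject": None,
                "error": f"{exc.reason}: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "host": host, "notAfter": None, "subject": None,
                "error": str(exc)}


def fetch_metadata(url, timeout=10.0):
    """Download the metadata XML over a strictly verified TLS connection."""
    with urllib.request.urlopen(url, timeout=timeout,
                                context=ssl.create_default_context()) as resp:
        return resp.read()


def extract_signing_certs(metadata_xml):
    """Return the base64 X509Certificate bodies the IdP publishes for signing.

    Only KeyDescriptors under IDPSSODescriptor count. use="encryption" keys are
    skipped; a KeyDescriptor with no use attribute is valid for both and is kept.
    Whitespace inside the base64 text is stripped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            if node.text:
                certs.append("".join(node.text.split()))
    return certs


# Constructed sample metadata; certificate bodies are placeholders, not real DER.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBsigning
        AAAA
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBenc</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBboth</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def diagnose(url):
    """Run both steps against a live URL and report what the job would have done."""
    tls = check_tls(url)
    if not tls["ok"]:
        print(f"TLS verification FAILED for {tls['host']}: {tls['error']}")
        print("The refresh job will keep failing until the IdP corrects this.")
        return tls, []
    certs = extract_signing_certs(fetch_metadata(url))
    print(f"TLS ok (expires {tls['notAfter']}); {len(certs)} signing certificate(s) found")
    return tls, certs


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        diagnose(sys.argv[1])  # e.g. https://idp.example.test/saml/metadata (hypothetical)
    else:
        print(extract_signing_certs(SAMPLE_METADATA))
```

Run it with the value from the "IDP Metadata URL" field as the only argument. A `CERTIFICATE_VERIFY_FAILED` result with the OpenSSL verify message (self-signed certificate, certificate has expired, hostname mismatch, unable to get local issuer certificate) is the detail to hand to the IdP admin alongside the SSL Labs report; the script deliberately offers no switch to skip verification, because an unverified fetch would let whoever can intercept the connection supply the signing certificate that gets imported.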

Article Information

Last Updated:2020-01-20 09:14:04
Published:2020-01-20