The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
InvalidCredential
Invalid credential.
Summary
The SP has provided invalid credentials while contacting the IdP using a callback in the background.
A callback from the SP to the IdP is made in the background to dereference the artifact or to perform an attribute query. The SP needs to identify itself to the IdP when it makes a callback. The certificate specified in ShibbolethXml is used for SSL client certificate authentication to the IdP. This error means that the IdP trusts the certificate, but its CN does not match the CN that is specified in the MetaData at the IdP for this providerId.
Possible Causes and Solutions
Check IdP logs for these lines:
cannot match certificate subject against acceptable key names based on the metadata entityId or KeyDescriptors Supplied TLS credential (<certificate_data>)
Look at the CN= in the <certificate_data>. The MetaData entry at the IdP for this entityId/providerId should contain a matching <KeyName> element to fix this error (or change the certificate to another CN).
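The check described above can be done offline before touching the IdP. The following is an added example, not part of the original Shibboleth documentation or code: it takes the subject from the log line and compares its CN against the <KeyName> elements listed for the entityId. The sample metadata and certificate subjects are constructed, and the SAML 2.0 metadata layout, the function names and the exact-match comparison are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample metadata; the SAML 2.0 metadata layout is an assumption.
SAMPLE_METADATA = """\
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <KeyDescriptor>
        <ds:KeyInfo><ds:KeyName>sp.example.org</ds:KeyName></ds:KeyInfo>
      </KeyDescriptor>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

def subject_cn(subject_dn):
    """Return the CN of a comma-separated subject DN, or None if it has none."""
    m = re.search(r"(?:^|,)\s*CN=((?:\\.|[^,\\])+)", subject_dn, re.IGNORECASE)
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip() if m else None

def key_names(metadata_xml, entity_id):
    """List the <ds:KeyName> values for entity_id, or None if it is not listed."""
    root = ET.fromstring(metadata_xml)  # parse only metadata you already trust
    for entity in root.iter(MD + "EntityDescriptor"):
        if entity.get("entityID") == entity_id:
            return [kn.text.strip()
                    for kd in entity.iter(MD + "KeyDescriptor")
                    for kn in kd.iter(DS + "KeyName") if kn.text]
    return None

def check_credential(metadata_xml, entity_id, subject_dn):
    """Classify why a TLS client certificate would or would not be accepted."""
    names = key_names(metadata_xml, entity_id)
    if names is None:
        return "no-entity"      # entityId/providerId missing from the metadata
    cn = subject_cn(subject_dn)
    if cn is None:
        return "no-cn"          # the subject carries no CN to compare
    # Exact comparison is an assumption about how the IdP compares names.
    return "match" if cn in names else "mismatch"

if __name__ == "__main__":
    for dn in ("CN=sp.example.org, O=Example", "CN=www.example.org, O=Example"):
        print(dn, "->", check_credential(
            SAMPLE_METADATA, "https://sp.example.org/shibboleth", dn))
```

A "mismatch" result corresponds to the InvalidCredential case on this page; "no-entity" points at a wrong or missing providerId rather than a wrong CN.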