Hello Vitaly,
Our configuration is the following:
- Hbxie.dll 1.0.0.9 you sent me on 19/09/2009 in HSS_g3.zip.
- The certificate of the server (souscriptionflash) is signed by an “Intermediate Certificate”, the “Intermediate Certificate” is signed by our root certificates.
- The certificate chain is valid, IE says OK, CardSpace says OK.
- Running through proxy or not does not change the behavior.
Here is a summary.
- XP-SP3 - IE-6: the RP certificate (souscriptionflash) is written in switcher.log, the selector retrieves it.
- XP-SP3 - IE-7: no RP certificate in switcher.log.
- XP-SP2 - IE-7, another machine: the RP certificate is written in switcher.log, the selector retrieves it.
Thanks for your help
Philippe.
From: Vitaliy Lakhno [mailto:vlakhno@xxxxxxxxxxxxxx]
Sent: Tuesday, 29 September 2009 14:14
To: PASQUIER thomas
Cc: Higgins (Trust Framework) Project developer discussions; Smadja Philippe
Subject: Re: [I-Card Selector Switch]Server certificate not transmit to Selector
Hello,
Thanks for feedback.
A rough estimate of this issue is that HBX (IE add-on) is not able to create
certificate chain properly, maybe because there are invalid certificates
(Untrusted) on the sites (https://souscriptionflash.orange.telecom.test.fc2consortium.org/
and https://ej.ds.bancaire.test.fc2consortium.org).
Sometimes, it can cause an issue.
Also, could you provide me with some information:
* Can you see the "azigo encountered an error when verifying the identity of
the site and cannot continue." message box when the certificate chain is
missing?
* Could you tell me the hbxie.dll version? (AZIGO_BIN/hbxie.dll -> Context
Menu -> Properties -> Version -> File version)
* Does that computer have a direct connection to the Internet, or does it go through a proxy
server (if yes, is it auto-proxy or are the proxy settings set manually in IE)?
Thanks.
--------------------------------
Vitaliy Lakhno
PASQUIER thomas wrote:
Hi Vitaly,
We encounter a bug that we are not able to reproduce
for the moment: on one of our computers the server certificate is not sent to
the selector (it’s sent sometimes, but we can’t figure out if there
is any reason for the switch selector to send it or not). Switching between
selectors doesn’t modify the behavior of the switch selector.
We met this bug under Internet Explorer 7 and Windows
XP SP3; we used Firefox 3.x on the same computer, at the same time, and met no
problem.
Working request:
<hbx_request>
<object_name>xmltoken</object_name>
<document_URL>https://souscriptionflash.orange.telecom.test.fc2consortium.org/FC2Flash/SouscriptionFlash.do%3foperation=initPage3</document_URL>
<parameters>
<parameter name="TokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"/>
<parameter name="certificate" value="MIIFkzCCBHugAwIBAgIIc2ew1GBhLWwwDQYJKoZIhvcNAQEFBQAwWzEhMB8GA1UEAwwYRkMyIHN1…MIIE+zCCA+OgAwIBAgII…"/>
<parameter name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://www.fc2consortium.org/ws/2008/10/identity/claims/cnienumber
http://www.fc2consortium.org/ws/2008/10/identity/claims/civility
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country
http://www.fc2consortium.org/ws/2008/10/identity/claims/placeofbirth
http://www.fc2consortium.org/ws/2008/10/identity/claims/departmentofbirth
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress "/>
<parameter name="issuer" value="https://ip-idservices.orange.gouv.test.fc2consortium.org/BanditIdP/services/Trust"/>
<parameter name="issuerPolicy" value=""/>
<parameter name="privacyUrl" value=""/>
<parameter name="privacyVersion" value="0"/>
</parameters>
</hbx_request>
Not Working Request:
<hbx_request>
<object_name>xmlToken</object_name>
<document_URL>https://ej.ds.bancaire.test.fc2consortium.org:6443/RPEnqueteJudiciaire/</document_URL>
<parameters>
<parameter name="TokenType" value="urn:oasis:names:tc:SAML:1.0:assertion"/>
<parameter name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
https://idp.ds.interieur.test.fc2consortium.org/ws/2005/05/identity/claims/qualite
https://idp.ds.interieur.test.fc2consortium.org/ws/2005/05/identity/claims/parquet
https://idp.ds.interieur.test.fc2consortium.org/ws/2005/05/identity/claims/employeenumber
https://idp.ds.interieur.test.fc2consortium.org/ws/2005/05/identity/claims/telephonenumber
https://idp.ds.interieur.test.fc2consortium.org/ws/2005/05/identity/claims/service
https://idp.ds.interieur.test.fc2consortium.org/ws/2005/05/identity/claims/grade
https://idp.ds.interieur.test.fc2consortium.org/ws/2005/05/identity/claims/competence
"/>
<parameter name="issuer" value=""/>
<parameter name="issuerPolicy" value=""/>
<parameter name="privacyUrl" value=""/>
<parameter name="privacyVersion" value="0"/>
</parameters>
</hbx_request>
Best regards,
Tel: +33 1 55 01 60 69
6 rue de la Verriere
92197 Meudon Cedex
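An added triage example, not part of the original thread and not Higgins or Azigo code: it parses two `hbx_request` documents in the shape quoted above, reports whether the `certificate` parameter reached the selector, and lists which parameters differ between a working and a failing request. The sample requests and hosts are constructed, and treating the certificate value as base64-encoded DER is an assumption.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

def parse_request(xml_text):
    """Return (object_name, document_URL, {parameter name: value})."""
    root = ET.fromstring(xml_text)
    if root.tag != "hbx_request":
        raise ValueError("not an hbx_request: %r" % root.tag)
    params = {p.get("name"): p.get("value", "") for p in root.iter("parameter")}
    return root.findtext("object_name", ""), root.findtext("document_URL", ""), params

def certificate_status(params):
    """Classify the 'certificate' parameter of one request."""
    if "certificate" not in params:
        return "missing"
    value = "".join(params["certificate"].split())
    if not value:
        return "empty"
    try:
        # Assumption: the value is base64 DER. Only the first 4 characters
        # are decoded, so a truncated or concatenated chain is still classified.
        head = base64.b64decode(value[:4], validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    return "present" if head[:1] == b"\x30" else "not-der"  # 0x30 = DER SEQUENCE

def diff_parameters(working, failing):
    """Return (names only in working, names only in failing, names whose values differ)."""
    only_w = sorted(set(working) - set(failing))
    only_f = sorted(set(failing) - set(working))
    changed = sorted(k for k in set(working) & set(failing) if working[k] != failing[k])
    return only_w, only_f, changed

# Constructed sample data (not the requests from the thread).
SAMPLE_CERT = base64.b64encode(b"\x30\x82\x00\x04\x02\x02\x00\x01").decode()
WORKING = """<hbx_request><object_name>xmltoken</object_name>
<document_URL>https://rp-a.example.test/page</document_URL><parameters>
<parameter name="TokenType" value="urn:example:token-a"/>
<parameter name="certificate" value="%s"/>
<parameter name="issuer" value="https://idp.example.test/Trust"/>
</parameters></hbx_request>""" % SAMPLE_CERT
FAILING = """<hbx_request><object_name>xmlToken</object_name>
<document_URL>https://rp-b.example.test:6443/app/</document_URL><parameters>
<parameter name="TokenType" value="urn:example:token-b"/>
<parameter name="issuer" value=""/>
</parameters></hbx_request>"""

if __name__ == "__main__":
    for label, text in (("working", WORKING), ("failing", FAILING)):
        _, url, params = parse_request(text)
        print(label, url, certificate_status(params))
    print(diff_parameters(parse_request(WORKING)[2], parse_request(FAILING)[2]))
```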