Secure One Services Group


ProxySG | Configuration SAML authenticate has issue "% Failed to import metadata: SSL initialization failed - check the server certificate."

  • 1.  ProxySG | Configuration SAML authenticate has issue "% Failed to import metadata: SSL initialization failed - check the server certificate."

    Posted Jan 14, 2018 01:52 AM

    Dear All,

    I found an issue with the configuration of SAML authentication realms, as below. I have done the import of the IDP Certificate, Root CA, and BlueCoat Certificate into browser-trusted.

    Blue Coat SG300 Series#(config);;Begin SAML Settings
    Blue Coat SG300 Series#(config)security saml edit-realm SALM_2
    Blue Coat SG300 Series#(config saml SALM_2)federated-idp import-metadata "https://adfs.abc.com/FederationMetadata/2007-06/FederationMetadata.xml" no-verify-server
    % Failed to import metadata: SSL initialization failed - check the server certificate.

    Blue Coat SG300 Series#(config saml SALM_2)encryption keyring "SAML_Cert_Authen"
      ok
    Blue Coat SG300 Series#(config saml SALM_2)ssl-device-profile SSL_devices_profile_SAML
      ok
    Blue Coat SG300 Series#(config saml SALM_2)exit
    Blue Coat SG300 Series#(config);;End SAML Settings

    - The configuration SAML Realm -

    Please advise me.


    Best Regards,

    T.Jitrak




  • 2.  RE: ProxySG | Configuration SAML authenticate has issue "% Failed to import metadata: SSL initialization failed - check the server certificate."

    Posted Jan 15, 2018 02:02 AM

    Hi Teerasak,


    The error points to something with the server certificate (maybe trust?). Double check that you are able to fetch the metadata from the URL that you are using. A pcap should reveal the connection attempt from the proxy to the server. If you are still not able to fix this, I would recommend a TAC case for a detailed check.



  • 3.  RE: ProxySG | Configuration SAML authenticate has issue "% Failed to import metadata: SSL initialization failed - check the server certificate."

    Posted Jan 15, 2018 03:19 AM

    My guess would be that your internal server is using a certificate which you don't trust on the ProxySG.

    Import the signing root CA into the ProxySG and make sure it is part of the proper CA list. (Doing the first but failing the other will still get you the failure.)
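The check the two replies describe (can the metadata server's certificate be validated against the CA list the proxy actually consults?) can be rehearsed off the appliance with openssl. The script below is an added example and is not from this thread, from Blue Coat/Symantec, or from the ProxySG itself. Everything in it is constructed: a throwaway root CA standing in for the CA that signed the ADFS server certificate, a second unrelated root standing in for "the wrong CA list", and a leaf certificate for the placeholder hostname adfs.example.invalid. It only assumes that openssl is installed; no live server is contacted.

```shell
#!/bin/sh
# Added example (not from the thread or the vendor): reproduce the trust check
# from the replies with openssl, using only constructed throwaway certificates.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA certificate and key.
# $1 = output basename under $WORK, $2 = subject CN.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a leaf (server) certificate signed by the named root.
# $1 = root basename, $2 = server CN (placeholder hostname here).
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -set_serial 1 -days 1 \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Verify a certificate against ONLY the given CA file. -no-CApath disables the
# system store, so the outcome depends on that single CA list, the way a realm's
# TLS connection depends on the CA list in the SSL device profile it references.
# $1 = certificate basename, $2 = CA file basename.
# Prints "trusted" or "untrusted" and returns 0 or 1 accordingly.
verify_against() {
    if openssl verify -no-CApath -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
        echo trusted
        return 0
    else
        echo untrusted
        return 1
    fi
}

make_root signing-root "Constructed Signing Root CA"
make_root other-root "Constructed Unrelated Root CA"
make_leaf signing-root adfs.example.invalid

# Same server certificate, two CA lists. The signing root has been "imported"
# (it exists on disk) in both cases; validation only succeeds when it is in the
# list that is actually consulted, which is the point of the second reply.
verify_against server other-root || true    # untrusted: root not in this list
verify_against server signing-root          # trusted
```

To apply the same check to a real metadata endpoint, obtain the chain the server presents (for example with `openssl s_client -connect host:443 -showcerts` from a host that is allowed to reach it) and run `openssl verify` on the leaf with `-CAfile` pointing at the CA list the realm's SSL device profile uses. A failure there narrows the ProxySG error to chain trust; a success suggests looking at the other realm settings (keyring, device profile) instead.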