The Metadata - Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual

Identity server guide
using test certificates. When you change these certificates or change from using HTTP to HTTPS,
you need to make sure that the trusted relationship is reestablished. Metadata is used for establishing
trusted relationships.
The metadata exchanged between service providers and identity providers contains public key
certificates, key descriptors for message signing, a URL for the SSO service, a URL for the SLO
(single logout) service, and so on. With Access Manager, this metadata is accessible on both the
Identity Server and the Access Gateway. An error is generated when the identity provider cannot load
the service provider's metadata (100101043) or when the service provider cannot load the metadata of
the identity provider (100101044).
If users are receiving either of these errors when they attempt to log in, verify the following:
Section 12.2.1, "The Metadata," on page 276
Section 12.2.2, "DNS Name Resolution," on page 277
Section 12.2.3, "Certificate Names," on page 278
Section 12.2.4, "Certificates in the Required Trust Stores," on page 279
Section 12.2.5, "Certificates in the Correct Certificate Store," on page 280
If these steps do not solve your problem, try the following:
Section 12.2.6, "Enabling Debug Logging," on page 281
Section 12.2.7, "Testing Whether the Provider Can Access the Metadata," on page 283
Section 12.2.8, "Manually Creating Any Auto-Generated Certificates," on page 283
For information about the metadata validation process and the flow of events that occur when
accessing a protected resource on the Access Gateway, see
100101044 Errors in Access Manager (http://www.novell.com/coolsolutions/appnote/19456.html).
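The fields listed above (signing certificates, SSO and SLO locations) are what a provider reads when it loads its peer's metadata, and an endpoint that still carries the old base URL or the old HTTP scheme is exactly what leaves the trusted relationship broken after a change. The following is an added example, not code from the Access Manager guide or product: it assumes the metadata is SAML 2.0 EntityDescriptor XML, and the sample document, hostnames, paths and certificate value are constructed for illustration.

```python
"""Inspect SAML 2.0 provider metadata for the fields a trust relationship depends on."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata for a hypothetical identity provider (not a real deployment).
# Its SLO endpoint still points at http:// after a move to HTTPS, the stale-metadata case.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB_CONSTRUCTED_CERT_PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_metadata(xml_text, expected_base_url):
    """Return entityID, signing certs and endpoints, plus problems that would break trust."""
    root = ET.fromstring(xml_text)
    role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        raise ValueError("metadata has neither an IDPSSODescriptor nor an SPSSODescriptor")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append("".join(cert.text.split()))  # drop PEM line breaks
    endpoints = {}
    for tag in ("SingleSignOnService", "SingleLogoutService", "AssertionConsumerService"):
        for ep in role.findall(f"md:{tag}", NS):
            endpoints.setdefault(tag, []).append(ep.get("Location"))
    problems = []
    if not signing_certs:
        problems.append("no signing certificate: the peer cannot verify signed messages")
    for tag, locations in endpoints.items():
        for loc in locations:
            if not loc.startswith(expected_base_url):
                problems.append(f"{tag} {loc} does not match base URL {expected_base_url}")
    return {"entity_id": root.get("entityID"), "signing_certs": signing_certs,
            "endpoints": endpoints, "problems": problems}
```

Running `inspect_metadata(SAMPLE_METADATA, "https://idp.example.test/")` reports the http:// SLO location as the one mismatch, which is the kind of stale entry a metadata re-import resolves.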

12.2.1 The Metadata

If you change the base URL of the Identity Provider, all service providers, including Embedded
Service Providers, need to be updated so that they use the new metadata:
"Embedded Service Provider Metadata" on page 276
"Service Provider Metadata" on page 277
Embedded Service Provider Metadata
If you change the base URL of the Identity Provider, all Access Manager devices that have an
Embedded Service Provider need to be updated so that new metadata is imported. To force a
re-import of the metadata, you need to configure the device so it doesn't have a trusted relationship
with the Identity Server, update the device, reconfigure the device for a trusted relationship, then
update the device. The following steps explain how to do this for an Access Gateway.
1 In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxies/Authentication.
2 Select None for the Identity Server Cluster option, click OK twice, then update the Access Gateway.
276 Novell Access Manager 3.1 SP1 Identity Server Guide