ERROR: SAML2 :: process() : Authentication Error com.sun.identity.saml2.common.S

This topic contains 9 replies, has 3 voices, and was last updated by  Peter Major 8 months ago.

  • #15410
     adiVerint 
    Participant

    Hi all
    I’m looking for a solution and perhaps you have it. I configured OpenAM as a hosted SP with ADFS on a remote machine as the IdP (remote IdP).
    I followed the steps in this guide :
    https://backstage.forgerock.com/docs/openam/13/admin-guide/chap-federation#saml2-integrated-mode-sso-procedure

    and still, when I try to log in (IdP- or SP-initiated), I get an exception from OpenAM:
    ERROR: SAML2 :: process() : Authentication Error
    com.sun.identity.saml2.common.SAML2Exception: Null input. at com.sun.identity.saml2.common.QuerySignatureUtil.sign(QuerySignatureUtil.java:84)…..

    Any thoughts ?
    Thank you all

    #15415
     Scott Heger 
    Participant

    Kick up your debug level to Message and try again. That will log more information to the Federation debug log which will help resolve faster.

    #15422
     adiVerint 
    Participant

    My logs are on msg but still this is the only msg that appear in the logs.

    #15436
     Peter Major 
    Moderator

    Null input error message means that the private key is missing for the querystring signature. Most likely you have configured a non-existent private key alias for signatures on the hosted SP setting, or you have provided incorrect password to the keystore or the private key.

    #15439
     adiVerint 
    Participant

    I configured it with a certificate of openAM machine (sha2) in the openam keystore. Is it taking the private key from there ?
    Where does it take the private key from ?

    #15441
     Peter Major 
    Moderator

    The keystore file is the one defined under Configuration – Servers and Sites – Default Server Settings – Security – Keystore File. In XUI the path would be Configuration – Server Defaults – Security – Key Store.

    #15442
     adiVerint 
    Participant

    I know. The question is where the private key is taken from. If the same certificate has been placed everywhere, what can be the reason the private key is missing or wrong?

    #15443
     Peter Major 
    Moderator

    The private key is obtained from the Keystore. You should make sure that your Keystore contains a PrivateKeyEntry and not a trustedCertEntry. You can run the following command:
    keytool -list -keystore openam/openam/keystore.jks
    or
    keytool -list -keystore openam/openam/keystore.jceks -storetype JCEKS

    #15447
     adiVerint 
    Participant

    Thank you for your advice! I inserted the key as a PrivateKeyEntry and configured my SP in OpenAM to use it for signing (I have nothing in encryption). I keep getting this error:
    SPSSOFederate: certAlias :1
    libSAML:01/19/2017 06:58:49:277 PM IST: Thread[http-apr-29303-exec-7,5,main]: TransactionId[a408138f-551e-4773-90fc-ca6af112824e-530]
    ERROR: Cannot recover key
    libSAML2:01/19/2017 06:58:49:278 PM IST: Thread[http-apr-29303-exec-7,5,main]: TransactionId[a408138f-551e-4773-90fc-ca6af112824e-530]
    ERROR: QuerySignatureUtil.sign: Either input query string or private key is null.
    amAuthSAML2:01/19/2017 06:58:49:278 PM IST: Thread[http-apr-29303-exec-7,5,main]: TransactionId[a408138f-551e-4773-90fc-ca6af112824e-530]

    Any thoughts ?

    #15449
     Peter Major 
    Moderator

    Cannot recover key: passwords are wrong…

    You could try to use a tool like portecle to manage your keystore.
