Federation – HTTP Status 500.

This topic contains 6 replies, has 3 voices, and was last updated by  Scott Heger 5 days, 8 hours ago.

  • #19261
     nadavbi 
    Participant

    Hi,
    I’m new to OpenAM/Federation/SAML, so sorry for the newbie questions :).
    I tried to implement SAML 2.0 based SSO. I am using OpenAM (5.1.1) as the hosted identity provider and the JIVE application as the remote SP. I followed the documentation and finally I was able to configure the COT. After successful authentication (SP-initiated SSO) I am getting HTTP Status 500 – Unable to do Single Sign On or Federation.

    When I looked at the Federation debug log I saw that the private key was null. I’m using the test certificate that came with the OpenAM installation, and I installed the SP certificate in the OpenAM keystore as well.
    Any idea what could have happened or what I missed?

    Federation debug stack trace:
    ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
    com.sun.identity.saml2.common.SAML2Exception: The private key was null.
    at com.sun.identity.saml2.xmlsig.FMSigProvider.sign(FMSigProvider.java:141)
    at com.sun.identity.saml2.assertion.impl.AssertionImpl.sign(AssertionImpl.java:690)
    at com.sun.identity.saml2.profile.IDPSSOUtil.signAssertion(IDPSSOUtil.java:2500)
    at com.sun.identity.saml2.profile.IDPSSOUtil.signAndEncryptResponseComponents(IDPSSOUtil.java:2576)
    at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponse(IDPSSOUtil.java:735)
    at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:529)
    at org.forgerock.openam.saml2.UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache(UtilProxySAMLAuthenticatorLookup.java:166)
    at com.sun.identity.saml2.profile.IDPSSOFederate.process(IDPSSOFederate.java:240)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:142)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:102)
    at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:157)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

    #19284
     Scott Heger 
    Participant

    When you say you are using the test certificate, how are you using it? Did you set it as the signing certificate alias in your Hosted IDP? If not, set that and give it a try.

    #19288
     nadavbi 
    Participant

    Hi Scott.
    Yes, I did set the test certificate as the signing certificate.

    #19295
     Scott Heger 
    Participant

    Ok. Try this. Go to your Hosted IDP entity in the OpenAM console and ensure that your browser isn’t auto-populating values into the “New Value” and “Key Pass” fields. Chrome is doing that for me and I always have to clear those out before saving the configuration. Ensure once again that “test” is listed as a signing certificate alias and then click save. OpenAM will check at that point if it has access to the test certificate. If it doesn’t, then check which keystore you are using (i.e. jks or jceks) and then double check to ensure that “test” is in there as a PrivateKeyEntry.
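The keystore check described in the post above, as an added example that is not part of this thread or of OpenAM itself: it parses `keytool -list` output and reports whether a given alias is a PrivateKeyEntry, which is what OpenAM needs in order to sign, or only a trustedCertEntry / SecretKeyEntry (no private key, consistent with "The private key was null"). The keystore path, the store type and the alias `test` are assumptions taken from the thread; the keystore password is read from an environment variable named `OPENAM_STOREPASS` (an assumed name) via keytool's standard `-storepass:env` option so it does not show up on the process list. The sample `keytool -list` listing at the bottom is constructed so the parsing can be tried without a JDK.

```shell
#!/bin/sh
# Added example (not from this thread or from ForgeRock): check whether the
# alias OpenAM is told to sign with is really a PrivateKeyEntry in the keystore.
# A trustedCertEntry or SecretKeyEntry under that alias has no private key to
# sign with, which is consistent with "The private key was null".
# Assumptions: keystore path/type and the alias "test" are the defaults
# discussed in the thread; the keystore password is supplied in the
# environment variable OPENAM_STOREPASS (assumed name).

# classify_alias ALIAS - reads `keytool -list` output on stdin and prints the
# entry type for ALIAS (PrivateKeyEntry, trustedCertEntry, SecretKeyEntry) or
# MISSING. Exit status is 0 only for PrivateKeyEntry.
classify_alias() {
    alias="$1"
    kind=$(awk -v a="$alias" '
        # keytool prints one summary line per entry: "alias, date, EntryType, "
        # The date itself contains ", ", so take the last non-empty field.
        index($0, a ", ") == 1 {
            n = split($0, f, ", ")
            for (i = n; i > 0; i--) {
                gsub(/[ ,]+$/, "", f[i])
                if (f[i] != "") { print f[i]; exit }
            }
        }')
    [ -n "$kind" ] || kind=MISSING
    printf '%s\n' "$kind"
    [ "$kind" = "PrivateKeyEntry" ]
}

# check_openam_signing_alias KEYSTORE STORETYPE ALIAS
# Runs keytool against a real keystore (jks or jceks) and classifies ALIAS.
# A wrong password makes keytool print nothing on stdout, which shows up as
# MISSING; check stderr in that case.
check_openam_signing_alias() {
    keystore="$1"; storetype="$2"; alias="$3"
    keytool -list -keystore "$keystore" -storetype "$storetype" \
        -storepass:env OPENAM_STOREPASS | classify_alias "$alias"
}

# Constructed sample of `keytool -list` output (not from a real keystore) so
# the parsing can be exercised without a JDK.
SAMPLE_KEYTOOL_LIST='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 3 entries

test, Sep 27, 2017, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 39:DD:8A:4B:1C:12:0E:55:71:C4:7A:46:8B:58:62:D7:8C:27:5A:0E
sp-cert, Sep 28, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
hmac-key, Sep 27, 2017, SecretKeyEntry, '

# Demonstration on the constructed sample:
#   test    -> PrivateKeyEntry   (usable for signing)
#   sp-cert -> trustedCertEntry  (certificate only, no private key)
#   nosuch  -> MISSING
for a in test sp-cert nosuch; do
    printf '%s -> ' "$a"
    printf '%s\n' "$SAMPLE_KEYTOOL_LIST" | classify_alias "$a" || :
done

# Against a live deployment (assumed path; adjust to your configuration dir):
#   OPENAM_STOREPASS='...'; export OPENAM_STOREPASS
#   check_openam_signing_alias /path/to/openam/keystore.jceks jceks test
```

If the alias you configured as the signing certificate alias comes back as trustedCertEntry, it was imported with `keytool -importcert` (certificate only) rather than as a key pair; if it comes back MISSING, check that you are pointing at the keystore type (jks or jceks) OpenAM is actually configured to use.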

    #19693
     nadavbi 
    Participant

    Hi,
    Sorry for the delay, and yes, Chrome did populate the values; when I cleared them and saved, it solved the problem.
    Thanks.

    #26076
     11550662 
    Participant

    Hi Scott,

    Thanks Much, this really helped me out in fixing the issue.

    #26100
     Scott Heger 
    Participant

    You’re welcome!

©2019 ForgeRock