August 8, 2018 at 10:52 am #22762
I am leading the security SSO R&D work at my workplace and I have the evaluation version of OpenAM installed. I am stuck with the following situation.
We can get the SSO flow working and the SAML response signed with the ‘test’ certificate; however, my goal is to replace the default ‘test’ certificate with our ‘internalIdentityCertificate’.
The keystore.jceks file contains our ‘internalIdentityCertificate’; however, I can’t see this certificate in the dropdown IDP/Assertion Content/Signing and Encryption/Certificate Aliases.
I would highly appreciate any help/suggestion on this.
August 8, 2018 at 11:39 am #22809
After updating the keystore, you should restart the container so that the new aliases are made available. Also keep in mind that if you just replace the private key stored under the “test” alias, you will need to resave the federation configuration to pick up the new certificate and update the standard metadata.
August 8, 2018 at 11:53 am #22811
Hello Peter Major,
I have restarted the container. I haven’t replaced the ‘test’ alias; all I have done is add an entry to keystore.jceks by importing ‘internalIdentity’.crt. The keystore now contains 11 entries instead of the 10 default ones, as expected; however, the dropdown doesn’t pick up this new alias when creating a new Hosted Identity Provider.
But for the existing IDP I can manually enter this new certificate alias to match the entry in keystore.jceks, and it happily gets saved. But when I try the SSO flow again with this new signing certificate alias I get:
libSAML2:07/20/2018 05:38:03:645 PM BST: Thread[http-apr-7778-exec-10,5,main]: TransactionId[8497c67d-2b9d-4538-ba0c-1885d002f17e-1020111]
ERROR: UtilProxySAMLAuthenticator.authenticate: authn request verification failed.
com.sun.identity.saml2.common.SAML2Exception: Null input.
libSAML2:08/08/2018 10:14:22:207 AM BST: Thread[http-apr-7778-exec-3,5,main]: TransactionId[01719746-dc96-4a7b-9d80-6e76f265d9c6-9045]
ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: The private key was null.
August 8, 2018 at 12:09 pm #22812
You should try to list the contents of the keystore; if your alias maps to a trustedCertificate instead of a privateKeyEntry, then that’s your problem.
August 8, 2018 at 12:14 pm #22813
Yes, here is the list. Yes, the alias is trustedCertificate instead of privateKeyEntry. How shall I resolve this?
es384test, 03-Feb-2017, PrivateKeyEntry,
selfserviceenctest, 18-Mar-2016, PrivateKeyEntry,
es256test, 03-Feb-2017, PrivateKeyEntry,
dsameuserpwd, 08-Aug-2018, SecretKeyEntry,
rsajwtsigningkey, 24-May-2016, PrivateKeyEntry,
directenctest, 23-May-2018, SecretKeyEntry,
selfservicesigntest, 23-May-2018, SecretKeyEntry,
test, 03-Apr-2018, PrivateKeyEntry,
configstorepwd, 08-Aug-2018, SecretKeyEntry,
identitykey, 07-Aug-2018, trustedCertEntry
August 8, 2018 at 12:20 pm #22814
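The check Peter Major suggests, written out as an added example (not code from the thread or from OpenAM): parse what `keytool -list` prints and classify an alias before it is typed into the IDP signing configuration, so that a certificate-only entry is caught ahead of the "The private key was null" failure. The listing below is the one posted above, embedded as constructed input.

```python
"""Classify keystore aliases before using one as the OpenAM SAML signing alias.
OpenAM signs with the key under the chosen alias; a trustedCertEntry holds a
certificate only, so signing fails with "The private key was null".
"""
import re

# Matches an entry line of `keytool -list` output ("alias, date, EntryType,").
# The type is anchored at the end of the line so US-locale dates such as
# "Apr 3, 2018", which contain a comma, do not break the parse.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),.*?\b(?P<type>PrivateKeyEntry|SecretKeyEntry|trustedCertEntry),?\s*$")

# Constructed sample: the keystore listing posted in the thread above.
SAMPLE_LISTING = """\
es384test, 03-Feb-2017, PrivateKeyEntry,
selfserviceenctest, 18-Mar-2016, PrivateKeyEntry,
es256test, 03-Feb-2017, PrivateKeyEntry,
dsameuserpwd, 08-Aug-2018, SecretKeyEntry,
rsajwtsigningkey, 24-May-2016, PrivateKeyEntry,
directenctest, 23-May-2018, SecretKeyEntry,
selfservicesigntest, 23-May-2018, SecretKeyEntry,
test, 03-Apr-2018, PrivateKeyEntry,
configstorepwd, 08-Aug-2018, SecretKeyEntry,
identitykey, 07-Aug-2018, trustedCertEntry,
"""


def parse_keytool_list(text):
    """Return {alias: entry_type}; header and fingerprint lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip()] = m.group("type")
    return entries


def signing_alias_status(entries, alias):
    """Return (usable_for_signing, reason) for one alias."""
    kind = entries.get(alias)
    if kind is None:
        return False, f"alias '{alias}' is not in the keystore"
    if kind == "PrivateKeyEntry":
        return True, f"alias '{alias}' holds a private key with its certificate"
    if kind == "trustedCertEntry":
        # A bare .crt imported with `keytool -importcert` lands here: no private key.
        # The key+cert pair must be imported together (e.g. from a PKCS12 file
        # via `keytool -importkeystore`) to become a PrivateKeyEntry.
        return False, f"alias '{alias}' is a certificate only; nothing to sign with"
    return False, f"alias '{alias}' is a {kind}, not an asymmetric signing key"
```

Run against the posted listing, `identitykey` is flagged as certificate-only while `test` is reported as usable.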