Unable to do sso or federation

This topic contains 3 replies, has 2 voices, and was last updated by  Peter Major 3 months, 1 week ago.

  • #25770
     smmellac 
    Participant

    Below is the error. The keystore has privatekey entry for the cert and correct alias in the server defaults. Any thoughts on what the disconnect is?

    ERROR: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    libSAML2:05/09/2019 05:45:30:333 PM UTC: Thread[https-jsse-nio-8443-exec-9,5,main]: TransactionId[608a518f-58ce-4c58-9bc1-1342e4603a0d-129]
    ERROR: FMSigProvider.sign: The private key was null.
    libSAML2:05/09/2019 05:45:30:333 PM UTC: Thread[https-jsse-nio-8443-exec-9,5,main]: TransactionId[608a518f-58ce-4c58-9bc1-1342e4603a0d-129]
    ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
    com.sun.identity.saml2.common.SAML2Exception: The private key was null.
    at com.sun.identity.saml2.xmlsig.FMSigProvider.sign(FMSigProvider.java:142)
    at com.sun.identity.saml2.assertion.impl.AssertionImpl.sign(AssertionImpl.java:691)
    at com.sun.identity.saml2.profile.IDPSSOUtil.signAssertion(IDPSSOUtil.java:2500)
    at com.sun.identity.saml2.profile.IDPSSOUtil.signAndEncryptResponseComponents(IDPSSOUtil.java:2576)
    at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponse(IDPSSOUtil.java:730)
    at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:524)
    at org.forgerock.openam.saml2.UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache(UtilProxySAMLAuthenticatorLookup.java:161)
    at com.sun.identity.saml2.profile.IDPSSOFederate.process(IDPSSOFederate.java:242)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:144)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:104)
    at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:195)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)

    #25771
     Peter Major 
    Moderator

    The keystore password may be wrong, or the private key’s password is incorrect.

    #25776
     smmellac 
    Participant

    Validated that the keystore password is correct. The private key we are using is based on our company signed cert, which looks good. I am wondering if any certs that come with the keystore are referenced somewhere:

    es384test
    es512test
    es256test
    selfserviceenctest
    test

    Any thoughts on this?

    #25777
     Peter Major 
    Moderator

    Is the private key entry password protected? Is it the correct password?
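
The replies ask two separate questions: is the keystore password right, and is the private key entry's own password right. The standard `java.security.KeyStore` API can check each one on its own, as in this added example (not part of the thread and not ForgeRock code; the class name `KeyEntryCheck`, the `STOREPASS`/`KEYPASS` environment variable names and the command-line arguments are assumptions):

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;

// Added example. Usage: java KeyEntryCheck <keystore-file> <type> <alias>
// <type> is the keystore type, e.g. JCEKS, JKS or PKCS12.
// Passwords come from the STOREPASS and KEYPASS environment variables (assumed names).
public class KeyEntryCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) fail("usage: KeyEntryCheck <keystore-file> <type> <alias>");
        String alias = args[2];
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, env("STOREPASS")); // integrity check uses the store password
        } catch (IOException e) {
            // A wrong store password is reported as an IOException whose cause
            // is an UnrecoverableKeyException.
            fail("cannot open keystore (wrong store password or type?): " + e.getMessage());
        }
        if (!ks.containsAlias(alias)) fail("alias not found: " + alias);
        if (!ks.isKeyEntry(alias)) fail("alias is a certificate-only entry, no private key: " + alias);
        try {
            Key key = ks.getKey(alias, env("KEYPASS")); // decrypts the entry with the key password
            if (!(key instanceof PrivateKey)) fail("entry holds a secret key, not a private key");
            System.out.println("OK: " + key.getAlgorithm() + " private key recovered for " + alias);
        } catch (UnrecoverableKeyException e) {
            // The store opened but the entry could not be decrypted: the key
            // password differs from the one supplied.
            fail("store password accepted, key password rejected: " + e.getMessage());
        }
    }

    private static char[] env(String name) {
        String v = System.getenv(name);
        if (v == null) fail("environment variable not set: " + name);
        return v.toCharArray();
    }

    private static void fail(String msg) {
        System.err.println(msg);
        System.exit(1);
    }
}
```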
