How to configure PicketLink Federation with Signature where SP and IDP have different keystores?

Solution Verified - Updated -

Issue

  • How to configure PicketLink Federation with Signature where SP and IDP have different keystores?
  • When configuring PicketLink Federation with Signature having different keystores for IDP and SP, the following issue occurs:-
13:53:26,038 ERROR [org.picketlink.common] (http-/127.0.0.1:8080-1) Exception in processing request:: org.picketlink.common.exceptions.ProcessingException: org.picketlink.common.exceptions.fed.SignatureValidationException: PL00009: Invalid Digital Signature:Signature Validation Failed
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.constructSignatureException(SAML2SignatureValidationHandler.java:157) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:104) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:52) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:857) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.handleSAMLMessage(AbstractIDPValve.java:427) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    ...
Caused by: org.picketlink.common.exceptions.fed.SignatureValidationException: PL00009: Invalid Digital Signature:Signature Validation Failed
    at org.picketlink.common.DefaultPicketLinkLogger.samlHandlerSignatureValidationFailed(DefaultPicketLinkLogger.java:1578)
    ... 15 more

13:53:26,217 ERROR [org.picketlink.common] (http-/127.0.0.1:8080-1) Service Provider could not handle the request.: java.lang.IllegalArgumentException: PL00092: Null Value:No assertions in reply from IDP
    at org.picketlink.common.DefaultPicketLinkLogger.samlHandlerNoAssertionFromIDP(DefaultPicketLinkLogger.java:1411)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:424) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    ...
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_17]

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.3.x
    • 6.4.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content