How to configure PicketLink Federation with Signature where SP and IDP have different keystores?

Solution Verified

Issue

  • How to configure PicketLink Federation with Signature where SP and IDP have different keystores?
  • When configuring PicketLink Federation with Signature, with different keystores for the IDP and the SP, the following errors appear in the server log:
13:53:26,038 ERROR [org.picketlink.common] (http-/127.0.0.1:8080-1) Exception in processing request:: org.picketlink.common.exceptions.ProcessingException: org.picketlink.common.exceptions.fed.SignatureValidationException: PL00009: Invalid Digital Signature:Signature Validation Failed
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.constructSignatureException(SAML2SignatureValidationHandler.java:157) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:104) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:52) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:857) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.handleSAMLMessage(AbstractIDPValve.java:427) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    ...
Caused by: org.picketlink.common.exceptions.fed.SignatureValidationException: PL00009: Invalid Digital Signature:Signature Validation Failed
    at org.picketlink.common.DefaultPicketLinkLogger.samlHandlerSignatureValidationFailed(DefaultPicketLinkLogger.java:1578)
    ... 15 more

13:53:26,217 ERROR [org.picketlink.common] (http-/127.0.0.1:8080-1) Service Provider could not handle the request.: java.lang.IllegalArgumentException: PL00092: Null Value:No assertions in reply from IDP
    at org.picketlink.common.DefaultPicketLinkLogger.samlHandlerNoAssertionFromIDP(DefaultPicketLinkLogger.java:1411)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:424) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    ...
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_17]
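The two errors above are one failure seen from both sides: the IDP first rejects the SP's signed message (PL00009, Signature Validation Failed), so its reply carries no assertion, and the SP then fails with PL00092 (No assertions in reply from IDP). The added example below is not part of this article and is not PicketLink code; it uses only the JDK's XML-DSig API to show the underlying check: the receiving side can only validate a SAML message with the sender's public key, so whatever key it loads from its own keystore for that peer has to be the sender's certificate, not its own. The class name, the in-memory key pairs standing in for the hypothetical sp.jks and idp.jks keystores, and the minimal AuthnRequest element are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Hypothetical demo class: which key must be used to validate a peer's signed SAML message. */
public class SamlSignatureTrustDemo {

    private static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");
    // Same algorithm URI string works on Java 7 (EAP 6) where SignatureMethod.RSA_SHA256 does not exist yet
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for XML-DSig element lookup by namespace
        return dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Enveloped-signs the root element with the sender's private key (the SP signing its AuthnRequest). */
    static void sign(Document doc, PrivateKey signingKey) throws Exception {
        Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = FAC.newSignedInfo(
                FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                FAC.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        // No KeyInfo on purpose: the receiver must validate with the key it has configured for this peer,
        // never with a key the message itself supplies.
        XMLSignature sig = FAC.newXMLSignature(si, null);
        sig.sign(new DOMSignContext(signingKey, doc.getDocumentElement()));
    }

    /** Validates the enveloped signature with ONLY the key the receiver trusts for the sender. */
    static boolean validate(Document doc, PublicKey validatingKey) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) {
            return false; // unsigned message: treat as a validation failure, not as "nothing to check"
        }
        DOMValidateContext ctx = new DOMValidateContext(validatingKey, nl.item(0));
        XMLSignature sig = FAC.unmarshalXMLSignature(ctx);
        return sig.validate(ctx); // false when SignatureValue does not verify under validatingKey
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sp = kpg.generateKeyPair();  // stands in for the SP's own key pair in sp.jks (constructed)
        KeyPair idp = kpg.generateKeyPair(); // stands in for the IDP's own key pair in idp.jks (constructed)

        // Constructed minimal AuthnRequest; a real one carries Issuer, Destination, IssueInstant, etc.
        String request = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_constructed-example\" Version=\"2.0\"/>";
        Document doc = parse(request);
        sign(doc, sp.getPrivate());

        // Correct: the IDP validates the SP's message with the SP's certificate, which it must have
        // imported into its own keystore from the SP side.
        System.out.println("validate with SP public key : " + validate(doc, sp.getPublic()));
        // Wrong: the IDP validates with a key that is not the SP's (e.g. its own signing certificate);
        // this is the situation behind a "Signature Validation Failed" log entry.
        System.out.println("validate with IDP public key: " + validate(doc, idp.getPublic()));
    }
}
```

Run with `java SamlSignatureTrustDemo` on any JDK; the first validate call returns true and the second returns false. The practical check this suggests for a two-keystore deployment is to confirm, with keytool, that the certificate stored in each side's keystore under the alias used for the peer has the same fingerprint as the peer's own signing certificate; a mismatch there produces exactly the PL00009 followed by PL00092 sequence shown above.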

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.3.x
    • 6.4.x
