So we are a year into our production system which runs 4.1. The certs in /etc/certs/oxauth-keys.jks have expired. The documentation for renewing these for 4.1 only covers SCIM, and not oxauth for some reason. The documentation for renewing these for 4.0 covers both oxauth and SCIM, but expects an oxauth json file which does not seem to exist in my production system. Could someone explain if 4.1 does not need a renewal and I'm having a totally separate issue, like an auto-renewal is not working, or if I'm supposed to use the 4.0 instructions and the missing file is a separate issue to be resolved, or a third option I have not thought about? Thanks, Rhett
oxAuth does not have certificates... it uses bare keys. So they don't expire. What makes you think the certificate has expired?
The oxauth log said the items in the oxauth-keys.jks expired and could not be used; I found a reference to this being something that happened every year in 4.0. Is this no longer true in 4.1.1? I’ll roll back and get you the exact error text.
Here is the message I had in the oxauth logs. The situation with the server is that I can login, but all of our trusts except the OpenID one fail to login. A SAML tracer shows that no information is being passed to the SP.
2021-07-27 23:54:42,816 ERROR [qtp1590550415-10264024] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:634) - Failed to get attributes from session
2021-07-27 23:57:13,997 WARN [qtp1590550415-10264104] [org.gluu.oxauth.model.crypto.AbstractCryptoProvider] (AbstractCryptoProvider.java:250) - WARNING! Key with alias: 0e8cc3d5-d366-43d6-a899-d7e18b7ebbdf_sig_rs256 Expires In: 1 days Expires On: 2021-07-29 01:53:56 Key Regeneration In: 2 days Today's Date: 2021-07-27 23:57:13
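A small log check, added here as an illustration and not part of the thread or of Gluu's own tooling: it parses the AbstractCryptoProvider warning format quoted above, computes how long each key has left from the "Expires On" and "Today's Date" fields, and flags any key whose scheduled regeneration ("Key Regeneration In") would fire after the key has already expired, which is exactly what the numbers in this log show (expires in 1 day, regeneration in 2 days). The third sample line, its alias and its dates are constructed for the example; the first two are the lines from the thread.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: the two oxauth log lines quoted in the thread, plus one made-up
# "healthy" key line (alias and dates invented) so the filter has something to leave alone.
SAMPLE_LOG = """\
2021-07-27 23:54:42,816 ERROR [qtp1590550415-10264024] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:634) - Failed to get attributes from session
2021-07-27 23:57:13,997 WARN [qtp1590550415-10264104] [org.gluu.oxauth.model.crypto.AbstractCryptoProvider] (AbstractCryptoProvider.java:250) - WARNING! Key with alias: 0e8cc3d5-d366-43d6-a899-d7e18b7ebbdf_sig_rs256 Expires In: 1 days Expires On: 2021-07-29 01:53:56 Key Regeneration In: 2 days Today's Date: 2021-07-27 23:57:13
2021-07-27 23:57:14,001 WARN [qtp1590550415-10264104] [org.gluu.oxauth.model.crypto.AbstractCryptoProvider] (AbstractCryptoProvider.java:250) - WARNING! Key with alias: 11111111-2222-3333-4444-555555555555_enc_rsa1_5 Expires In: 300 days Expires On: 2022-05-23 23:57:13 Key Regeneration In: 200 days Today's Date: 2021-07-27 23:57:13
"""

# Field layout of the warning as it appears in the quoted log line.
KEY_WARNING = re.compile(
    r"Key with alias: (?P<alias>\S+) "
    r"Expires In: (?P<expires_in>\d+) days "
    r"Expires On: (?P<expires_on>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Key Regeneration In: (?P<regen_in>\d+) days "
    r"Today's Date: (?P<today>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)
TS = "%Y-%m-%d %H:%M:%S"


@dataclass
class KeyStatus:
    alias: str
    expires_on: datetime
    today: datetime          # the server's own "Today's Date", so the check is clock-independent
    regen_in_days: int

    @property
    def days_left(self) -> int:
        return (self.expires_on - self.today).days

    @property
    def regen_date(self) -> datetime:
        return self.today + timedelta(days=self.regen_in_days)

    @property
    def regen_after_expiry(self) -> bool:
        # True when the key will be expired before the scheduled regeneration replaces it,
        # i.e. there is a window in which tokens/assertions are signed with an expired key.
        return self.regen_date > self.expires_on


def parse_key_warnings(log_text: str) -> list[KeyStatus]:
    """Extract every key-expiry warning from oxauth log text."""
    found = []
    for line in log_text.splitlines():
        m = KEY_WARNING.search(line)
        if m:
            found.append(KeyStatus(
                alias=m["alias"],
                expires_on=datetime.strptime(m["expires_on"], TS),
                today=datetime.strptime(m["today"], TS),
                regen_in_days=int(m["regen_in"]),
            ))
    return found


def keys_needing_attention(log_text: str, within_days: int = 7) -> list[str]:
    """Aliases that expire within `within_days` or whose regeneration lands after expiry."""
    return [k.alias for k in parse_key_warnings(log_text)
            if k.days_left <= within_days or k.regen_after_expiry]


if __name__ == "__main__":
    for k in parse_key_warnings(SAMPLE_LOG):
        flag = "REGEN AFTER EXPIRY" if k.regen_after_expiry else "ok"
        print(f"{k.alias}: {k.days_left} day(s) left, regeneration {k.regen_date} [{flag}]")
    print("needs attention:", keys_needing_attention(SAMPLE_LOG))
```

Pointing this at `oxauth.log` (instead of the constructed sample) gives a quick answer to the question raised in the thread, namely whether the keystore really holds keys that are past, or about to pass, their expiry date, and whether the built-in regeneration would have caught them in time.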
@Mobarak Hosen.Shakil can you take a look at this and make sure how to deal with this is addressed in the Gluu docs?
The key 0e8cc3d5-d366-43d6-a899-d7e18b7ebbdf_sig_rs256 exists in the oxauth-keys.jks and only the oxauth log saw the error, so it was my assumption that the keys had expired.
I have returned to my original oxauth-keys.jks and the LDAP settings to match it. I have deactivated and reactivated my test trust since previously I was not able to get any attributes to show up inside the request sent to that trust. I am still able to login via a request for OpenID, but when I use a link that requests a SAML login for Tableau (local network service) or several of the external vendors' services. The SAML responses seem well formed, with an audience and dates, but no attributes sent even though there are attributes assigned to the trust.
BTW, did you check the docs regarding generating cryptographic keys?
OK, so I do need to renew the keys? Assuming that I do update the oxauth-keys.jks according to the instructions you have sent, do I need to update the LDAP information to match, similar to the 4.0 instructions, or is updating the oxauth-keys.jks by itself enough?
I'm not sure. I assigned the ticket to @Mobarak Hosen.Shakil. There is no SLA on community support. He'll look into it. If you need priority support, you should look into getting a VIP support contract.
Thank you for the info, I was more trying to understand if you were asking a question or telling me that the document was the answer.
Hi Rhett Prichard,
I will look into it and will get back to you.
Thanks & Regards ~ Shakil
@Michael how do I find out about a VIP support contract? Can I pay for a one-time issue to be helped or is it only a subscription?
Spoke to Rhett - having trouble pinpointing the cause of the error. Referred him to a partner, who will reach out as school starts in a couple weeks. Rhett needs a way to consolidate the logs and determine cause. Issue started after reboot of service.