By: Brett Cave Account Admin 14 Jun 2017 at 10:49 a.m. CDT

10 Responses
Am opening a new ticket from the conversation on https://support.gluu.org/single-sign-on/4212/unable-to-set-up-testshiborg-sp-with-gluu-idp/ - this is for setting up our own SP to use Gluu's shib IDP to authenticate. This is happening in an SP-initiated flow. The SP is configured with IDP metadata, including a signing and encryption cert. The "signing" cert is the default signing cert, which is also found in `/etc/certs/idp-signing.crt`. However, the Gluu JSON config references `/etc/certs/shibIDP.crt` under the `idpSecurityCert` key. `/opt/shibboleth-idp/conf/idp.properties` references idp-signing.crt. We have tried using both the idp-signing and shibIDP certs in IDP metadata provided to the SP and both fail. These logs are found in `idp-process.log`:

```
2017-06-14 15:35:43,563 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:182] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: Validation of protocol message signature failed
        at org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityHandler.java:145)
2017-06-14 15:35:43,564 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: MessageAuthenticationError
```

I can decode the SAMLRequest (AuthnRequest) that is posted to Gluu (POST Binding on SingleSignOnService) if that helps. The authnrequest doesn't contain a certificate, it contains signature value, rsakey modulus and exponent.

By Mohib Zico staff 14 Jun 2017 at 10:53 a.m. CDT

Brett, Thanks for opening a new ticket. So, it's all about Certificate, I am sure. BTW, do you get login screen of your Gluu Server after you initiate the SSO flow from SP?

By Brett Cave Account Admin 14 Jun 2017 at 11:01 a.m. CDT

Regardless of whether logged into Gluu or not, we only get this after posting to Gluu: ![screengrab](https://i.gyazo.com/5cf96f6a0514d80d13c026a83a8dd6f1.png "enter image title here")

By Brett Cave Account Admin 14 Jun 2017 at 11:06 a.m. CDT

I updated the idp-metadata and references to files from idp.properties to reference the shibIDP.crt file / contents. I still get the same error.

By Mohib Zico staff 14 Jun 2017 at 11:07 a.m. CDT

Alright. Let's try to configure Relying Party ( SAML2SSO ) for this trust in your Gluu Server. I am attaching a screenshot of SAML2SSO profile values as well.

By Mohib Zico staff 14 Jun 2017 at 11:11 a.m. CDT

> I updated the idp-metadata and references to files from idp.properties to reference the shibIDP.crt file / contents. I still get the same error.

I am not exactly sure where this 'idp.properties' file is, but please don't modify any configuration in Gluu Server; it might make things worse.

By Brett Cave Account Admin 14 Jun 2017 at 11:16 a.m. CDT

I disabled the `conditional` for `encryptAssertions` that was previously checked. Am getting the same error after IDP reloaded the updated config. Am not sure if posting the decoded AuthnRequest would help?

```
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="REDACTED-shows-sso-signonURL"
    Destination="https://my-idp/idp/profile/SAML2/POST/SSO"
    ForceAuthn="false"
    ID="_e23c37e4a0606823f004b051e871cbb"
    IsPassive="false"
    IssueInstant="2017-06-14T13:26:22.966Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="pac4j-saml"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:advisorpro</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_e23c37e4a0606823f004b051e871cbb">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>REDACTED</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>REDACTED</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>REDACTED</ds:Modulus>
          <ds:Exponent>REDACTED</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
</saml2p:AuthnRequest>
```
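The decoded request above carries the SP's public key only as a bare `ds:RSAKeyValue` (modulus and exponent), and Shibboleth does not decide trust from that embedded key: it verifies the AuthnRequest signature against the SP credentials in the metadata registered for the trust relationship, so `MessageAuthenticationError` points at the SP's signing key versus that metadata, not at the IdP's own idp-signing/shibIDP certificate. The following triage script is an added example, not part of the ticket and not Gluu or Shibboleth code; `SAMPLE_REQUEST`, the issuer `urn:example-sp` and the modulus are constructed stand-ins for the redacted values.

```python
"""Triage a signed SAML AuthnRequest: which key signed it, and does the IdP trust that key?"""
import base64
import xml.etree.ElementTree as ET
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA1_URIS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1"}

def crypto_binary(text):
    """ds:CryptoBinary (Modulus/Exponent) is a base64-encoded big-endian unsigned integer."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")

def inspect_authn_request(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["saml2p"]:
        raise ValueError("not a saml2p:AuthnRequest")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("AuthnRequest carries no ds:Signature")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    algs = {sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm"),
            ref.find("ds:DigestMethod", NS).get("Algorithm")}
    rsa = sig.find("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue", NS)
    return {
        "issuer": root.findtext("saml2:Issuer", namespaces=NS),
        # An enveloped signature must reference the request's own ID.
        "reference_ok": ref.get("URI") == "#" + root.get("ID", ""),
        "uses_sha1": bool(algs & SHA1_URIS),
        # KeyInfo is a debugging hint only: the IdP takes trust from SP metadata, not the request.
        "request_key": None if rsa is None else (
            crypto_binary(rsa.findtext("ds:Modulus", namespaces=NS)),
            crypto_binary(rsa.findtext("ds:Exponent", namespaces=NS))),
    }

def signing_key_matches(info, trusted_modulus, trusted_exponent=65537):
    """Compare with the SP certificate the IdP holds; `openssl x509 -in sp.crt -noout -modulus`
    prints that certificate's modulus in hex."""
    return info["request_key"] == (trusted_modulus, trusted_exponent)

# Constructed sample shaped like the request in the ticket; key, digest and signature are fake.
SAMPLE_MODULUS = 0xC0FFEE0123456789ABCDEF0123456789ABCDEF00000001
_b64 = lambda n: base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()
SAMPLE_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{NS['saml2p']}" ID="_e23c" Version="2.0"
  Destination="https://my-idp/idp/profile/SAML2/POST/SSO">
  <saml2:Issuer xmlns:saml2="{NS['saml2']}">urn:example-sp</saml2:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_e23c"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>AA==</ds:DigestValue></ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>AA==</ds:SignatureValue><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
    <ds:Modulus>{_b64(SAMPLE_MODULUS)}</ds:Modulus><ds:Exponent>{_b64(65537)}</ds:Exponent>
  </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature></saml2p:AuthnRequest>"""
```

Run `inspect_authn_request` on the base64-decoded SAMLRequest from the POST body, then feed `signing_key_matches` the modulus of the SP certificate held in the IdP's trust relationship; a mismatch there reproduces the "Validation of protocol message signature failed" condition.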

By Brett Cave Account Admin 14 Jun 2017 at 11:19 a.m. CDT

Properties are set in `/opt/shibboleth-idp/conf/idp.properties` - this file is parsed by Jetty during start up to set jvm properties that shibboleth IDP uses. I changed the value of `idp.signing.key` and `idp.signing.cert` from `idp-signing` to `shibIDP`. I can revert these 2 config changes back and restart the IDP service if need be.

By Mohib Zico staff 14 Jun 2017 at 11:22 a.m. CDT

Yes, please don't change anything in Gluu Server. Let's keep them as they are ( other than metadata-provider.xml.vm ). I think I'll share a video tutorial with you where we will configure a Shibboleth SP instance and connect that with Gluu Server, it might be helpful.

By Brett Cave Account Admin 14 Jun 2017 at 1:02 p.m. CDT

Ok - so to rule out unknowns, I installed shib SP and am able to test the SAML flow with the Gluu installation and ensure I am working with the correct keys and certificates in the right places. https://gluu.org/docs/ce/integration/saml-sp/ was a great help to get this up relatively quickly. We'll work through our webapp's SP implementation, I suspect there might be issues with it, even though we were using the correct metadata earlier. Many thanks for your patience and assistance so far.

By Mohib Zico staff 14 Jun 2017 at 1:04 p.m. CDT

Very nice!!!