By: Marco Weiss user 03 Mar 2018 at 11:24 a.m. CST

7 Responses
Hi all, I have set up a Gluu IDP on SAML to connect an OpenEDX. I followed the documentation and did a successful test with testshib. But when logging in with OpenEDX I get an error on Gluu's page:

An error occurred: ActionExecutionException

And I see in the logs that Gluu has problems decoding a certificate:

```
==> /opt/shibboleth-idp/logs/idp-process.log <==
2018-03-03 18:07:10,780 - ERROR [org.springframework.webflow.execution.ActionExecutionException:76] - org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters@10c06c17 in state 'OutboundContextsAndSecurityParameters' of flow 'SAML2/Redirect/SSO' -- action execution attributes were 'map[[empty]]'
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
Caused by: org.cryptacular.EncodingException: Cannot decode certificate
    at org.cryptacular.util.CertUtil.readCertificate(CertUtil.java:258)
Caused by: java.security.cert.CertificateParsingException: signed fields invalid
    at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1791)

==> /opt/shibboleth-idp/logs/idp-warn.log <==
2018-03-03 18:07:10,780 - ERROR [org.springframework.webflow.execution.ActionExecutionException:76] - org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters@10c06c17 in state 'OutboundContextsAndSecurityParameters' of flow 'SAML2/Redirect/SSO' -- action execution attributes were 'map[[empty]]'
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
Caused by: org.cryptacular.EncodingException: Cannot decode certificate
    at org.cryptacular.util.CertUtil.readCertificate(CertUtil.java:258)
Caused by: java.security.cert.CertificateParsingException: signed fields invalid
    at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1791)
```

By Mohib Zico staff 03 Mar 2018 at 10:44 p.m. CST

Hello Marco, I would check two things...

- Required attributes from OpenEDX.
- Double check certificate inside OpenEDX metadata.
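One way to do the certificate check suggested above, as an added example that is not part of the thread and is not Gluu or Open edX code: it pulls every `X509Certificate` out of SP metadata and tests only the outer DER shape, which a truncated or mis-pasted value breaks. The sample metadata, its `entityID` and the stand-in certificate bytes are constructed, and a passing result still needs a full parse of the real certificate.

```python
import base64, binascii
import xml.etree.ElementTree as ET

MD, DS = "{urn:oasis:names:tc:SAML:2.0:metadata}", "{http://www.w3.org/2000/09/xmldsig#}"

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of data")
    return tag, pos, pos + length

def check_cert_shape(b64_text):
    """Shape check only: SEQUENCE { tbs SEQUENCE, alg SEQUENCE, sig BIT STRING }."""
    try:
        der = base64.b64decode("".join(b64_text.split()), validate=True)
        tag, pos, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return "not a single DER SEQUENCE"
        tags = []
        while pos < end:
            t, _, pos = read_tlv(der, pos)
            tags.append(t)
    except binascii.Error:
        return "bad base64"
    except (ValueError, IndexError):
        return "truncated or malformed DER"
    return "ok" if tags == [0x30, 0x30, 0x03] else "unexpected top-level fields"

def check_metadata(xml_text):
    """Return [(use, verdict)] for each certificate under a KeyDescriptor."""
    root = ET.fromstring(xml_text)
    return [(kd.get("use", "unspecified"), check_cert_shape(c.text or ""))
            for kd in root.iter(MD + "KeyDescriptor")
            for c in kd.iter(DS + "X509Certificate")]

# Constructed stand-ins: minimal DER with the right outer shape, not real certificates.
DER = bytes.fromhex("300730003000030100")
GOOD, CUT = (base64.b64encode(d).decode() for d in (DER, DER[:-2]))  # CUT = truncated paste
KD = ('<md:KeyDescriptor use="{}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{}'
      '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SAMPLE = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org">'
          '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
          + KD.format("signing", GOOD) + KD.format("encryption", CUT)
          + '</md:SPSSODescriptor></md:EntityDescriptor>')
print(check_metadata(SAMPLE))
```

The `use="encryption"` entry is the one to look at first here, since the failing action in the log is `PopulateEncryptionParameters`.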

By Marco Weiss user 07 Mar 2018 at 2:29 a.m. CST

Hi Mohib, in the meantime things have changed. I did another post for another issue, but now this post here and the other one https://support.gluu.org/single-sign-on/5183/certificate-decode-error-on-sso/#at30708 are running in the same direction. So maybe you can look through the other post, where I said that, for whatever reason, the error has gone away over the weekend ... But now I'm getting another error, like I wrote in the other post:

`Authentication failed: SAML login failed: ['invalid_response'] (There is no AttributeStatement on the Response)`

To avoid further duplication, I think it would be better if you could follow the other post?

Marco

By Mohib Zico staff 07 Mar 2018 at 4:06 a.m. CST

Marco, which other post are you mentioning?

By Marco Weiss user 07 Mar 2018 at 7:25 a.m. CST

Sorry, copied the wrong link. Here it is: https://support.gluu.org/single-sign-on/5155/shibboleth-503-on-restart-new-instance/#at30707

By Mohib Zico staff 07 Mar 2018 at 1:01 p.m. CST

No problem at all. Yes .. it's better to create a new ticket for `invalid response`. So.. we will have fresh data on one issue at a time.

By Marco Weiss user 08 Mar 2018 at 1:41 a.m. CST

Hi Mohib, I did open a ticket for that, and here is the link for others who come across that topic: https://support.gluu.org/single-sign-on/5199/saml-login-failed-wiht-invalid_response-and-there-is-no-attributestatement-on-the-response/

By Mohib Zico staff 08 Mar 2018 at 2:18 a.m. CST

Thanks. Assigning this to one Engineer to help you out.