January 18, 2017 at 8:45 pm #15410
I’m looking for a solution and perhaps you have it. I configured OpenAM as a hosted SP with ADFS on a remote machine as the IdP (remote IdP).
I followed the steps in this guide:
and still, when I try to log in (IdP- or SP-initiated), I get an exception from OpenAM:
ERROR: SAML2 :: process() : Authentication Error
com.sun.identity.saml2.common.SAML2Exception: Null input. at com.sun.identity.saml2.common.QuerySignatureUtil.sign(QuerySignatureUtil.java:84)…..
Any thoughts ?
Thank you all

January 19, 2017 at 2:52 am #15415
Scott Heger (Participant)
Kick up your debug level to Message and try again. That will log more information to the Federation debug log, which will help resolve this faster.

January 19, 2017 at 9:17 am #15422
My logs are on Message, but still this is the only message that appears in the logs.

January 19, 2017 at 2:43 pm #15436
The "Null input" error message means that the private key is missing for the query string signature. Most likely you have configured a non-existent private key alias for signatures in the hosted SP settings, or you have provided an incorrect password for the keystore or the private key.

January 19, 2017 at 3:27 pm #15439
I configured it with a certificate of the OpenAM machine (SHA-2) in the OpenAM keystore. Is it taking the private key from there?
Where does it take the private key from?

January 19, 2017 at 3:56 pm #15441
The keystore file is the one defined under Configuration – Servers and Sites – Default Server Settings – Security – Keystore File. In the XUI the path would be Configuration – Server Defaults – Security – Key Store.

January 19, 2017 at 3:59 pm #15442
I know. The question is where the private key is taken from? If the same certificate has been placed everywhere, what can be the reason the private key is missing or wrong?

January 19, 2017 at 4:04 pm #15443
The private key is obtained from the keystore. You should make sure that your keystore contains a PrivateKeyEntry and not a trustedCertEntry. You can run the following commands:
keytool -list -keystore openam/openam/keystore.jks
keytool -list -keystore openam/openam/keystore.jceks -storetype JCEKS

January 19, 2017 at 6:13 pm #15447
Thank you for your advice! I inserted the key as a PrivateKeyEntry and configured my SP in OpenAM to use it for signing (I have nothing in encryption). I keep getting this error:
SPSSOFederate: certAlias :1
libSAML:01/19/2017 06:58:49:277 PM IST: Thread[http-apr-29303-exec-7,5,main]: TransactionId[a408138f-551e-4773-90fc-ca6af112824e-530]
ERROR: Cannot recover key
libSAML2:01/19/2017 06:58:49:278 PM IST: Thread[http-apr-29303-exec-7,5,main]: TransactionId[a408138f-551e-4773-90fc-ca6af112824e-530]
ERROR: QuerySignatureUtil.sign: Either input query string or private key is null.
amAuthSAML2:01/19/2017 06:58:49:278 PM IST: Thread[http-apr-29303-exec-7,5,main]: TransactionId[a408138f-551e-4773-90fc-ca6af112824e-530]
Any thoughts?

January 19, 2017 at 7:49 pm #15449
Cannot recover key: passwords are wrong…
You could try to use a tool like Portecle to manage your keystore.
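The two diagnoses given in this thread (a missing or certificate-only entry under the signing alias, and a wrong private-key password) can be reproduced outside OpenAM with the standard java.security.KeyStore API, which is what OpenAM itself uses to open keystore.jks / keystore.jceks. The program below is an added example written for this page, not OpenAM code: it takes the keystore path, store type, store password, alias and key password on the command line (OpenAM reads the last two from the Keystore Password File and Private Key Password File configured on the same Security page, by default .storepass and .keypass next to the keystore) and reports which of the checks fails. The class name KeystoreCheck and the sample alias "test" are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * KeystoreCheck: a hypothetical stand-alone diagnostic (not part of OpenAM)
 * that reproduces the checks behind the two errors in this thread:
 * "Null input" (no usable PrivateKeyEntry under the configured alias) and
 * "Cannot recover key" (the private-key password is wrong).
 *
 * Usage: java KeystoreCheck <keystore-file> <JKS|JCEKS> <storepass> <alias> <keypass>
 * e.g.   java KeystoreCheck openam/openam/keystore.jceks JCEKS changeit test changeit
 */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: KeystoreCheck <keystore> <JKS|JCEKS> <storepass> <alias> <keypass>");
            System.exit(2);
        }
        String file = args[0], type = args[1], storePass = args[2], alias = args[3], keyPass = args[4];

        // 1. Open the store with the keystore password (OpenAM's .storepass value).
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass.toCharArray());
        } catch (IOException e) {
            // JKS/JCEKS report a wrong store password as an IOException
            // ("Keystore was tampered with, or password was incorrect").
            System.out.println("FAIL: cannot open " + file + ": " + e.getMessage());
            System.exit(1);
        }

        // 2. Does the configured signing alias exist at all? A typo here is the
        //    commonest reason QuerySignatureUtil.sign() is handed a null private key.
        if (!ks.containsAlias(alias)) {
            System.out.println("FAIL: alias '" + alias + "' not found. Aliases present: "
                    + Collections.list(ks.aliases()));
            System.exit(1);
        }

        // 3. Entry type: a trustedCertEntry holds only the public certificate, so
        //    OpenAM can verify signatures with it but never produce one.
        if (ks.isCertificateEntry(alias)) {
            System.out.println("FAIL: '" + alias + "' is a trustedCertEntry (certificate only, no private key).");
            System.exit(1);
        }
        if (!ks.isKeyEntry(alias)) {
            System.out.println("FAIL: '" + alias + "' is neither a key entry nor a certificate entry.");
            System.exit(1);
        }

        // 4. Unlock the key with the private-key password (OpenAM's .keypass value).
        //    JKS throws UnrecoverableKeyException("Cannot recover key") when it is
        //    wrong, which is exactly the message in the libSAML debug log above.
        Key key;
        try {
            key = ks.getKey(alias, keyPass.toCharArray());
        } catch (UnrecoverableKeyException e) {
            System.out.println("FAIL: " + e.getMessage() + " -> the key password for '" + alias
                    + "' does not match the one OpenAM is configured with.");
            System.exit(1);
            return;
        }
        if (!(key instanceof PrivateKey)) {
            System.out.println("FAIL: '" + alias + "' is a SecretKeyEntry (symmetric key), not a PrivateKeyEntry.");
            System.exit(1);
        }

        // 5. Report the certificate OpenAM will publish in its SP metadata and
        //    that the IdP (ADFS) must trust for signature verification.
        Certificate cert = ks.getCertificate(alias);
        System.out.println("OK: '" + alias + "' is a usable " + key.getAlgorithm() + " PrivateKeyEntry.");
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            System.out.println("    subject:  " + x.getSubjectX500Principal());
            System.out.println("    sig alg:  " + x.getSigAlgName());
            System.out.println("    valid to: " + x.getNotAfter());
            try {
                x.checkValidity();
            } catch (CertificateException e) {
                System.out.println("WARN: certificate is not currently valid: " + e.getMessage());
            }
        }
    }
}
```

Compile with javac KeystoreCheck.java and run it with the same alias, store type and passwords OpenAM is configured with; a FAIL at step 2 or 3 corresponds to the "Null input" exception at the top of the thread, a FAIL at step 4 to the "Cannot recover key" line in the later debug output. Because JKS and JCEKS store and key passwords can differ, test both rather than assuming one value.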