Environment
Access Manager 4.4
Access Manager 4.5
Access Manager 4.5.1
Situation
- Access Manager has been configured as a SAML2 IDP server
- The SAML2 Service Provider metadata includes two signing certificates (KeyDescriptor entries), one of which has expired
- The Service Provider is not initialized / loaded at the IDP server; catalina.out shows the following error:
<amLogEntry> SEVERE NIDS Application:AM#100105007:AMDEVICEID#5BD7DB57BD3EC3A0:AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02:Error verifying metadata certificates while loading trusted provider http://login.kgast.org/adfs/services/trust com.novell.nidp.NIDPException: Certification path could not be validated.Could not validate certificate: NotAfter: Sat Jan 14 14:23:34 CET 2017 Root Cause: java.security.cert.CertPathBuilderException: Certification path could not be validated.</amLogEntry>
- Because the SP was never loaded, SAML Authentication Requests from it fail with the following error (catalina.out):
<amLogEntry> 2019-10-28T13:05:21Z WARNING NIDS SAML2: Entity Provider not found with the provider id as http://login.kgast.org/adfs/services/trust </amLogEntry>
Warning: Invalid resource key: Request was from an untrusted provider. No prefix!
Resolution
- This issue has been reported to engineering
- As a workaround:
- edit the SAML2 SP metadata and remove the KeyDescriptor entry that carries the expired signing certificate (the one whose NotAfter date is quoted in the error); keep the valid one
- re-import the modified metadata and apply the changes so the SP is loaded again
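The workaround above is a manual edit of the SP metadata. The following script, added here as an example and not part of Access Manager or of this article, automates the check: it walks each signing KeyDescriptor in an SPSSODescriptor, reads the NotAfter date straight out of the DER certificate (a small DER walker, so no third-party crypto library is required), and drops the descriptors that expired before a given date. The metadata document and the two certificates in it are constructed for the example (the certificates are unsigned DER skeletons with only the fields the walker reads); the entity ID and the expiry date are the ones quoted in the log above. A KeyDescriptor with no `use` attribute is valid for signing and encryption and is therefore checked as well.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def _der_tlv(buf, pos):
    """Decode the DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _x509_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 means 19YY, else 20YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_not_after(der):
    """Walk Certificate > tbsCertificate > validity > notAfter without parsing anything else."""
    _, p, _ = _der_tlv(der, 0)              # Certificate SEQUENCE
    _, p, _ = _der_tlv(der, p)              # tbsCertificate SEQUENCE
    tag, _, end = _der_tlv(der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = end
        _, _, end = _der_tlv(der, p)
    p = end                                 # past serialNumber
    for _ in range(2):                      # skip signature AlgorithmIdentifier and issuer Name
        _, _, p = _der_tlv(der, p)
    _, p, _ = _der_tlv(der, p)              # validity SEQUENCE
    _, _, p = _der_tlv(der, p)              # skip notBefore
    tag, start, end = _der_tlv(der, p)      # notAfter
    return _x509_time(tag, der[start:end])


def strip_expired_signing_certs(metadata_xml, now):
    """Remove every signing-capable KeyDescriptor whose certificate expired before `now`.
    Returns (new_xml, [NotAfter of each removed certificate])."""
    root = ET.fromstring(metadata_xml)
    removed = []
    for sp in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        for kd in list(sp.findall("md:KeyDescriptor", NS)):
            if kd.get("use", "signing") != "signing":   # no `use` attribute = signing + encryption
                continue
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is None or not cert.text:
                continue
            not_after = cert_not_after(base64.b64decode(re.sub(r"\s+", "", cert.text)))
            if not_after < now:
                sp.remove(kd)
                removed.append(not_after)
    return ET.tostring(root, encoding="unicode"), removed


def signing_cert_count(metadata_xml):
    root = ET.fromstring(metadata_xml)
    return sum(1 for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor") if kd.get("use", "signing") == "signing")


# ---- constructed sample input (hypothetical; not real metadata or real certificates) ----
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def dummy_cert(not_before, not_after):
    """UNSIGNED DER skeleton with just the fields cert_not_after() walks; not a usable certificate."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")          # version, serial
                 + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSA
                 + _tlv(0x30, b"") + _tlv(0x30, utc(not_before) + utc(not_after))  # issuer, validity
                 + _tlv(0x30, b"") + _tlv(0x30, b""))                              # subject, SPKI
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def _key_descriptor(der, use="signing"):
    b64 = base64.b64encode(der).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')


# Expired cert carries the NotAfter from the log above (14:23:34 CET = 13:23:34 UTC).
EXPIRED = datetime(2017, 1, 14, 13, 23, 34, tzinfo=timezone.utc)
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
    'entityID="http://login.kgast.org/adfs/services/trust">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key_descriptor(dummy_cert(datetime(2016, 1, 14, tzinfo=timezone.utc), EXPIRED))
    + _key_descriptor(dummy_cert(datetime(2019, 1, 1, tzinfo=timezone.utc),
                                 datetime(2030, 1, 1, tzinfo=timezone.utc)))
    + '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
      'Location="https://login.kgast.org/adfs/ls/" index="0"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)

if __name__ == "__main__":
    fixed, removed = strip_expired_signing_certs(
        SAMPLE_METADATA, now=datetime(2019, 11, 6, tzinfo=timezone.utc))
    print(f"removed {len(removed)} expired signing certificate(s): {removed}")
    print(fixed)
```

Run it against a real SP metadata file by replacing SAMPLE_METADATA with the file contents and `now` with the current time; the resulting document is what gets re-imported in the Administration Console. The walker deliberately reads only the validity field, so it does not verify the signature or the chain; that is the IDP's job once the expired entry is gone.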
Additional Information
Troubleshooting:
- Enable the following IDP cluster Auditing and Logging options
- File Logging Enabled
- Echo To Console: checked
- Component File Logger Levels: Application, Liberty, SAML2
- stop the IDP Server and clear out catalina.out: " > /opt/novell/nam/idp/logs/catalina.out"
- start the IDP Server and wait until it is up and running
- use grep "trusted provider" /opt/novell/nam/idp/logs/catalina.out to review catalina.out; an SP whose metadata could not be verified is reported with AM#100105007 (SEVERE), every provider that was loaded with AM#500105038 (INFO), for example:
<amLogEntry> 2019-11-06T11:35:39Z SEVERE NIDS Application: AM#100105007: AMDEVICEID#5BD7DB57BD3EC3A0: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Error verifying metadata certificates while loading trusted provider http://login.kgast.org/adfs/services/trust
<amLogEntry> 2019-11-06T11:35:40Z INFO NIDS Application: AM#500105038: AMDEVICEID#5BD7DB57BD3EC3A0: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Loaded trusted provider urn:federation:MicrosoftOnline of protocol SAML 2 </amLogEntry>
<amLogEntry> 2019-11-06T11:35:40Z INFO NIDS Application: AM#500105038: AMDEVICEID#5BD7DB57BD3EC3A0: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Loaded trusted provider https://dmuacademic.myprintdesk.net/DSF/asp11/ of protocol SAML 2 </amLogEntry>
<amLogEntry> 2019-11-06T11:35:40Z INFO NIDS Application: AM#500105038: AMDEVICEID#5BD7DB57BD3EC3A0: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Loaded trusted provider IDPCluster of protocol SAML 2 </amLogEntry>
- If there is no error, make sure the SAML Authentication Request includes a valid entity ID that matches the entityID of the imported SP metadata (using a tool like the SAML Tracer browser plugin or Fiddler)
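The grep step above leaves the reader to correlate the "Entity Provider not found" warning with the load messages by eye. The following script, added here as an example and not part of Access Manager or of this article, does that correlation over a catalina.out excerpt: it collects the providers that loaded, the providers whose metadata certificates failed verification (with the NotAfter date from the exception, if present), and the entity IDs that later arrived in an AuthnRequest but were not found, then says which of the page's two failure cases applies. The log excerpt is constructed from the entries quoted on this page.

```python
import re
from datetime import datetime

# Constructed sample excerpt of /opt/novell/nam/idp/logs/catalina.out, built from the entries on this page.
SAMPLE_LOG = """\
<amLogEntry> 2019-11-06T11:35:39Z SEVERE NIDS Application: AM#100105007: AMDEVICEID#5BD7DB57BD3EC3A0: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Error verifying metadata certificates while loading trusted provider http://login.kgast.org/adfs/services/trust com.novell.nidp.NIDPException: Certification path could not be validated.Could not validate certificate: NotAfter: Sat Jan 14 14:23:34 CET 2017 Root Cause: java.security.cert.CertPathBuilderException: Certification path could not be validated.</amLogEntry>
<amLogEntry> 2019-11-06T11:35:40Z INFO NIDS Application: AM#500105038: AMDEVICEID#5BD7DB57BD3EC3A0: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Loaded trusted provider urn:federation:MicrosoftOnline of protocol SAML 2 </amLogEntry>
<amLogEntry> 2019-11-06T11:35:40Z INFO NIDS Application: AM#500105038: AMDEVICEID#5BD7DB57BD3EC3A0: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Loaded trusted provider IDPCluster of protocol SAML 2 </amLogEntry>
<amLogEntry> 2019-11-06T11:40:02Z WARNING NIDS SAML2: Entity Provider not found with the provider id as http://login.kgast.org/adfs/services/trust </amLogEntry>
"""

LOAD_FAILED = re.compile(r"Error verifying metadata certificates while loading trusted provider (\S+)")
# Java's Date.toString() format as it appears in the exception text: "Sat Jan 14 14:23:34 CET 2017"
NOT_AFTER = re.compile(r"NotAfter: (\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) (\d{4})")
LOADED = re.compile(r"Loaded trusted provider (\S+) of protocol ([^<]+?)\s*<")
NOT_FOUND = re.compile(r"Entity Provider not found with the provider id as (\S+)")


def triage(log_text):
    """Summarize provider loading and unresolved AuthnRequest issuers from catalina.out text."""
    loaded, failed, unresolved = [], {}, []
    for line in log_text.splitlines():
        if m := LOAD_FAILED.search(line):
            exp = NOT_AFTER.search(line)
            # Keep the zone name as text: strptime %Z does not understand "CET" portably.
            failed[m.group(1)] = (
                (datetime.strptime(f"{exp.group(1)} {exp.group(3)}", "%a %b %d %H:%M:%S %Y"), exp.group(2))
                if exp else None)
        elif m := LOADED.search(line):
            loaded.append(m.group(1))
        elif m := NOT_FOUND.search(line):
            if m.group(1) not in unresolved:
                unresolved.append(m.group(1))
    return {"loaded": loaded, "failed": failed, "unresolved": unresolved}


def diagnose(summary):
    """Map each entity ID the IDP refused to one of the two cases described in this article."""
    findings = []
    for entity in summary["unresolved"]:
        if entity in summary["failed"]:
            exp = summary["failed"][entity]
            when = f"{exp[0]:%Y-%m-%d %H:%M:%S} {exp[1]}" if exp else "unknown date"
            findings.append((entity, f"metadata load failed: expired certificate (NotAfter {when}); "
                                     "remove the expired KeyDescriptor from the SP metadata and re-import"))
        elif entity in summary["loaded"]:
            findings.append((entity, "provider was loaded; check the request itself (signature, binding)"))
        else:
            findings.append((entity, "no load attempt for this entity ID; compare the AuthnRequest Issuer "
                                     "with the entityID of the imported metadata (SAML Tracer / Fiddler)"))
    return findings


if __name__ == "__main__":
    for entity, message in diagnose(triage(SAMPLE_LOG)):
        print(f"{entity}: {message}")
```

Feed the whole file with `triage(open("/opt/novell/nam/idp/logs/catalina.out").read())` after the restart described above; because the log was cleared before the restart, the load messages it contains belong to the current configuration only.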