AEM 6.2 - Issue with SAML integration
Dear Colleagues,
We are facing the following error when the user is authenticated on the IDP side and the SAML Response is sent back to AEM.
Just to clarify - AEM is installed on WebSphere 8.5.5.13 with SDK 1.8_64.
05.12.2018 11:18:41.011 *ERROR* [WebContainer : 4] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.
05.12.2018 11:18:41.012 *ERROR* [WebContainer : 4] com.adobe.granite.auth.saml.util.SamlReader Document root element "Response", must match DOCTYPE root "null".
05.12.2018 11:18:41.022 *ERROR* [WebContainer : 4] com.adobe.granite.auth.saml.util.SamlReader Failed validating signature.
javax.xml.crypto.dsig.XMLSignatureException: java.security.InvalidKeyException: No installed provider supports this key: com.rsa.cryptoj.o.eg
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:565)
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254)
at com.adobe.granite.auth.saml.util.SamlReader.verifySignatures(SamlReader.java:317)
at com.adobe.granite.auth.saml.util.SamlReader.parse(SamlReader.java:236)
at com.adobe.granite.auth.saml.util.SamlReader.read(SamlReader.java:119)
at com.adobe.granite.auth.saml.binding.PostBinding.receive(PostBinding.java:97)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:738)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:441)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
at org.apache.felix.http.proxy.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
at org.apache.sling.launchpad.base.webapp.SlingServletDelegate.service(SlingServletDelegate.java:286)
at org.apache.sling.launchpad.webapp.SlingServlet.service(SlingServlet.java:174)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1233)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:782)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:481)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1114)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:87)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:949)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:287)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture$1.run(AsyncChannelFuture.java:205)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1892)
Caused by: java.security.InvalidKeyException: No installed provider supports this key: com.rsa.cryptoj.o.eg
at java.security.Signature$Delegate.chooseProvider(Signature.java:1141)
at java.security.Signature$Delegate.engineInitVerify(Signature.java:1174)
at java.security.Signature.initVerify(Signature.java:463)
at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:220)
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:562)
... 41 common frames omitted
05.12.2018 11:18:41.029 *DEBUG* [WebContainer : 4] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
Any idea? Wrong certificate from the IDP side, or maybe it is a matter of missing Java libraries on WebSphere?
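The "No installed provider supports this key" message in the trace is thrown by Signature.Delegate.chooseProvider after every registered JCE provider's Signature implementation has rejected the key object (here a class from IBM's RSA-JSAFE provider, com.rsa.cryptoj.o.eg). A quick way to separate "wrong certificate" from "provider mismatch" is to reproduce that exact initVerify step outside AEM, on the same WebSphere JDK, with the IdP signing certificate. The following is an added diagnostic written for this thread, not code from the original post or from Adobe; the class name SamlKeyProviderCheck, the certificate path argument and the helper names are my own choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;

/**
 * Diagnostic (hypothetical helper, not part of AEM): load the IdP signing
 * certificate, show which JCE providers the JVM has registered and which class
 * backs the public key, then call Signature.initVerify exactly as the XML-DSig
 * layer in the stack trace does. Run it with the WebSphere JDK so the same
 * java.security provider list is in effect.
 */
public class SamlKeyProviderCheck {

    /** Returns the provider that accepted the key for alg, or null if initVerify failed. */
    static String providerAcceptingKey(String alg, PublicKey key) throws Exception {
        try {
            Signature sig = Signature.getInstance(alg);
            sig.initVerify(key);
            return sig.getProvider().getName();
        } catch (InvalidKeyException e) {
            // This is the same exception surfaced as "No installed provider supports this key".
            System.out.println("  " + alg + ": initVerify failed - " + e.getMessage());
            return null;
        }
    }

    /** Re-encodes the key through KeyFactory so it is backed by the default provider's class. */
    static PublicKey reencodeKey(PublicKey key) throws Exception {
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm());
        return kf.generatePublic(new X509EncodedKeySpec(key.getEncoded()));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SamlKeyProviderCheck <idp-signing-cert.pem-or-der>");
            System.exit(2);
        }

        // 1. Provider order matters: chooseProvider walks this list top to bottom.
        System.out.println("Registered security providers (priority order):");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " - " + p.getInfo());
        }

        // 2. Load the IdP certificate the way a SAML handler would (PEM or DER X.509).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        PublicKey key = cert.getPublicKey();
        System.out.println("Certificate subject : " + cert.getSubjectX500Principal());
        System.out.println("Certificate provider: " + cf.getProvider().getName());
        System.out.println("Key algorithm/format: " + key.getAlgorithm() + " / " + key.getFormat());
        System.out.println("Key class           : " + key.getClass().getName());

        // 3. Try the signature algorithms commonly used for SAML responses.
        String[] algs = { "SHA1withRSA", "SHA256withRSA" };
        for (String alg : algs) {
            String provider = providerAcceptingKey(alg, key);
            System.out.println(alg + " with original key object -> "
                    + (provider == null ? "REJECTED" : "accepted by " + provider));
        }

        // 4. Same check after normalising the key object through KeyFactory.
        //    If this succeeds where step 3 failed, the certificate itself is fine and the
        //    problem is which provider produced the key object, not the IdP's signature.
        PublicKey normalised = reencodeKey(key);
        System.out.println("Re-encoded key class: " + normalised.getClass().getName());
        for (String alg : algs) {
            String provider = providerAcceptingKey(alg, normalised);
            System.out.println(alg + " with re-encoded key object -> "
                    + (provider == null ? "REJECTED" : "accepted by " + provider));
        }
    }
}
```

Compile and run it with the JDK that WebSphere actually uses (the one whose java.security lists the provider order), passing the IdP signing certificate exported from the SAML metadata. If step 3 fails but step 4 succeeds, the certificate is valid and the failure is a provider-configuration mismatch between the CertificateFactory that produced the key object and the Signature implementations available to the XML-DSig code; if both fail for every algorithm, look at the certificate and key type first.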