No installed provider supports this key: com.rsa.cryptoj.o.eg error during SAML authentication | Community
March 14, 2018
Solved

No installed provider supports this key: com.rsa.cryptoj.o.eg error during SAML authentication


We have set up the SAML authentication handler in our AEM instance, following this link:

SAML 2.0 Authentication Handler

We are getting the login screen of the IdP, and after login I am being redirected to http://<server>/libs/granite/core/content/login.error.html?j_reason=invalid_token

The following is the error that appears in the log:

14.03.2018 03:01:59.223 *ERROR* [qtp-1211009574-2288] com.adobe.granite.auth.saml.util.SamlReader Failed validating signature.
javax.xml.crypto.dsig.XMLSignatureException: java.security.InvalidKeyException: No installed provider supports this key: com.rsa.cryptoj.o.eg
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:565)
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254)
        at com.adobe.granite.auth.saml.util.SamlReader.verifySignatures(SamlReader.java:317)
        at com.adobe.granite.auth.saml.util.SamlReader.parse(SamlReader.java:236)
        at com.adobe.granite.auth.saml.util.SamlReader.read(SamlReader.java:119)
        at com.adobe.granite.auth.saml.binding.PostBinding.receive(PostBinding.java:108)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:759)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:457)
        at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:76)
        at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:732)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:480)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460)
        at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:131)
        at org.apache.felix.http.base.internal.whiteboard.PerBundleServletContextImpl.handleSecurity(PerBundleServletContextImpl.java:81)
        at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
        at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:128)
        at org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
        at org

Let me know if I need to install any jar under java/jre/lib/security to make the authentication successful.


10 replies

kautuk_sahni
Community Manager
March 15, 2018

Veena_07 Any help here?

Kautuk Sahni
smacdonald2008
Level 10
March 15, 2018

See our new end-to-end SAML article that shows a real-world example -- Integrating SAML with Adobe Experience Manager

March 15, 2018

The IdP certificate is not a valid one, as the SAML Auth Handler is trying to validate the SAML Response against the certificate added into the AEM trust store.

Please correct the certificate and you should not see this issue.

The same can be seen in the API as well:

  // Decompiled from com.adobe.granite.auth.saml.util.SamlReader (AEM). publicKey is the public key
  // of the IdP certificate held in the AEM trust store.
  private boolean verifySignatures(Element parentElement, Element signedElement, Key publicKey)
  {
    if (publicKey != null)
    {
      NodeList signatureNodes = signedElement.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
      if (signatureNodes.getLength() == 0)
      {
        this.log.warn("Received SAML message without signature element.");
        return false;
      }
      // Every ds:Signature found must validate; the first failure rejects the whole message.
      for (int j = 0; j < signatureNodes.getLength(); j++) {
        try
        {
          DOMValidateContext valContext = new DOMValidateContext(publicKey, signatureNodes.item(j));
          // Register the ID attributes so that a Reference URI="#..." can be resolved.
          valContext.setIdAttributeNS(signedElement, null, "ID");
          valContext.setIdAttributeNS(parentElement, null, "ID");
          // JSR-105 provider: Apache Santuario's XMLDSigRI unless overridden with -Djsr105Provider.
          String providerName = System.getProperty("jsr105Provider", "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI");
          XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM", (Provider)Class.forName(providerName).newInstance());

          XMLSignature signature = sigFactory.unmarshalXMLSignature(valContext);
          // validate() wraps the JCE provider's InvalidKeyException in an XMLSignatureException,
          // which is where "No installed provider supports this key" surfaces in the log.
          if (!signature.validate(valContext)) {
            return false;
          }
        }
        catch (MarshalException e)
        {
          this.log.error("Could not unmarshal XML signature.", e);
          return false;
        }
        catch (XMLSignatureException e)
        {
          this.log.error("Failed validating signature.", e);
          return false;
        }
        catch (ClassNotFoundException e)
        {
          this.log.error("Failed obtaining the signature provider: ", e);
          return false;
        }
        catch (InstantiationException e)
        {
          this.log.error("Failed obtaining the signature provider: ", e);
          return false;
        }
        catch (IllegalAccessException e)
        {
          this.log.error("Failed obtaining the signature provider: ", e);
          return false;
        }
      }
    }
    else
    {
      this.log.warn("Could not verify signatures. Public key of IdP not provided.");
      return false;
    }
    return true;
  }

As you can see, it is trying to validate against the IdP certificate, which is what produces the error.

March 16, 2018

What I understand is that the error occurs only while validating the signature. To me it seems to be some JDK-related issue. I have cross-checked the certificate and it is correct.

  14.03.2018 03:01:59.223 *ERROR* [qtp-1211009574-2288] com.adobe.granite.auth.saml.util.SamlReader Failed validating signature.
  javax.xml.crypto.dsig.XMLSignatureException: java.security.InvalidKeyException: No installed provider supports this key: com.rsa.cryptoj.o.eg
          at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:565
March 16, 2018

I do not believe this is a jar issue.  I think the encryption used by the IdP is different from the one provided to you.

https://examples.javacodegeeks.com/core-java/security/invalidkeyexception/java-security-invalidkeyexception-how-to-solve…

Again this is also a hunch as I am not exactly sure why this is happening.

March 16, 2018

I tried updating local_policy.jar and US_export_policy.jar jars also but no luck. I am still getting the same exception.

VeenaVikraman
Community Advisor
March 16, 2018

No kautuksahni, I have not worked with SAML. I am sorry for not being much help here.

Peter_Puzanovs
Community Advisor
Accepted solution
March 16, 2018

Hi,

There are no issues here with Adobe code.

The problem seems to be with the Java JDK system.

You should be able to reproduce this issue solely on the JVM with your certificates (keys), without Adobe code.

Depending on the JVM you use, you might need to add additional extensions to handle: com.rsa.cryptoj.o.eg

Regards,

Peter
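An added example, not code from the thread or from Adobe, of reproducing the failure on a bare JVM as Peter suggests, built on the verifySignatures logic quoted earlier in the thread: it loads the IdP certificate, validates the signatures on a captured SAML Response the way AEM does, and on the same XMLSignatureException retries with the key re-wrapped by the JDK's own RSA provider, so that a success on the retry isolates the fault to the key's provider class rather than the certificate. The class name, the two file arguments and the RSA assumption are mine, and the IdP certificate is assumed to have been exported to a PEM or DER file.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.spec.X509EncodedKeySpec;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Validates the ds:Signature(s) of a saved SAML Response against the IdP certificate, outside AEM.
 *  Usage: java SamlSignatureProbe <idp-cert.pem|der> <saml-response.xml>   (hypothetical probe) */
public class SamlSignatureProbe {
    public static void main(String[] args) throws Exception {
        PublicKey idpKey = CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(args[0])).getPublicKey();
        // The exception names this class: a non-JDK class (e.g. com.rsa.cryptoj.*) means another JCE provider built the key object.
        System.out.println("key class: " + idpKey.getClass().getName() + " (" + idpKey.getAlgorithm() + ")");
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[1]));
        try {
            System.out.println("valid with key as loaded: " + validate(doc, idpKey));
        } catch (XMLSignatureException e) {
            // Same failure as AEM? Re-wrap the (assumed RSA) key with the JDK's own provider and retry.
            System.out.println("as loaded: " + e);
            PublicKey jdkKey = KeyFactory.getInstance("RSA", "SunRsaSign")
                    .generatePublic(new X509EncodedKeySpec(idpKey.getEncoded()));
            System.out.println("valid with SunRsaSign key: " + validate(doc, jdkKey));
        }
    }

    /** Mirrors AEM's SamlReader.verifySignatures: every ds:Signature in the document must validate. */
    static boolean validate(Document doc, PublicKey key) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) throw new IllegalStateException("no ds:Signature element");
        // JDK JSR-105 provider by default; -Djsr105Provider=org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI reproduces AEM's choice.
        String prov = System.getProperty("jsr105Provider");
        XMLSignatureFactory fac = prov == null ? XMLSignatureFactory.getInstance("DOM")
                : XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(prov).getDeclaredConstructor().newInstance());
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < sigs.getLength(); i++) {
            DOMValidateContext ctx = new DOMValidateContext(key, sigs.item(i));
            for (int j = 0; j < all.getLength(); j++) {   // register ID attributes so Reference URI="#..." resolves
                Element el = (Element) all.item(j);
                if (el.hasAttribute("ID")) ctx.setIdAttributeNS(el, null, "ID");
            }
            if (!fac.unmarshalXMLSignature(ctx).validate(ctx)) return false;
        }
        return true;
    }
}
```

Run it once with the JVM's default providers and once with the same java.security provider list as the AEM instance; if only the second run fails on the key as loaded but passes after re-wrapping, the extra JCE provider, not the IdP certificate, is what the XMLDSig implementation cannot handle.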

smacdonald2008
Level 10
March 16, 2018

There is a lot of useful information here. Can you please close off this thread.

March 16, 2018

Again, this would be the issue with the encryption used by the IdP to sign the assertion. I would recommend you ask the IdP which encryption they are using.