This conversation has been locked due to inactivity. Please create a new post.
Dear Colleagues,
We are facing the following error when the user is authenticated on the IDP side and the SAML Response is sent back to AEM.
Just to clarify - AEM is installed on WebSphere 8.5.5.13 with SDK 1.8_64.
05.12.2018 11:18:41.011 *ERROR* [WebContainer : 4] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.
05.12.2018 11:18:41.012 *ERROR* [WebContainer : 4] com.adobe.granite.auth.saml.util.SamlReader Document root element "Response", must match DOCTYPE root "null".
05.12.2018 11:18:41.022 *ERROR* [WebContainer : 4] com.adobe.granite.auth.saml.util.SamlReader Failed validating signature.
javax.xml.crypto.dsig.XMLSignatureException: java.security.InvalidKeyException: No installed provider supports this key: com.rsa.cryptoj.o.eg
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:565)
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254)
at com.adobe.granite.auth.saml.util.SamlReader.verifySignatures(SamlReader.java:317)
at com.adobe.granite.auth.saml.util.SamlReader.parse(SamlReader.java:236)
at com.adobe.granite.auth.saml.util.SamlReader.read(SamlReader.java:119)
at com.adobe.granite.auth.saml.binding.PostBinding.receive(PostBinding.java:97)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:738)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:441)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
at org.apache.felix.http.proxy.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
at org.apache.sling.launchpad.base.webapp.SlingServletDelegate.service(SlingServletDelegate.java:286)
at org.apache.sling.launchpad.webapp.SlingServlet.service(SlingServlet.java:174)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1233)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:782)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:481)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1114)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:87)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:949)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:287)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture$1.run(AsyncChannelFuture.java:205)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1892)
Caused by: java.security.InvalidKeyException: No installed provider supports this key: com.rsa.cryptoj.o.eg
at java.security.Signature$Delegate.chooseProvider(Signature.java:1141)
at java.security.Signature$Delegate.engineInitVerify(Signature.java:1174)
at java.security.Signature.initVerify(Signature.java:463)
at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:220)
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:562)
... 41 common frames omitted
05.12.2018 11:18:41.029 *DEBUG* [WebContainer : 4] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
Any idea? Wrong certificate from the IDP side, or maybe it is a matter of missing Java libraries on WebSphere?
It appears because of missing libraries or libs not being loaded. Try the items below:
Installing and configuring AEM 6.3 forms - Boot delegate RSA and BouncyCastle libraries.
Could not initialize class com.rsa.cryptoj.o.dl error
Thanks
Wasil
Does your JVM have Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8 Downloa... installed?
Regards,
Peter
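A diagnostic for the two suggestions above (provider libraries not loaded, JCE policy files), added here as an example and not part of any post in this thread. The class name `ProviderCheck`, the algorithm `SHA256withRSA` and the generated stand-in key are assumptions; run it with the same JVM and classpath as the failing server.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

// Added diagnostic (hypothetical class, not AEM or WebSphere code).
public class ProviderCheck {

    // Names of the registered providers whose Signature implementation accepts `key`.
    // An empty list corresponds to "No installed provider supports this key".
    static List<String> providersAccepting(String algorithm, PublicKey key) {
        List<String> accepted = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("Signature", algorithm) == null) {
                continue; // this provider does not offer the algorithm at all
            }
            try {
                Signature.getInstance(algorithm, p).initVerify(key);
                accepted.add(p.getName());
            } catch (GeneralSecurityException e) {
                // InvalidKeyException: provider cannot handle this key class
            }
        }
        return accepted;
    }

    public static void main(String[] args) throws Exception {
        // 1. Which JCA providers are registered, in preference order.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " -> " + p.getClass().getName());
        }
        // 2. JCE policy: Integer.MAX_VALUE means unlimited strength, 128 means limited.
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));

        // 3. Constructed sample key; for a real check, load the public key
        //    from the IdP certificate configured in the SAML handler instead.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PublicKey key = kpg.generateKeyPair().getPublic();
        System.out.println("Key class: " + key.getClass().getName());
        System.out.println("Accepting providers: " + providersAccepting("SHA256withRSA", key));
    }
}
```

The printed key class shows which provider produced the key object; in the log above that class is `com.rsa.cryptoj.o.eg`, and the exception means none of the registered `Signature` implementations accepted it.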
For those reading this who want information on 6.3 and SAML - see:
Hi,
In the case of local environment integration, everything works as expected. There is a problem in the case of AEM installed on WebSphere.