HTTP ERROR 500 Problem accessing /sso/saml2/login. Reason: Server Error Caused by: java.lang.RuntimeException: Unable to marshall the protocol message for request: [email protected] at common.saml2.MessageEncoder.generateRedirectURL(MessageEncoder.java:64) at common.saml2.AuthenticationRequest.generateRedirectURL(AuthenticationRequest.java:80) at common.sso.saml2.SAML2Login.saml2Login(SAML2Login.java:165) at common.sso.saml2.SAML2Login.doGet(SAML2Login.java:62) at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:821) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1685) at com.ca.im.portal.common.web.security.RequestFilter.doFilter(RequestFilter.java:26) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1158) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1090) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213) at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119) at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:318) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119) at org.eclipse.jetty.server.Server.handle(Server.java:517) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:306) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:242) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:192) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75) at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213) at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572) at java.lang.Thread.run(Thread.java:748) Caused by: org.opensaml.ws.message.encoder.MessageEncodingException: The signing credential's algorithm URI could not be derived at org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.getSignatureAlgorithmURI(HTTPRedirectDeflateEncoder.java:222) at org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.buildRedirectURL(HTTPRedirectDeflateEncoder.java:187) at common.saml2.MessageEncoder.generateRedirectURL(MessageEncoder.java:57) ... 37 more Caused by: org.opensaml.ws.message.encoder.MessageEncodingException: The signing credential's algorithm URI could not be derived at

Currently, there can only be one certificate in the SAML2 keystore referenced from the saml2.properties file.

When listing the keystore you should only see one key pair.

CA Performance Mangement

Make sure the SAML keystore only contains the one key pair.

The root and any intermediates are imported into the Java cacerts keystore per the documentation

https://docops.ca.com/ca-performance-management/3-6/en/administrating/single-sign-on/set-up-saml-2-0-support/how-to-set-up-saml-authentication/set-up-saml-certificates