HTTP ERROR 500 Problem accessing /sso/saml2/login. Reason: Server Error

Products

CA Infrastructure Management CA Infrastructure Management CA Performance Management - Usage and Administration CA Performance Management - Data Polling

Issue/Introduction

HTTP ERROR 500 Problem accessing /sso/saml2/login. Reason: Server Error Caused by: java.lang.RuntimeException: Unable to marshall the protocol message for request: [email protected] at common.saml2.MessageEncoder.generateRedirectURL(MessageEncoder.java:64) at common.saml2.AuthenticationRequest.generateRedirectURL(AuthenticationRequest.java:80) at common.sso.saml2.SAML2Login.saml2Login(SAML2Login.java:165) at common.sso.saml2.SAML2Login.doGet(SAML2Login.java:62) at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:821) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1685) at com.ca.im.portal.common.web.security.RequestFilter.doFilter(RequestFilter.java:26) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1158) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1090) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213) at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119) at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:318) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119) at org.eclipse.jetty.server.Server.handle(Server.java:517) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:306) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:242) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:192) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75) at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213) at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572) at java.lang.Thread.run(Thread.java:748) Caused by: org.opensaml.ws.message.encoder.MessageEncodingException: The signing credential's algorithm URI could not be derived at org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.getSignatureAlgorithmURI(HTTPRedirectDeflateEncoder.java:222) at org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.buildRedirectURL(HTTPRedirectDeflateEncoder.java:187) at common.saml2.MessageEncoder.generateRedirectURL(MessageEncoder.java:57) ... 37 more Caused by: org.opensaml.ws.message.encoder.MessageEncodingException: The signing credential's algorithm URI could not be derived at

Cause

Currently, there can only be one certificate in the SAML2 keystore referenced from the saml2.properties file.

When listing the keystore you should only see one key pair.

Environment

CA Performance Mangement

Resolution

Make sure the SAML keystore only contains the one key pair.

The root and any intermediates are imported into the Java cacerts keystore per the documentation

Additional Information

https://docops.ca.com/ca-performance-management/3-6/en/administrating/single-sign-on/set-up-saml-2-0-support/how-to-set-up-saml-authentication/set-up-saml-certificates