When attempting to implement SAML authentication (SSO) for DLP, the DLP localhost log shows the following error:
Signature trust establishment failed for metadata entry [Server Name]
The console will show an "unauthorized" error when trying to log in.
One of three things is happening here:
1) The signing certificate from the Identity Provider (IdP) wasn't added to the DLP samlkeystore.
See below (<SNIPPED DATA>) for its location in the IdP metadata; it is the X509Certificate under the KeyDescriptor with use="signing":
<KeyDescriptor use="signing">
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
            <X509Certificate><SNIPPED DATA>
            </X509Certificate>
        </X509Data>
    </KeyInfo>
</KeyDescriptor>
In some cases it has also been necessary to add the signing certificate to Java's "cacerts" keystore as well. The certificate is imported in PEM form:
-----BEGIN CERTIFICATE-----
MII.....tJk5lw==
-----END CERTIFICATE-----
The command to import it into the DLP samlkeystore will look similar to the following (run it from the directory containing samlkeystore.jks, or give the full path to the keystore):
keytool -import -alias signing_cert -keystore samlkeystore.jks -file signing_cert.crt -storepass protect
2) The IdP metadata has the wrong assertion URL for the domain the signing certificate was issued to. DLP's Spring implementation performs SSL hostname verification (sslHostnameVerification), and this cannot presently be disabled for SSO. Either update the IdP metadata in DLP so the URLs reflect the domain in the certificate, or reissue the IdP certificate for the correct domain.
3) Some IdP providers generate two types of metadata files: generic and application-specific. For DLP, use the application-specific metadata.
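The checks for causes 1 and 2 can be scripted. The following is an added example, not part of the original article and not Symantec DLP code: it parses an IdP metadata file, extracts every signing certificate (the X509Certificate under a KeyDescriptor with use="signing", or with no use attribute, which the SAML metadata spec treats as usable for both signing and encryption), writes each one as PEM for keytool, prints the SHA-1 and SHA-256 fingerprints to compare against "keytool -list -v -keystore samlkeystore.jks", and lists the endpoint hostnames from the metadata so they can be compared with the certificate's CN/SAN as shown by "keytool -printcert -file idp_signing_1.pem". The embedded metadata and certificate bytes are constructed placeholders (not a real X.509 certificate); the output file names and the keystore alias are assumptions.

```python
"""Added example (not Symantec DLP code): extract the IdP signing certificate(s)
from SAML metadata, emit PEM for keytool, and print fingerprints and endpoint
hostnames for comparison with the DLP samlkeystore."""
import base64
import hashlib
import sys
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata. The certificate bodies are placeholder bytes,
# not real X.509 certificates, so the script runs offline; pass the path of a
# real idp-metadata.xml on the command line to use it for real.
_PLACEHOLDER_DER = b"PLACEHOLDER CERT BODY"
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            {cert}
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{enc}</X509Certificate></X509Data>
      </KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=base64.b64encode(_PLACEHOLDER_DER).decode(),
           enc=base64.b64encode(b"ENCRYPTION CERT BODY").decode())


def signing_certs_der(metadata_xml: str) -> list:
    """DER bytes of every certificate usable for signing.

    KeyDescriptor use="signing" counts, and so does a KeyDescriptor with no
    use attribute (both uses). use="encryption" is skipped. More than one
    certificate comes back while the IdP is rolling its signing key."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())  # drop line breaks/indent
            certs.append(base64.b64decode(b64, validate=True))
    return certs


def to_pem(der: bytes) -> str:
    """Wrap DER in the PEM armour that keytool -import accepts."""
    lines = textwrap.wrap(base64.b64encode(der).decode(), 64)
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest, the form keytool -list -v prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def endpoint_hostnames(metadata_xml: str) -> set:
    """Hostnames of every Location= endpoint in the metadata. DLP verifies the
    hostname against the certificate, so these must match its CN/SAN."""
    root = ET.fromstring(metadata_xml)
    hosts = set()
    for el in root.iter():
        host = urlparse(el.get("Location", "")).hostname
        if host:
            hosts.add(host)
    return hosts


def main(path=None) -> None:
    xml_text = open(path).read() if path else SAMPLE_METADATA
    certs = signing_certs_der(xml_text)
    if not certs:
        sys.exit("no signing certificate found in metadata")
    for i, der in enumerate(certs, 1):
        name = f"idp_signing_{i}.pem"          # assumed file name
        with open(name, "w") as fh:
            fh.write(to_pem(der) + "\n")
        print(f"{name}: SHA1 {fingerprint(der, 'sha1')}  SHA256 {fingerprint(der)}")
        print(f"  keytool -import -trustcacerts -alias idp_signing_{i} "
              f"-keystore samlkeystore.jks -file {name} -storepass protect")
    print("endpoint hostnames to compare with the certificate's CN/SAN:",
          ", ".join(sorted(endpoint_hostnames(xml_text))))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against the real idp-metadata.xml, import each PEM it writes, then confirm with "keytool -list -v -keystore samlkeystore.jks -storepass protect" that an entry with the printed SHA-256 fingerprint exists. If the fingerprint is present but the error persists, compare the listed hostnames with the Owner/SAN fields of "keytool -printcert -file idp_signing_1.pem" to confirm cause 2 before touching the IdP metadata.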