
Signature trust establishment failed for metadata entry for SAML (SSO) authentication


Article ID: 237327


Products

Data Loss Prevention Enforce

Issue/Introduction

When attempting to implement SAML authentication (SSO) for DLP, the DLP localhost log shows the following error:

Signature trust establishment failed for metadata entry [Server Name]

The console will show an "unauthorized" error when trying to log in.

Resolution

One of two things is happening here.
1) The signing certificate from the Identity Provider (IdP) was not added to the DLP samlkeystore. Extract it from the idp-metadata.xml: it is found in the KeyDescriptor element with use="signing", as shown below.

    <KeyDescriptor use="signing">
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
                <X509Certificate>[base64-encoded certificate removed]</X509Certificate>
            </X509Data>
        </KeyInfo>
    </KeyDescriptor>

Copy that into a text document as follows, save it as a .crt file, then import it into the SAML keystore:

-----BEGIN CERTIFICATE-----
[base64-encoded certificate removed]
-----END CERTIFICATE-----


The command to import it will look similar to the following:


keytool -import -alias signing_cert -keystore samlkeystore.jks -file signing_cert.crt -storepass protect
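The extraction step above, as an added example (not Symantec DLP tooling): it parses idp-metadata.xml, picks only the KeyDescriptor entries valid for signing, and wraps the certificate body in the PEM armor keytool expects. The sample metadata is constructed and its certificate bodies are base64 placeholders, not real certificates.

```python
"""Extract the IdP signing certificate from idp-metadata.xml and emit it as a
PEM .crt ready for 'keytool -import'. Added example, not Symantec DLP code."""
import base64
import textwrap
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces (the latter is the xmlns in the KB snippet)
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample idp-metadata.xml; certificate bodies are base64 placeholders, not real certs.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>RU5DUllQVElPTkNFUlQ=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          U0lHTklOR0NFUlQtUExBQ0VIT0xERVI=
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def signing_certificates(metadata_xml):
    """Base64 bodies of every IdP certificate valid for signing. A KeyDescriptor
    without a 'use' attribute covers both signing and encryption, so it counts too."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only key: importing it will not clear the trust error
        for x509 in kd.iterfind(".//ds:X509Certificate", NS):
            body = "".join((x509.text or "").split())  # drop the XML's line breaks/indent
            base64.b64decode(body, validate=True)      # fail early on a mangled copy
            certs.append(body)
    return certs

def to_pem(body):
    """Wrap a bare base64 body in PEM armor, 64 chars per line, as keytool expects."""
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(to_pem(signing_certificates(SAMPLE_METADATA)[0]), end="")  # redirect to signing_cert.crt
```

Redirect the output to signing_cert.crt and use it as the -file argument of the keytool command above; if the list comes back empty, the metadata has no signing key to import and the IdP export is the thing to fix.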

2) The idp-metadata has the wrong assertion URL for the domain the signing certificate was created for. DLP performs SSL hostname verification in its Spring implementation, and this cannot presently be disabled for SSO. Update the IdP metadata in DLP to reflect the correct certificate domain, or update the IdP certificate with the correct domain.