Primary certificate serial number or issuer dn is empty or null
search cancel

Primary certificate serial number or issuer dn is empty or null


Article ID: 261391


Updated On:




SP is sending Signed AuthnRequest and IDP is throwing HTTP 500 while trying to generate SAMLResponse.


Release : 12.8.06


"Primary certificate serial number or issuer dn is empty or null" error message appears while trying to generate SAML2Response.

This error indicates there is a problem with the Signature Verification certificate (not the Signing one).

Regardless of whether the IDP side has partnership configuration to say "Require Signed Authentication Requests" set to "Yes" or "No", if a Signed SAMLRequest is received then the Policy Server will look for a verification certificate for signature verification.

In the above sample, there is a "Verification Certificate Alias" defined (which is the Primary certificate) so that will lead Policy Server to load the certificate to perform signature verification.

This is by design.

"Required Signed Authentication" set to "No" only means the SP does not need to sign the SAMLRequest. But if signed then Policy Server must verify it.


In the current use case, the SP has sent a Signed SAMLRequest but the IDP side partnership configuration does not have a Primary Certificate defined.

As a result, Policy Server finds there is no Primary Certificate to verify the signature the SAML2Response process fails and HTTP 500 is returned.

smps.log reports the Configuration Error.

[4428/5868][Fri Mar 03 2023 18:07:10.410][][ERROR][sm-FedServer-00080] preProcess() returns fatal error. 
<ns5:Response xmlns:ns5="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns4="" xmlns:ns3="" xmlns="" ID="_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" InResponseTo="_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" Version="2.0" IssueInstant="2023-03-03T10:07:10.410Z">
    <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.demo.lab</ns2:Issuer>
        <ns5:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
        <ns5:StatusMessage>Configuration error.</ns5:StatusMessage>



If there is a possibility that the SP may send signed SAMLRequest then the IDP must be configured to verify the signature.