SAML HTTP 500 error / login fails

Article ID: 387397

Products

Network Observability Spectrum

Issue/Introduction

SAML configuration is in place, but the login fails with an HTTP 500 error.

Environment

DX NetOps Spectrum

Cause

2025-01-27 14:13:08,692 [https-jsse-nio-8081-exec-10] WARN  org.apache.cxf.fediz.core.samlsso.SAMLProtocolResponseValidator - SAML Response is not trusted
2025-01-27 14:13:08,692 [https-jsse-nio-8081-exec-10] DEBUG org.apache.cxf.fediz.core.processor.SAMLProcessorImpl - The security token could not be authenticated or authorized
org.apache.wss4j.common.ext.WSSecurityException: The security token could not be authenticated or authorized
        at org.apache.cxf.fediz.core.samlsso.SAMLProtocolResponseValidator.validateResponseSignature(SAMLProtocolResponseValidator.java:236) ~[fediz-core-1.4.5.jar:1.4.5]
      ...
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.83]
        at java.lang.Thread.run(Thread.java:829) ~[?:?]
2025-01-27 14:13:08,699 [https-jsse-nio-8081-exec-10] ERROR com.aprisma.spectrum.app.sso.saml2.SamlTomcatSigninHandler - The request was invalid or malformed
org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed

The wrong certificate was imported, or no certificate was imported at all, so Spectrum cannot trust the signature on the SAML response.

Resolution

Enable debug logging:
  • Spectrum 23.3.4 and above
  • Linux and Windows
  • Open Spectrum\tomcat\classes\log4j2.xml
  • Update the following loggers:
    • <Logger name="com.aprisma.tomcat" level="debug"></Logger>
    • <Logger name="org.apache.catalina.authenticator" level="debug"></Logger>
  • and add the following logger:
    • <Logger name="org.apache.cxf.fediz" level="debug"></Logger>
  • A restart is not required.

Then check catalina.out / stdout for this block of events:

2025-01-28 17:10:04,703 [https-jsse-nio-8081-exec-2] DEBUG com.aprisma.tomcat.authenticator.Saml2FederationAuthenticator - reading configuration for context path: /spectrum
2025-01-28 17:10:04,704 [https-jsse-nio-8081-exec-2] INFO  org.apache.cxf.fediz.core.processor.SAMLProcessorImpl - Issuer url: https://idp/saml
2025-01-28 17:10:04,710 [https-jsse-nio-8081-exec-2] DEBUG org.apache.cxf.fediz.core.processor.SAMLProcessorImpl - automatic sig algo detection: RSA
2025-01-28 17:10:04,710 [https-jsse-nio-8081-exec-2] DEBUG org.apache.cxf.fediz.core.processor.SAMLProcessorImpl - Using Signature algorithm http://www.xxxxxxxxxxx/
2025-01-28 17:10:04,713 [https-jsse-nio-8081-exec-2] DEBUG org.apache.catalina.authenticator.FormAuthenticator - Save request in session '09.....................................................................................................8AA'
2025-01-28 17:10:04,714 [https-jsse-nio-8081-exec-2] DEBUG org.apache.cxf.fediz.core.handler.SigninHandler - Sign-In-Response received
2025-01-28 17:10:04,714 [https-jsse-nio-8081-exec-2] DEBUG org.apache.cxf.fediz.core.handler.SigninHandler - Validating RSTR...
2025-01-28 17:10:04,718 [https-jsse-nio-8081-exec-2] DEBUG org.apache.cxf.fediz.core.processor.SAMLProcessorImpl - Received response:
<samlp:Response Destination="https://HOST:8081/spectrum/" ID="ID_e3b1735f-401f-4ee9-a0e7-c9ff15352796" InResponseTo="_4def541a-118a-4410-8741-4e23420ca84b" IssueInstant="2025-01-28T16:03:53.623Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer>https://idp/saml</saml:Issuer><dsig:Signature xmlns:dsig="http://www.XY.org/2000/09/xmldsig#"><dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.XY.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.XY.org/2001/04/xmldsig-more#rsa-sha256"/><dsig:Reference URI="#ID_e3b1735f-401f-4ee9-a0e7-c9ff15352796"><dsig:Transforms><dsig:Transform Algorithm="http://www.XY.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.XY.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.XY.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>KGh2fkvjNypHQ1H2Rbsm59dCneS/dciESU0gWENN7rk=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo>
<dsig:SignatureValue>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</dsig:SignatureValue><dsig:KeyInfo>
<dsig:KeyName>YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</dsig:KeyName>
<dsig:X509Data><dsig:X509Certificate>MIICXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAyt+Z</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>...........
2025-01-28 17:10:04,735 [https-jsse-nio-8081-exec-2] DEBUG org.apache.cxf.fediz.core.samlsso.SAMLProtocolResponseValidator - Issuer 'null' not validated in keystore '/appl/spectrum/custom/keystore/cacerts'
2025-01-28 17:10:04,735 [https-jsse-nio-8081-exec-2] WARN  org.apache.cxf.fediz.core.samlsso.SAMLProtocolResponseValidator - SAML Response is not trusted
2025-01-28 17:10:04,735 [https-jsse-nio-8081-exec-2] DEBUG org.apache.cxf.fediz.core.processor.SAMLProcessorImpl - The security token could not be authenticated or authorized
org.apache.wss4j.common.ext.WSSecurityException: The security token could not be authenticated or authorized

The certificate shown in the <dsig:X509Certificate> element of that response should be imported into cacerts so that it is trusted.

Restart OC after the import.



Additional Information

You can simply copy the value between <dsig:X509Certificate> and </dsig:X509Certificate> into a text file and save it as a .pem file.

Use the .pem file to import the certificate into cacerts as documented in:

Enable Single Sign-On Using SAML Authentication