Question

Caught Exception while validating SAML2 Authentication - No trusted certs found

1) We received the IDP metadata XML.

2) Created an Authentication Service rule and imported the IDP metadata.

3) The SP metadata was auto-populated as well.

4) Verified that the certificate was generated automatically.

5) When we hit the SSO servlet that points to this Authentication Service rule, it navigates to the authentication URL and collects the user credentials; after validation it redirects to Pega SSO, and at that point we get the exception below in the browser window:

"Unable to process the SAML WebSSO request : Unable to process SAML2 Authentication response : Caught Exception while validating SAML2 Authentication response protocol : Error during certificate path validation: No trusted certs found"

I suspect an issue with certificate verification; I guess the certificate has to be added to the trust store.

Can anyone please help with how to install or deploy Keystore.jks on the Tomcat server so that the certificate becomes trusted?

Correct Answer
June 28, 2017 - 6:49am

Got the solution:

Root cause: the auto-generated JKS file did not contain the proper certificate content.

1) Exported the certificate contents from the IDP metadata XML and saved them as a new ".cer" file.

2) Imported the .cer into a new JKS using the keytool command.

3) Uploaded the JKS file to a Keystore rule.

4) Referenced the Keystore rule in the Authentication Service rule.
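Steps 1 and 2 of the answer, worked through as an added example (this is not the poster's code and not Pega's). It parses the IdP metadata, takes the base64 body of every `ds:X509Certificate` under a `KeyDescriptor` that is usable for signing (a `use="encryption"` descriptor is skipped, because that key does not validate the IdP's response), checks that it decodes to DER, wraps it as a PEM `.cer` file and prints the `keytool -importcert` command that builds a new JKS from it. The metadata below is constructed for the example and its certificate bodies are short DER-shaped placeholders, not real certificates; the alias, keystore name and `changeit` password are placeholders to replace. The SHA-256 fingerprint is printed so you can confirm with the IdP operator that the certificate you are about to trust is really theirs, since the metadata file is the only thing vouching for it.

```python
"""Extract the IdP signing certificate from SAML 2.0 metadata and stage it for keytool."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: DER-shaped byte strings (ASN.1 SEQUENCE tag 0x30), NOT real certificates.
PLACEHOLDER_SIGNING_DER = bytes.fromhex("3006020101020102")
PLACEHOLDER_ENCRYPTION_DER = bytes.fromhex("3003020101")

# Constructed sample metadata with the layout a real IdP file has: the certificate body is split
# over lines and indented, as exported metadata usually is.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {base64.b64encode(PLACEHOLDER_SIGNING_DER).decode()[:6]}
          {base64.b64encode(PLACEHOLDER_SIGNING_DER).decode()[6:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {base64.b64encode(PLACEHOLDER_ENCRYPTION_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_signing_certs(metadata_xml: str) -> list[bytes]:
    """Return the DER bytes of each certificate the IdP may sign responses with.

    A KeyDescriptor without a `use` attribute is valid for both signing and encryption, so it
    counts; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for el in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((el.text or "").split())  # drop line breaks and indentation
            der = base64.b64decode(b64, validate=True)
            if not der or der[0] != 0x30:  # a DER certificate starts with an ASN.1 SEQUENCE
                raise ValueError("X509Certificate content does not decode to DER")
            certs.append(der)
    if not certs:
        raise ValueError("no signing certificate found in IdP metadata")
    return certs


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM envelope that keytool and openssl accept as a .cer file."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate, for out-of-band confirmation with the IdP."""
    return hashlib.sha256(der).hexdigest()


def keytool_import_command(cer_path: str, keystore: str, alias: str) -> str:
    """Step 2 of the answer: import the .cer into a new JKS. Password is a placeholder."""
    return (f"keytool -importcert -noprompt -alias {alias} -file {cer_path} "
            f"-keystore {keystore} -storetype JKS -storepass changeit")


if __name__ == "__main__":
    import sys

    # Pass the real metadata path as argv[1]; with no argument the constructed sample is used.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for i, der in enumerate(extract_signing_certs(xml_text)):
        cer_path = f"idp-signing-{i}.cer"
        with open(cer_path, "w") as fh:
            fh.write(to_pem(der))
        print(f"{cer_path}: sha256 {fingerprint(der)}")
        print(keytool_import_command(cer_path, "idp-trust.jks", f"idp-signing-{i}"))
```

The resulting `idp-trust.jks` is what the answer uploads to a Keystore rule in step 3; it holds only the IdP's signing certificate as a trusted entry, which is what the "No trusted certs found" path validation is looking for.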

Comments

June 23, 2017 - 2:57am

Hi,

Please add the certificates to Java using keytool; it will resolve the issue.

June 23, 2017 - 3:06am
Response to SudhakarReddy

Could you please let me know the exact syntax for adding the JKS file to the trust store and the exact path where it has to be placed? (Tomcat server)

December 28, 2017 - 7:26am
Response to GKKRISHNAN

Hi Krishnan,

Could you please elaborate on how you exported the certificate content from the IDP metadata? Did you consider <X509Certificate>?

We are facing a similar issue.

Thanks in advance.

Regards,

Raghunatha