Tech Tip - CA Single Sign-On: Policy Server fails to locate certificate in smkeydatabase

By wonsa03 posted Aug 02, 2016 01:26 AM


CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 2nd August 2016


Symptoms:

Federation login is failing at the Service Provider's signature verification stage:


[03/06/2016][12:49:16.935][12:49:16][26708][4065954672][Saml2Validator.java][verifyXML][1a6f01f9-66967cfe-40e2fce5-b49f63cc-ed28766f-e7][Could not get certificate from trusted key database (IssuerName: EMAILADDRESS=federation@ca.com, CN=CA Certificate Authority - CA, OU="(c) CA, Inc.", O=www.ca.com/lcf is incorporated by reference, L="CA, Inc.", S=PA, C=US US Serial Number: 12345) ]


[03/06/2016][12:49:16.936][12:49:16][26708][4065954672][Saml2Validator.java][verifySignature][1a6f01f9-66967cfe-40e2fce5-b49f63cc-ed28766f-e7][Exception while verifying signature:
com.netegrity.ps.auth.saml.SamlValidationException: Could not get the certificate from the trusted key database.
at com.netegrity.ps.auth.saml.Saml2Validator.verifyXML(Saml2Validator.java:3220)
at com.netegrity.ps.auth.saml.Saml2Validator.verifySignature(Saml2Validator.java:596)
at com.netegrity.ps.auth.saml.Saml2Validator.smAuthenticate(Saml2Validator.java:881)
at com.netegrity.ps.auth.saml.SamlValidator.smAuthenticate(SamlValidator.java:380)


Validated that the certificate named in the log (with CertificateEntry type) exists in the smkeydatabase and that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction patches are applied.


Environment:

R12.52 SP1 Federation Manager or Policy Server release


Cause:

Policy Server failed to locate the certificate because the issuer DN contains special (non-alphanumeric ASCII) characters, such as the quoted commas and parentheses visible in the log line, so the issuer name in the assertion did not match the entry stored in the smkeydatabase.
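The lookup failure above is a DN-string comparison problem. The Python below is an added illustration, not CA's code and not a description of how the Policy Server actually matches smkeydatabase entries: it parses the issuer DN exactly as it appears in the log line and compares it with the same issuer written in a constructed keystore-style form (backslash-escaped commas, ST instead of S). Naive string equality and a split on commas both fail on the quoted commas, while a normalized comparison matches. The KEYSTORE_ISSUER string and the KEY_DB entries are constructed; only the log DN and serial number 12345 come from the page. The parser goes slightly beyond the single case in the log by handling both RFC 4514 backslash escapes and legacy double-quoted values.

```python
import re
from typing import List, Optional, Tuple

# Issuer DN exactly as it appears in the Policy Server log line above.
LOG_ISSUER = (
    'EMAILADDRESS=federation@ca.com, CN=CA Certificate Authority - CA, '
    'OU="(c) CA, Inc.", O=www.ca.com/lcf is incorporated by reference, '
    'L="CA, Inc.", S=PA, C=US'
)

# Constructed: the same issuer as a keystore tool might print it, with
# backslash-escaped commas and ST instead of S. Not taken from the page.
KEYSTORE_ISSUER = (
    'EMAILADDRESS=federation@ca.com, CN=CA Certificate Authority - CA, '
    'OU=(c) CA\\, Inc., O=www.ca.com/lcf is incorporated by reference, '
    'L=CA\\, Inc., ST=PA, C=US'
)

# Attribute-type aliases emitted by different tools (constructed table).
_TYPE_ALIASES = {"S": "ST", "E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (TYPE, value) pairs, respecting quoting and escapes.

    Handles backslash escapes (RFC 4514) and double-quoted values (RFC 1779/2253
    legacy form, as in OU="(c) CA, Inc."). Multi-valued RDNs ('+') and hex
    escapes are out of scope for this illustration.
    """
    rdns: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])        # escaped character is taken literally
            i += 2
        elif c == '"':
            in_quotes = not in_quotes    # quotes delimit; they are not part of the value
            i += 1
        elif c in ",;" and not in_quotes:
            rdns.append("".join(buf))    # an unquoted separator ends the RDN
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    rdns.append("".join(buf))
    if in_quotes:
        raise ValueError("unterminated quote in DN")
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Canonical form for comparison: alias-mapped types, collapsed whitespace,
    case-folded values (most X.500 string attributes are case-insensitive)."""
    out = []
    for attr_type, value in parse_dn(dn):
        attr_type = _TYPE_ALIASES.get(attr_type, attr_type)
        out.append((attr_type, re.sub(r"\s+", " ", value).casefold()))
    return tuple(out)


def dn_matches(a: str, b: str) -> bool:
    """True when two DN strings denote the same name after normalization."""
    return normalize_dn(a) == normalize_dn(b)


# Constructed stand-in for the trusted key database: (alias, issuer DN, serial).
KEY_DB = [
    ("idp-signing-cert", KEYSTORE_ISSUER, "12345"),
    ("unrelated-ca", "CN=Unrelated CA, O=Example Org, C=US", "999"),
]


def find_issuer(db, issuer_dn: str, serial: str) -> Optional[str]:
    """Look up a keystore alias by (issuer DN, serial), the way a trust store is
    queried during SAML signature verification."""
    for alias, dn, sn in db:
        if sn == serial and dn_matches(dn, issuer_dn):
            return alias
    return None


if __name__ == "__main__":
    print("naive string equality:", LOG_ISSUER == KEYSTORE_ISSUER)           # False
    print("naive split on ',':   ", len(LOG_ISSUER.split(",")), "parts")     # 9, not 7
    print("normalized match:     ", dn_matches(LOG_ISSUER, KEYSTORE_ISSUER))  # True
    print("lookup:", find_issuer(KEY_DB, LOG_ISSUER, "12345"))               # idp-signing-cert
```

When diagnosing a "could not get certificate from trusted key database" error, comparing the normalized forms of the DN from the log and the DN reported by your keystore tool shows quickly whether the two differ only in quoting and escaping (the situation this tech tip describes) or in an actual attribute value. Multi-valued RDNs joined with `+` and hex escapes are not handled by this parser.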


Resolution:

The fix is incorporated in the R12.52 SP1 CR6 Policy Server and Federation Manager releases.
