Thread: HTTP Status 401 - Authentication Failed: Error validating SAML message

  1. #1

    Hi everyone, I have a problem like this:

    I can do SSO with my project on localhost, but when I deploy its war file to a Tomcat server on the internet it does not work. In detail: when I choose the IDP and click the login button, it redirects to the web portal. After that I enter my username and password to log in, and it returns a 401 Error Authentication Failed. It's strange because my project works well on localhost. Please help me with this problem.

    Thanks & Regards.

  2. #2

    Hi,

    Can you please check the server logs? There should be additional information about the error. You can also enable additional logging (steps in manual chapter 7.1) and post the result.

    One typical issue causing this is a difference between the time of your server and the IDP. Enabling NTP makes this go away.

    Cheers, Vladi
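
The clock-difference cause mentioned in reply #2 can be checked offline against a captured response. The following is an added example, not part of the original thread and not Spring Security SAML code; the sample XML, the function names and the 60-second skew allowance are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not taken from the thread); signature omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2013-02-28T01:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-02-28T01:00:00Z">
    <saml:Conditions NotBefore="2013-02-28T00:59:00Z"
                     NotOnOrAfter="2013-02-28T01:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix, optional fractional seconds)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_time_window(response_xml, now, skew_seconds=60):
    """List the time-related reasons a validator with this clock would reject.

    Diagnostic only: run it on responses captured from your own logs. It does
    not verify signatures and is not a replacement for the SAML library.
    """
    skew = timedelta(seconds=skew_seconds)  # assumed allowance, adjust to your config
    root = ET.fromstring(response_xml)
    problems = []
    issued = parse_ts(root.get("IssueInstant"))
    if issued - now > skew:
        ahead = (issued - now).total_seconds()
        problems.append(f"IssueInstant is {ahead:.0f}s in the future: local clock is behind the IDP")
    for cond in root.iterfind(".//saml:Conditions", NS):
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_ts(not_before):
            problems.append("assertion not yet valid (NotBefore): local clock is behind the IDP")
        if not_on_or_after and now - skew >= parse_ts(not_on_or_after):
            problems.append("assertion expired (NotOnOrAfter): local clock is ahead or response is stale")
    return problems
```

Pass the server's own `datetime.now(timezone.utc)` as `now`; an empty list means the timestamps are not the reason for the 401.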

  3. #3

    Hi Vladi, this is the error log on my server.
    - FrameworkServlet 'saml': initialization completed in 565 ms
    - No default metadata configured, generating with default values, please pre-configure metadata for production use
    - Created default metadata for system with entityID: mysample.com
    - AuthNRequest;SUCCESS;125.88.132.103
    - PKIX path construction failed for untrusted credential: [subjectName='1.2.840.113549.1.9.1=#1612696e666f4073736f636972636c652e6e6574,CN=idp.ssocircle.com,C=DE,2.5.4.13=#13105938423563597061365a4d466361374f' |credential entityID='http://idp.ssocircle.com']: unable to find valid certification path to requested target
    - SAML protocol message was not signed, skipping XML signature processing
    - SAML protocol message was not signed, skipping XML signature processing
    - AuthNResponse;FAILURE;125.88.132.103
    - AuthNRequest;SUCCESS;125.88.132.103
    - AuthNRequest;SUCCESS;125.88.132.103
    - SAML protocol message was not signed, skipping XML signature processing
    - SAML protocol message was not signed, skipping XML signature processing
    - AuthNResponse;FAILURE;125.88.132.103
    - AuthNRequest;SUCCESS;125.88.132.103
    - SAML protocol message was not signed, skipping XML signature processing
    - SAML protocol message was not signed, skipping XML signature processing
    - AuthNResponse;FAILURE;125.88.132.103
    Last edited by duybinh0208; Feb 28th, 2013 at 01:27 AM.

  4. #4

    Still can't see the exact problem from here. Can you please enable the tracing?

    -V

  5. #5

    I think the error is "PKIX path construction failed for untrusted credential: [subjectName='1.2.840.113549.1.9.1=#1612696e666f4073736f636972636c652e6e6574,CN=idp.ssocircle.com,C=DE,2.5.4.13=#13105938423563597061365a4d466361374f' |credential entityID='http://idp.ssocircle.com']: unable to find valid certification path to requested target". But I don't know how to resolve it, can you see this error?

  6. #6

    Hi Vladi, I have a question.
    When I download the spring-security-saml2-sample project, I see that a samlKeystore.jks file is available in this project.
    But if I deploy this project to a Tomcat server (on the internet), do I need to generate a new keystore for it?
