Running into this issue setting up SAML 2.0 in Java Spring Boot using the latest libraries.
I followed this guide:
Here's some relevant code, but let me know if anything else will help:
@Bean
public KeyManager keyManager() {
    // Keystore holding the SP key; with trustedKeys null in TLSProtocolSocketFactory below, all certificates in it are the TLS trust anchors
    return new JKSKeyManager(keyStoreResource, keystorePassword, ImmutableMap.of(keystoreKeyAlias, keystorePrivateKeyPassword), keystoreKeyAlias);
}
@Bean
public SAMLDiscovery samlIDPDiscovery() {
    return new SAMLDiscovery();
}
@Bean
public MetadataDisplayFilter metadataDisplayFilter() {
    return new MetadataDisplayFilter();
}
@Bean
public TLSProtocolConfigurer tlsProtocolConfigurer() {
    TLSProtocolConfigurer t = new TLSProtocolConfigurer();
    return t;
}
// Configure TLSProtocolConfigurer
@Bean
public ProtocolSocketFactory protocolSocketFactory() {
    //return new TLSProtocolSocketFactory(keyManager(), null, "defaultAndLocalhost");
    return new TLSProtocolSocketFactory(keyManager(), null, "default");
}
@Bean
public Protocol protocol() {
    return new Protocol("https", protocolSocketFactory(), 443);
}
@Bean
public MethodInvokingFactoryBean socketFactoryInitialization() {
    MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
    // Target class and method are required for this bean to initialize (as in the Spring SAML sample config)
    methodInvokingFactoryBean.setTargetClass(Protocol.class);
    methodInvokingFactoryBean.setTargetMethod("registerProtocol");
    methodInvokingFactoryBean.setArguments(new Object[] { "https", protocol() });
    return methodInvokingFactoryBean;
}
@Bean
public CachingMetadataManager metadata() throws MetadataProviderException {
    // httpClient() is another bean of this config (not shown); idpUrl is the HTTPS metadata URL of the IdP
    HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(new Timer(true), httpClient(), idpUrl);
    //ExtendedMetadata em = new ExtendedMetadata(); //Attempt to explicitly add cert alias to extended metadata
    ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider);//, em);
    return new CachingMetadataManager(ImmutableList.<MetadataProvider>of(extendedMetadataDelegate));
}
Here's the error:
2020-05-27 17:02:27.552 ERROR 41402 --- [ main] o.s.s.s.t.MetadataCredentialResolver : PKIX path construction failed for untrusted credential: [subjectName='CN=*,O=Company,L=Location,ST=state,C=US']: unable to find valid certification path to requested target
2020-05-27 17:02:27.556 INFO 41402 --- [ main] o.a.c.httpclient.HttpMethodDirector : I/O exception ( caught when processing request: SSL peer failed hostname validation for name: null
2020-05-27 17:02:27.557 INFO 41402 --- [ main] o.a.c.httpclient.HttpMethodDirector : Retrying request
... SSL peer failed hostname validation for name: null
at ~[openws-1.5.4.jar:na]
at ~[openws-1.5.4.jar:na]
at ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$ ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry( ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod( ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpClient.executeMethod( ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpClient.executeMethod( ~[commons-httpclient-3.1.jar:na]
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata( ~[opensaml-2.6.4.jar:na]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh( [opensaml-2.6.4.jar:na]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization( [opensaml-2.6.4.jar:na]
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize( [opensaml-2.6.4.jar:na]
at [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at ~[classes/:na]
Creating the JKS keystore like so (with an attached key):
keytool -genkeypair \
-v \
-keystore product.jks \
-storepass hidden \
-alias product \
-dname 'CN=localhost, OU=Company, O=Org, L=Loc, ST=State, C=US' \
-keypass hidden \
-keyalg RSA \
-keysize 2048 \
-sigalg SHA256withRSA
I included the cert as well (see: Signature trust establishment failed for SAML metadata entry). The certificate provided by my IDP is contained within my keystore:
keytool -importcert \
-file cert.pem \
-keystore product.jks \
-alias idp-server \
-storepass hidden
I tried all the following tickets already:
- "SSL peer failed hostname validation in Spring SAML": tried to add the cert included in the passwords in KeyManager (I set the cert password to be the keystore password since the cert does not have one).
- "Spring Security SAML + HTTPS to another page": tried allowAll in TLSProtocolConfigurer.setSslHostnameVerification and defaultAndLocalhost in the TLSProtocolSocketFactory constructor.
- "Spring Security SAML IdP Metadata Certificate and Signature Trust": check is already disabled: extendedMetadataDelegate.setMetadataTrustCheck(false);
- "Signature trust establishment failed for SAML metadata entry": tried setting the alias of the cert inside the ExtendedMetadata attached to the delegate:
ExtendedMetadata em = new ExtendedMetadata();
em.setSigningKey("*"); //This is obfuscated
ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider, em);
My inclination is that I'm setting up the keystore incorrectly with the cert. I tried converting the PEM to crt and cer to see if it would make any difference; it did not. I can assure you this is the IDP cert and not the domain cert (FYI this is purposefully not using cacerts, but containing the cert inside the keystore to use HTTPS).
Any ideas/help is much appreciated! Thanks.
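The two log lines in the question report two distinct TLS checks: "PKIX path construction failed" means the HTTPS server certificate presented by the metadata endpoint (the wildcard CN=* certificate in the log) could not be chained to any trust anchor, and "SSL peer failed hostname validation" is the separate hostname-against-SAN check. With TLSProtocolSocketFactory(keyManager(), null, ...) the trust anchors are the certificates in the JKS keystore, so what has to be in there for the metadata fetch is the issuing chain of the IdP's HTTPS server certificate; the IdP's SAML signing certificate (the one published in its metadata) is a different key and does not satisfy path construction. The following shell script, added here as an illustration and not part of the question, reproduces both checks with a throwaway PKI built by openssl. All names (idp.example.com, the CA and signing-certificate subjects) are constructed for the example; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not code from the question): build a throwaway PKI with openssl and
# run the two checks that the Spring SAML log lines correspond to.
set -eu

# make_test_pki DIR: writes ca.pem (trust anchor), idp.pem (TLS leaf for the constructed
# host idp.example.com, issued by the CA) and signing.pem (a self-signed cert with its
# own key, standing in for the IdP's SAML signing certificate, i.e. the cert.pem of the
# question). Key generation noise on stderr is suppressed.
make_test_pki() {
    dir=$1
    # Minimal config: openssl req insists on a distinguished_name section even with -subj.
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$dir/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" -extensions ca_ext \
        -subj "/CN=Example IdP Root CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # TLS server certificate: the name a TLS client checks is the SAN, not the CN.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=idp.example.com" -keyout "$dir/idp.key" -out "$dir/idp.csr" 2>/dev/null
    printf 'subjectAltName = DNS:idp.example.com\nbasicConstraints = CA:FALSE\n' > "$dir/idp.ext"
    openssl x509 -req -days 1 -in "$dir/idp.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/idp.ext" -out "$dir/idp.pem" 2>/dev/null
    # Self-signed certificate with an unrelated key, as an IdP publishes for SAML signing.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -subj "/CN=Example IdP SAML Signing" -keyout "$dir/signing.key" -out "$dir/signing.pem" 2>/dev/null
}

# check_trust TRUSTFILE CERT HOST: returns 0 only when CERT chains to an anchor in
# TRUSTFILE (PKIX path construction) and carries HOST in its SAN (hostname validation).
# The "file: OK" output is matched rather than the exit code, because older openssl
# releases returned 0 from 'verify' even when verification failed.
check_trust() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1 | grep -q ': OK$'; then
        return 0
    fi
    return 1
}

# Demo: the same TLS leaf checked against three truststore / hostname combinations.
demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir"
    report() { if check_trust "$2" "$dir/idp.pem" "$3"; then echo "$1: OK"; else echo "$1: FAIL"; fi; }
    report "signing cert as the only anchor" "$dir/signing.pem" idp.example.com   # path construction fails
    report "issuing CA as anchor           " "$dir/ca.pem"      idp.example.com   # OK
    report "issuing CA, wrong hostname     " "$dir/ca.pem"      other.example.com # hostname validation fails
    rm -rf "$dir"
}

demo
```

The first line of the demo output is the situation in the question: a keystore whose only trusted certificate is the IdP's signing certificate cannot validate the metadata server's HTTPS certificate, whatever the file format (PEM, crt, cer) it was imported from. The fix on the keystore side is to import the server certificate's issuing CA (or the full chain) with the same keytool -importcert command the question already uses; disabling metadata trust checking with setMetadataTrustCheck(false) does not affect this TLS step, since that flag governs signature verification of the downloaded metadata, not the transport.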