I have generated testIdp.cer file by copying 509 entry of the IDP I am planning to connect. Then I created JKS file by executing the following command
keytoo
Vladimir answered correctly the question why the error occurs. In my answer I want to show how you can import a certificate to the keystore to solve that problem:
You have to import the certificate and private key which could not be done directly by keytool.
The detailed described solution is found here: https://stackoverflow.com/a/8224863/1909531
Here's an excerpt:
openssl pkcs12 -export -in server.crt -inkey server.key \
-out server.p12 -name [some-alias] \
-CAfile ca.crt -caname root
keytool -importkeystore \
-deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore \
-srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password \
-alias [some-alias]
This error occurs also when you don't have a private key in your Keystore. SAML uses the private key to generate the Service provider meta data used to communicate with the IDP. Just add one to the Keystore like this: keytool -genkey -v -keystore some_key_store.jks -alias some_alias -keyalg RSA -keysize 2048 -validity 36500 Fill in the questions and set validity to an appropriate number of days. (In my example it's valid for 100 years) Remember to add the public certificate from IDP. Then you should be ready to go.
Get the public certificate using openssl command:
openssl s_client -showcerts -connect iam-sso.google.net:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
Import it into the Keystore:
keytool -import -alias "new-qet-alias" -keystore /usr/share/tomcat8/webapps/ROOT/WEB-INF/classes/saml/samlKeystore.jks -file mycertfile.pem
Your .cer
certificate contains only a public key, you mustn't define <entry key="adfssigning" value="mypassword"/>
for public keys; it can only be used for private ones. Simply take out the adfssigning
entry and make sure to include a private key instead - just like in the Spring SAML sample application.
The SAML keystore can contain two basic types of keys - public and private ones (plus their certificates). Each key has an alias which is used to refer to it. The keystore itself can be protected by a password (provided in the second constructor parameter), plus each private key can be also protected by an additional password (these are defined in third parameter of the constructor in a map of alias->password). The public keys which you import to the keystore (just like you did with the command above) mustn't be defined in this map. They will be automatically available after being imported without additional declarations. For Spring SAML to work, the keystore must contain at least one private key (the sample application contains private key with alias apollo) and its alias needs to be provided in the third parameter of the constructor.
Your example above fails, because you have imported a public key, but included it in the map which can only be used for private keys.
For those looking for answers in java config please comment out the line passwords.put("mykeyalias", "mystorepass"); .... shown in code snippet below.
@Bean
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader.getResource("classpath:saml-keystore.jks");
Map<String, String> passwords = new HashMap<>();
// passwords.put("mykeyalias", "mystorepass");
return new JKSKeyManager(storeFile, "mystorepass", passwords, "mykeyalias");
}