"Errors found in the certificate" when calling initSAMLAuthRequest()

Community Beginner, Mar 29, 2024

I am playing around with the SAML SP and IdP configurations in CF2021.  I am using CF as both IdP and SP.

When I call initSAMLAuthRequest() I receive the following error:

     coldfusion.util.KeystoreUtils$CertificateException: Errors found in the certificate at coldfusion.saml.SamlHelper.stringToCert(SamlHelper.java:779)

I assume this error is related to the IdP certificate. This certificate is a self-signed certificate that was generated with the following command:

     openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
       -nodes -keyout idp.key -out idp.crt \
       -subj "/C=US/O=IdP Test/OU=SSO/CN=test.internal" \
       -addext "subjectAltName=DNS:test.internal,IP:192.168.1.2"

I used the Manual IdP configuration option and pasted the contents of idp.key into the Signing Certificate box without the -----BEGIN|END PRIVATE KEY----- bits.  It looks like MIIJQg....Tnw==

If I leave the -----BEGIN PRIVATE KEY----- bits in there then I receive an error saying "The input string is not base64 encoded. Cannot decode string '-----BEGIN PRIVATE KEY-----MIIJQg...'"

I have not had much luck finding examples of Manual IdP configuration or requirements for certificates. Do I need to import these certificates into the CFAS JKS files?  Is there something missing or wrong with how I am generating this certificate?

Any hints?

1 correct answer

Community Beginner, Mar 29, 2024

Answering my own question:

  1. Enter the public certificate in the IdP configuration, not the private key. Whoops.


The next issue I encountered was a password incorrect issue when ColdFusion was trying to access the PKCS12/PFX file to get the SAML SP key pair.  This was resolved by updating Java in my docker container from the default 11.0.11 that came with the official adobecoldfusion/coldfusion2021:latest image to the current 11.0.22 downloaded from https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html.


I used the following commands to update my CFAS container:


     wget -nc https://cfdownload.adobe.com/pub/adobe/coldfusion/java/java11/java11022/jdk-11.0.22_linux-x64_bin.de...
     docker cp jdk-11.0.22_linux-x64_bin.deb cfas:/opt
     docker exec -itu0 cfas dpkg --install /opt/jdk-11.0.22_linux-x64_bin.deb
     docker exec -itu0 cfas sed -i "/java.home=/c\java.home=/usr/lib/jvm/jdk-11-oracle-x64" /opt/coldfusion/cfusion/bin/jvm.config
     docker exec -itu0 cfas rm /opt/jdk-11.0.22_linux-x64_bin.deb
     docker restart cfas
