Tags: java, ssl, saml-2.0, adfs2.0, opensaml

javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key


I am using a SAML authentication mechanism to authenticate my application. I am using ADFS as the IdP server and JBoss EAP 7.1.4 as the SP. I have added all the configurations related to the IdP and SP servers, but when authenticating, the SAML response gives the exception mentioned below.

It was working fine with another ADFS server, but the ADFS server has changed, so after adding all the configs I:

  1. Verified that the certificates are correct. The only difference is that the new ADFS uses a wildcard certificate, *.dev.adfs.com.
  2. Verified the SP server end certificate, which uses a Windows-related certificate.
  3. Verified the accepted claims.

Highlighted logs:

2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notBefore=2019-01-09T10:25:48.084Z
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notOnOrAfter=2019-01-09T11:25:48.084Z
2019-01-09 14:11:35,435 INFO  [org.keycloak.saml.common] (default task-9) [] Assertion has expired with id=_67562aca-0e81-4df1-a8db-3579e3b786e3

Request and response related:

2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Document to be signed=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Destination="https://adfs.devops.myapp.co/adfs/ls/" ForceAuthn="false" ID="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IsPassive="false" IssueInstant="2019-01-09T08:41:35.435Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:cslk-cl-ix-1.myapp.co:adfs.devops.myapp.co</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
2019-01-09 14:11:35,685 DEBUG [org.keycloak.adapters.saml.SamlAuthenticator] (default task-23) [] SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint@6dfd19e]
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-23) [] <samlp:Response ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" Version="2.0" IssueInstant="2019-01-09T10:25:48.352Z" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status></samlp:Response>

The whole exception thrown is:

2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Could not validate signature using ds:KeyInfo/ds:KeyName hint.
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Trying hard to validate XML signature using all available keys.
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notBefore=2019-01-09T10:25:48.084Z
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notOnOrAfter=2019-01-09T11:25:48.084Z
2019-01-09 14:11:35,435 INFO  [org.keycloak.saml.common] (default task-9) [] Assertion has expired with id=_67562aca-0e81-4df1-a8db-3579e3b786e3
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Document to be signed=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Destination="https://adfs.devops.myapp.co/adfs/ls/" ForceAuthn="false" ID="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IsPassive="false" IssueInstant="2019-01-09T08:41:35.435Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:cslk-cl-ix-1.myapp.co:adfs.devops.myapp.co</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
2019-01-09 14:11:35,685 DEBUG [org.keycloak.adapters.saml.SamlAuthenticator] (default task-23) [] SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint@6dfd19e]
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-23) [] <samlp:Response ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" Version="2.0" IssueInstant="2019-01-09T10:25:48.352Z" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status></samlp:Response>
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] SAML Response Document: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IssueInstant="2019-01-09T10:25:48.352Z" Version="2.0"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGQzCCBSugAwIBAgIQCoRLTdpfWPYhb+4+0jJ8nzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwMTMwMDAwMDAwWhcNMTkwMjA0MTIwMDAwWjB2MQswCQYDVQQGEwJTRTESMBAGA1UEBxMJTGlua29waW5nMSUwIwYDVQQKExxDYW1iaW8gSGVhbHRoY2FyZSBTeXN0ZW1zIEFCMQ8wDQYDVQQLEwZEZXZPcHMxGzAZBgNVBAMMEiouZGV2b3BzLmNhbWJpby5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhVmc1fY7uIoJRptyErVxZIylGFS7YTSM7hXbu/jLoNdybSPaSEuIaBeZM8CF3YPYOw4HjPUPSwm0mS+nHVcHLWq0L+YvlRDQPEfvLtbNp9qPlBWy+lQUde2mUEAclazGvv9JcUBWQZ2adw/tX8aUreR1WwsXCE06/kmlwWuaHT9f6uyiARLN9yjxCBJpv2H9qvMOYL3ddtZVigu+5BpD0b6jBceWtJf2vtfhMx7W/3csH7bmPD5/Zk8o/iDt86clhRCpvC6HG/Rp1wiPVxTfBnsdNGbZ/rL3NpNIFISOzMlFyrTRrYOd0IoV7h+N87LPv2V4ehF1Gojsp3PRbsCGECAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQa16XymyMUbzBg50nZEnKYoyDXgzAvBgNVHREEKDAmghIqLmRldm9wcy5jYW1iaW8uc2WCEGRldm9wcy5jYW1iaW8uc2UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABYUhNaOYAAAQDAEcwRQIhAJfqhCeN/+ctydVvdHDA+ob+Oi8BdddU/JR/MXULemKrAiASdWjbsZgjdZnOP0D6X6lcFCpW04tEcFUlVxOur4Y45gB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABYUhNaYUAAAQDAEgwRgIhAMntoPH1spXuNV33QLzmNlrWY8+jFJoF13roGaFP41QvAiEA5uwsRrp+LZ9enPjoP9Va1xjrqUHvgnO5DnoA/fsY7q0wDQYJKoZIhvcNAQELBQADggEBADPG0CvUPA4mLSnTWVrKmDnfAUTnf1XOwKxlEq/EFmzp+oZ+IzYke/JlhJsgKP9QAUUkgwErpXdfbQThAF7c8NqzKPwu4b0U5jsnsp+Ay1KtEz/iXM40T7QWDQmb3fN/U1a8t+Z2MViORR2SDesY5hE56VbKBBKeojJ6ek21Iri6D39lwoMZcaZ/o6ZlAKJF/hslhyHaOmhW0z0yZhnGllJ2rqn+kPeTgDx75ddiPJumX1Pwo48q3q8QtZH98HbxZk1wa5H3IFLRI8PwVXvzlcDrzP1guHBhwpO1jp7UDTyyP0CmIZgCc1Ye1QQIiSXXNGJay6/uV0GKMyvyKfGZnlU=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status></samlp:Response>
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:xmlns:ds::Value=http://www.w3.org/2000/09/xmldsig#
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:URI
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:KeyInfo::Value=http://www.w3.org/2000/09/xmldsig#
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.common] (default task-23) [] Verification failed for key null: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] the keyselector did not find a validation key: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:552) [xmlsec-2.0.5.jar:2.0.5]
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254) [xmlsec-2.0.5.jar:2.0.5]
    at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateUsingKeySelector(XMLSignatureUtil.java:510)
    at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateSingleNode(XMLSignatureUtil.java:474)
    at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:455)
    at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:180)
    at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.verifyPostBindingSignature(AbstractSamlAuthenticationHandler.java:543) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.validateSamlSignature(AbstractSamlAuthenticationHandler.java:269) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse(AbstractSamlAuthenticationHandler.java:190) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at org.keycloak.adapters.saml.SamlAuthenticator.authenticate(SamlAuthenticator.java:48) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at org.keycloak.adapters.saml.undertow.AbstractSamlAuthMech.authenticate(AbstractSamlAuthMech.java:115) [keycloak-saml-undertow-adapter-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1501)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1501)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1501)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1501)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:330) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [rt.jar:1.8.0_181]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [rt.jar:1.8.0_181]
    at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_181]

2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Could not validate signature using ds:KeyInfo/ds:KeyName hint.
2019-01-09 14:11:35,825 TRACE [org.keycloak.saml.common] (default task-23) [] Trying hard to validate XML signature using all available keys.

Solution

  • The root cause of the issue was found: the ADFS certificate had not been updated at the Service Provider end by the on-the-fly update. Once the correct certificate was updated for ADFS and the ADFS server was restarted, the issue was resolved. However, you must follow proper PKI as mentioned in the answer below.

    How to resolve org.springframework.web.util.NestedServletException: Request processing failed; with SAML
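As an added diagnostic (not code from the question, the linked answer, or Keycloak), this Python script mirrors the two checks the log above reports failing: it compares the certificate carried in ds:KeyInfo against the fingerprints the SP is configured to trust (the "did not find a validation key" case, which the stale certificate in the Solution explains), and it checks the assertion's Conditions window against the SP clock, which in the log (Now=08:41:35Z against notBefore=10:25:48Z) sits well behind the IdP's IssueInstant. The certificate bytes, the SAML Response, the issuer URL and the 3-minute skew allowance are constructed stand-ins; the script uses only the standard library and does not verify the XML signature itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificate bytes (not real certificates):
# the cert the SP still has on file, and the cert the replaced ADFS signs with.
OLD_ADFS_DER = b"constructed-old-adfs-signing-cert-bytes"
NEW_ADFS_DER = b"constructed-new-wildcard-adfs-signing-cert-bytes"

def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()

# Constructed SAML Response shaped like the one in the log: KeyInfo carries the
# new cert, Conditions carries the window the log printed for the assertion.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" ID="_r1" Version="2.0"
    IssueInstant="2019-01-09T10:25:48.352Z">
  <saml:Issuer xmlns:saml="{NS['saml']}">http://idp.example/adfs/services/trust</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo/>
    <ds:SignatureValue>bm90LWNoZWNrZWQtaGVyZQ==</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(NEW_ADFS_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0">
    <saml:Conditions NotBefore="2019-01-09T10:25:48.084Z" NotOnOrAfter="2019-01-09T11:25:48.084Z"/>
  </saml:Assertion>
</samlp:Response>"""

def keyinfo_fingerprints(response_xml):
    """SHA-256 fingerprints of every certificate carried in ds:KeyInfo."""
    fps = []
    for el in ET.fromstring(response_xml).iterfind(".//ds:X509Certificate", NS):
        der = base64.b64decode("".join((el.text or "").split()))  # drop PEM-style line breaks
        fps.append(sha256_fingerprint(der))
    return fps

def trusted_signing_cert(response_xml, sp_trusted_fingerprints):
    """Mirror of the SP key selector: a KeyInfo cert is usable only if it matches a
    certificate the SP was configured with; otherwise there is no validation key.
    The signature must still be verified with the matched key afterwards; trusting
    KeyInfo by itself would accept a response signed with any certificate at all."""
    trusted = {fp.lower() for fp in sp_trusted_fingerprints}
    for fp in keyinfo_fingerprints(response_xml):
        if fp in trusted:
            return fp
    return None

def _instant(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML dateTimes are UTC

def assertion_window_ok(response_xml, now_iso, skew_minutes=3):
    """Check Conditions/@NotBefore and @NotOnOrAfter against the SP clock `now_iso`,
    tolerating `skew_minutes` of drift between IdP and SP. Returns (ok, reason)."""
    cond = ET.fromstring(response_xml).find(".//saml:Assertion/saml:Conditions", NS)
    now, skew = _instant(now_iso), timedelta(minutes=skew_minutes)
    if now + skew < _instant(cond.get("NotBefore")):
        return False, f"not yet valid: SP clock {now_iso} is behind NotBefore={cond.get('NotBefore')}"
    if now - skew >= _instant(cond.get("NotOnOrAfter")):
        return False, f"expired: NotOnOrAfter={cond.get('NotOnOrAfter')} has passed"
    return True, "within window"
```

With only the old fingerprint configured, `trusted_signing_cert` returns None, which is the situation behind "Verification failed for key null"; once the new certificate's fingerprint is added it returns that fingerprint.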