SAML Validate Signatures

Hi

Can anyone please help with how to update the IDP certificate in the Identity Provider SAML configuration?

I configured “validate signature” and uploaded the “Validating X509 certificates” in the SAML IDP configuration.
The user signs in successfully on the IDP, but when it is redirected to Keycloak I get the error below.

2024-04-04 00:37:41,950 DEBUG [org.keycloak.events.jpa.JpaEventStoreProvider] (Timer-0) Cleared 0 expired events in all realms
2024-04-04 00:37:47,959 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-25) Uncaught server error: java.lang.RuntimeException: org.keycloak.saml.common.exceptions.ProcessingException: PL00102: Processing Exception:
	at org.keycloak.broker.saml.SAMLEndpoint$Binding.getIDPKeyLocator(SAMLEndpoint.java:264)
	at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:716)
	at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:648)
	at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:276)
	at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:187)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
	at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
	at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
	at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
	at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
	at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
	at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
	at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
	at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
	at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
	at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
	at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
	at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
	at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
	at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
	at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
	at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380)
	at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358)
	at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
	at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
	at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
	at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:90)
	at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
	at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
	at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:545)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.keycloak.saml.common.exceptions.ProcessingException: PL00102: Processing Exception:
	at org.keycloak.saml.common.DefaultPicketLinkLogger.processingError(DefaultPicketLinkLogger.java:164)
	at org.keycloak.saml.processing.core.util.XMLSignatureUtil.getX509CertificateFromKeyInfoString(XMLSignatureUtil.java:592)
	at org.keycloak.broker.saml.SAMLEndpoint$Binding.getIDPKeyLocator(SAMLEndpoint.java:258)
	... 55 more
Caused by: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Illegal footer: -----BEGINCERTIFICATE-----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-----ENDCERTIFICATE-----
	at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:115)
	at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
	at org.keycloak.saml.processing.core.util.XMLSignatureUtil.getX509CertificateFromKeyInfoString(XMLSignatureUtil.java:589)
	... 56 more
Caused by: java.io.IOException: Illegal footer: -----BEGINCERTIFICATE-----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-----ENDCERTIFICATE-----
	at java.base/sun.security.provider.X509Factory.checkHeaderFooter(X509Factory.java:661)
	at java.base/sun.security.provider.X509Factory.readOneBlock(X509Factory.java:643)
	at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:99)
	... 58 more

I once successfully followed this guide to do just that with ADFS: How to Setup MS AD FS 3.0 as Brokered Identity Provider in Keycloak - Keycloak

I had the same problem, but it worked well with base64-encoded DER certificates, which you can get from PEM with openssl:

openssl x509 -in your-cert.pem -outform der | base64

Have you tried removing “-----BEGINCERTIFICATE-----” and “-----ENDCERTIFICATE-----”? This worked for me.
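The two replies above point at the same thing: the “Validating X509 certificates” field takes the bare base64 DER body, and pasting PEM armor (here with the spaces lost from the header and footer) is what produces the "Illegal footer" parse error at login time. The following Python script is an added example, not code from this thread or from Keycloak; it normalizes whatever was copied out of the IdP metadata (intact PEM, PEM whose armor lost its spaces, or an already bare base64 body) into a single-line base64 DER string, and rejects input that is not valid base64 or not one well-formed DER SEQUENCE, so the mistake is caught before it reaches the Keycloak config. The DER bytes used for the demonstration are a constructed stand-in, not a real certificate, and the function names (strip_pem_armor, der_sequence_ok, normalize_for_keycloak) are mine.

```python
import base64
import re

# Constructed stand-in for a DER-encoded certificate body: a bare ASN.1
# SEQUENCE (tag 0x30) containing one INTEGER. It is NOT a real certificate;
# it only exercises the same armor/base64/DER checks a real one would pass.
CONSTRUCTED_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_DER).decode("ascii")

# Matches PEM armor lines whether or not the spaces survived copy-paste,
# e.g. "-----BEGIN CERTIFICATE-----" and "-----BEGINCERTIFICATE-----".
_ARMOR_RE = re.compile(r"-----\s*(BEGIN|END)\s*CERTIFICATE\s*-----", re.IGNORECASE)


def strip_pem_armor(text: str) -> str:
    """Remove PEM header/footer markers and all whitespace, leaving bare base64."""
    body = _ARMOR_RE.sub("", text)
    return re.sub(r"\s+", "", body)


def der_sequence_ok(der: bytes) -> bool:
    """Sanity-check that the bytes form exactly one outer DER SEQUENCE.

    Every X.509 certificate is a SEQUENCE whose length field must cover
    exactly the remaining bytes; a mismatch means the paste was truncated,
    doubled, or is not DER at all.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def normalize_for_keycloak(text: str) -> str:
    """Turn pasted certificate text into the single-line base64 DER Keycloak expects.

    Raises ValueError when the result is not valid base64 or not a
    well-formed DER SEQUENCE, instead of letting the broker fail at login.
    """
    b64 = strip_pem_armor(text)
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:              # binascii.Error is a ValueError
        raise ValueError(f"not valid base64 after stripping armor: {exc}") from exc
    if not der_sequence_ok(der):
        raise ValueError("decoded bytes are not a single well-formed DER SEQUENCE")
    return base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    # Constructed inputs: the intact PEM, and the same text with the spaces
    # lost from the armor lines, as in the error message in the question.
    pem = f"-----BEGIN CERTIFICATE-----\n{CONSTRUCTED_B64}\n-----END CERTIFICATE-----\n"
    mangled = pem.replace("BEGIN CERTIFICATE", "BEGINCERTIFICATE").replace(
        "END CERTIFICATE", "ENDCERTIFICATE")
    for label, src in (("pem", pem), ("mangled", mangled), ("bare", CONSTRUCTED_B64)):
        print(label, normalize_for_keycloak(src))
```

For a real certificate the output is the same string the openssl pipeline in the earlier reply produces; the script only adds the armor stripping for the copy-paste case and a structural check so a bad value is rejected before it is saved into the identity provider configuration.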