For troubleshooting, open the SSO URL configured in onelogin.saml2.idp.single_sign_on_service.url of onelogin.saml.properties directly in a browser, ideally on the AD FS server itself.
Signature validation failed
You may see an error like:
ERROR c.onelogin.saml2.authn.SamlResponse - Signature validation failed. SAML Response rejected
This means the certificate referenced in onelogin.saml.properties is not the one AD FS used to sign the response (AD FS signs SAML responses with its token-signing certificate, so the configured value must be that certificate, current and not expired):
onelogin.saml2.idp.x509cert =MIIC2DCCAcCgAwIBAgIQfdRAAWmWko1IsimA004o3TANBgkqhki…
Solution:
- Get the current token-signing certificate from AD FS;
- modify onelogin.saml.properties (onelogin.saml2.idp.x509cert);
- restart Yellowfin;
- update Yellowfin SAML Bridge relying party metadata in AD FS.
Illegal Key Size
You may see this in Yellowfin logs:
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
Solution:
Inspect the SAML response payload: the assertion is encrypted with AES-256:
EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
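Before editing the properties file for either problem above, it is worth confirming from a captured response which certificate actually signed it and which encryption algorithm the assertion uses. The script below is an added diagnostic, not Yellowfin or OneLogin code. It assumes a base64-encoded SAMLResponse captured from the browser POST and the text of onelogin.saml.properties; the sample response and certificate bytes embedded in it are constructed placeholders (the "certificate" is not a real X.509 structure, only bytes to fingerprint), and the property parser only handles the `key = value` form shown on this page. On a JRE still subject to the legacy JCE key-length restriction, an `aes256-cbc` EncryptionMethod is exactly what produces the "Illegal key size" exception.

```python
"""Check a captured SAMLResponse against onelogin.saml.properties:
which certificate signed it, and whether the assertion is AES-256 encrypted.
Added diagnostic; not part of Yellowfin or the OneLogin toolkit."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def normalize_cert(pem_or_b64):
    """Return DER bytes from a PEM block or the bare single-line base64
    form used for onelogin.saml2.idp.x509cert."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_or_b64)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body)


def fingerprint(der):
    """SHA-1 hex fingerprint, the form AD FS shows for its certificates."""
    return hashlib.sha1(der).hexdigest()


def read_idp_cert(properties_text):
    """Pull onelogin.saml2.idp.x509cert out of properties text ('key = value' lines only)."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "onelogin.saml2.idp.x509cert":
            return value.strip()
    raise KeyError("onelogin.saml2.idp.x509cert not set")


def signing_certs(response_xml):
    """Every X509Certificate carried inside a ds:Signature of the response."""
    root = ET.fromstring(response_xml)
    return [normalize_cert(e.text)
            for e in root.iterfind(".//ds:Signature//ds:X509Certificate", NS)]


def encryption_algorithms(response_xml):
    """Algorithm URIs of every xenc:EncryptionMethod (data and key encryption)."""
    root = ET.fromstring(response_xml)
    return [e.get("Algorithm") for e in root.iterfind(".//xenc:EncryptionMethod", NS)]


def diagnose(response_b64, properties_text):
    xml = base64.b64decode(response_b64).decode()
    configured = fingerprint(normalize_cert(read_idp_cert(properties_text)))
    seen = [fingerprint(c) for c in signing_certs(xml)]
    algs = encryption_algorithms(xml)
    return {
        "configured_fingerprint": configured,
        "response_fingerprints": seen,
        "signature_cert_matches": configured in seen,
        "encryption_algorithms": algs,
        "uses_aes256": any("aes256" in a for a in algs),
    }


# Constructed sample data: placeholder bytes, not a real certificate or response.
SAMPLE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>' + SAMPLE_CERT_B64 + '</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></ds:Signature>'
    '<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>'
    '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>'
)
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
SAMPLE_PROPERTIES_OK = "onelogin.saml2.idp.x509cert = " + SAMPLE_CERT_B64
SAMPLE_PROPERTIES_STALE = (
    "onelogin.saml2.idp.x509cert = " + base64.b64encode(b"an older, rolled-over certificate").decode()
)

if __name__ == "__main__":
    for label, props in (("current", SAMPLE_PROPERTIES_OK), ("stale", SAMPLE_PROPERTIES_STALE)):
        print(label, diagnose(SAMPLE_RESPONSE_B64, props))
```

If `signature_cert_matches` is false, the fingerprint in `response_fingerprints` is the one to look for under Certificates > Token-signing in the AD FS console; note that AD FS auto-rolls that certificate, so a configuration that once worked can start failing with the same log line.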