Error: XMLCipher::decryptElement unable to resolve a decryption key

Problem

Login via SSO with Okta fails, and you get an error in the tracker, with a message "Something bad happened: null".

Diagnosis

In the log file, there are errors similar to the following:

  2024-10-23 13:36:07,302+0000 http-nio-8080-exec-19 url: /plugins/servlet/samlsso ERROR anonymous 816x1141x1 16e6we 77.11.179.58,10.2.88.105 /plugins/servlet/samlsso [o.a.x.security.encryption.XMLCipher] XMLCipher::decryptElement unable to resolve a decryption key
  2024-10-23 13:36:07,303+0000 http-nio-8080-exec-19 url: /plugins/servlet/samlsso WARN anonymous 816x1141x1 16e6we 77.11.179.58,10.2.88.105 /plugins/servlet/samlsso [c.o.saml2.util.Util] Error executing decryption: encryption.nokey
  org.apache.xml.security.encryption.XMLEncryptionException: encryption.nokey
  at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1757)
  at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1673)
  ...
  2024-10-23 13:36:07,305+0000 http-nio-8080-exec-19 url: /plugins/servlet/samlsso WARN anonymous 816x1141x1 16e6we 77.11.179.58,10.2.88.105 /plugins/servlet/samlsso [c.r.a.s.tracker.activeobjects.AuthenticationTrackerActiveObjectsProxy] Adding ExceptionInfo for this Exception to HN6Q1EHYJ32VJGB:
  com.resolution.samlwrapper.api.exception.MessageReadingException: Something bad happened: null
  at com.resolution.samlwrapper.osj.SAMLResponseReader.readAndValidateSamlResponse(SAMLResponseReader.java:120)
  at com.resolution.samlwrapper.osj.SAMLResponseReader.validateSAMLResponseAndReadLoginInformation(SAMLResponseReader.java:52)
  at com.resolution.samlwrapper.osj.SAMLWrapperImpl.handleSAMLResponse(SAMLWrapperImpl.java:622)
  at com.resolution.samlwrapper.osj.SAMLWrapperImpl.handleSAMLMessage(SAMLWrapperImpl.java:592)
  at com.resolution.atlasplugins.samlsso.servlet.SamlSsoServlet.processRequest(SamlSsoServlet.java:170)
  at com.resolution.atlasplugins.samlsso.servlet.BasicServlet.doPost(BasicServlet.java:100)
  ...
  Caused by: java.lang.NullPointerException
  at com.onelogin.saml2.authn.SamlResponse.decryptAssertion(SamlResponse.java:1319)
  at com.onelogin.saml2.authn.SamlResponse.loadXml(SamlResponse.java:221)
  at com.onelogin.saml2.authn.SamlResponse.loadXmlFromBase64(SamlResponse.java:187)
  at com.onelogin.saml2.authn.SamlResponse.<init>(SamlResponse.java:122)
  at com.resolution.samlwrapper.osj.SAMLResponseReader.readAndValidateSamlResponse(SAMLResponseReader.java:93)
  ... 335 more

Solution

The above indicates that Assertion Encryption has been enabled in Okta, but Okta does not have the correct certificate from the SAML SSO plugin (the service provider): Okta encrypts the assertion with a certificate for which the plugin holds no matching private key, so the plugin cannot resolve a decryption key and the login fails.
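To confirm from the logs that a failed login has this cause, the following script (an added example, not part of this article or the plugin) scans Atlassian-style log lines for the encryption.nokey signature and pairs it, by request id, with the tracker entry id that the "Something bad happened: null" record was filed under. The log text is constructed to resemble the excerpt above; the second, unrelated failure in it is invented to show that only nokey failures are reported.

```python
import re

# Constructed sample log modelled on the excerpt in this article (not a real capture;
# IP addresses and the second, unrelated failure are invented for illustration).
SAMPLE_LOG = """\
2024-10-23 13:36:07,302+0000 http-nio-8080-exec-19 url: /plugins/servlet/samlsso ERROR anonymous 816x1141x1 16e6we 10.0.0.1 /plugins/servlet/samlsso [o.a.x.security.encryption.XMLCipher] XMLCipher::decryptElement unable to resolve a decryption key
2024-10-23 13:36:07,303+0000 http-nio-8080-exec-19 url: /plugins/servlet/samlsso WARN anonymous 816x1141x1 16e6we 10.0.0.1 /plugins/servlet/samlsso [c.o.saml2.util.Util] Error executing decryption: encryption.nokey
org.apache.xml.security.encryption.XMLEncryptionException: encryption.nokey
2024-10-23 13:36:07,305+0000 http-nio-8080-exec-19 url: /plugins/servlet/samlsso WARN anonymous 816x1141x1 16e6we 10.0.0.1 /plugins/servlet/samlsso [c.r.a.s.tracker.activeobjects.AuthenticationTrackerActiveObjectsProxy] Adding ExceptionInfo for this Exception to HN6Q1EHYJ32VJGB:
com.resolution.samlwrapper.api.exception.MessageReadingException: Something bad happened: null
2024-10-23 13:40:00,000+0000 http-nio-8080-exec-3 url: /plugins/servlet/samlsso WARN anonymous 900x2000x1 16e6we 10.0.0.2 /plugins/servlet/samlsso [c.r.a.s.tracker.activeobjects.AuthenticationTrackerActiveObjectsProxy] Adding ExceptionInfo for this Exception to ABCDEF123456789:
com.resolution.samlwrapper.api.exception.MessageReadingException: Something bad happened: null
"""

# Atlassian log prefix: timestamp, thread, "url: <path>", level, user, request id.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+) (?P<thread>\S+) url: (?P<url>\S+) "
    r"(?P<level>[A-Z]+) (?P<user>\S+) (?P<req>\S+) "
)
NOKEY_MARKERS = ("XMLCipher::decryptElement unable to resolve a decryption key",
                 "encryption.nokey")
TRACKER_RE = re.compile(r"Adding ExceptionInfo for this Exception to (?P<tracker>\w+):")


def find_nokey_failures(log_text):
    """Return one finding per request that hit encryption.nokey and was also
    filed in the authentication tracker; other tracker entries are ignored."""
    nokey_first_seen = {}   # request id -> timestamp of the first nokey marker
    trackers = {}           # request id -> tracker entry id
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # stack-trace continuation lines carry no prefix
        req = m.group("req")
        if any(marker in line for marker in NOKEY_MARKERS):
            nokey_first_seen.setdefault(req, m.group("ts"))
        t = TRACKER_RE.search(line)
        if t:
            trackers[req] = t.group("tracker")
    return [
        {"request": req, "first_seen": ts, "tracker": trackers[req],
         "likely_cause": "IdP encrypts the assertion with a certificate the SP has no private key for"}
        for req, ts in nokey_first_seen.items() if req in trackers
    ]


if __name__ == "__main__":
    for finding in find_nokey_failures(SAMPLE_LOG):
        print(finding)
```

The tracker id in each finding is the one to look up in the plugin's authentication tracker, so the log evidence and the tracker entry can be matched before changing the Okta configuration.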

To fix that:

  1. In the SAML Single Sign On Configuration page, in the Service Provider tab, copy the Service Provider Certificate.

  2. In Okta, under SAML Settings, click Edit.

  3. Navigate to step 2 (Configure SAML) and click on "Show Advanced Settings".

  4. Upload the new certificate to be used both as the Encryption and the Signature certificate.

  5. Save the settings.