Signature trust establishment failed for SAML metadata entry

I was facing the same issue.Steps that I have follwoed to resolve the same

  1. extract from IDP metdata fille
  2. copy the certificate in text file and save as.crt. e.g idp.crt
  3. import the crt file in key Store keytool -import -alias adfscert -file idp.crt -keystore samlKeystoreold.jks -storepass keystorepassword
  4. it will ask for is you trust this crt.. say yes
  5. for some cases it will ask to use in pkcs12 format add in warning message do the same
  6. try running your application it should work :)

I'm posting this just in case if it may be helpful even after everything you did like accepted answer for this question and still get the same error.

I too had this problem, I have added IDP's metadata file and imported their certificate into my app keystore. But still had Signature trust verification problem. I did format the metadata.xml from IDP in Intellij, that did some screw up. Once I imported their metadata file as it without formatting, everything went ok.


You have most likely imported the HTTPS certificate, but not the certificate which is used to create the signature - they differ. You should:

  1. Create file signature.cer with the following content taken from the metadata:

    -----BEGIN CERTIFICATE-----
    MIIC7jCCAdagAwIBAgIQa+pSaOoDP6ZL3qAi564CxzANBgkqhkiG9w0BAQs
    FADAzMTEwLwYDVQQDEyhBREZTIFNpZ25pbmcgLSBzdHN0ZXN0LXJlcGx5bm
    V0LnJlcGx5Lml0MB4XDTE0MDQyMTAwMzUyNVoXDTE1MDQyMTAwMzUyNVowM
    zExMC8GA1UEAxMoQURGUyBTaWduaW5nIC0gc3RzdGVzdC1yZXBseW5ldC5y
    ZXBseS5pdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJyI7Se
    +UGGHOGRcwHF8LrmivtcPJyNKyicPJ8UJ8pIsEmgYBnJIrpS05RkYtdUdk+
    aumDlc3ACt23FxGDLy9hkJJlRbZwklzh4W3RqGC3W5Y+t7KeIuB8d7ZrrLb
    2AoJpVHICRagsLjjHMwz9sJUt+PZdUFFc0pZckHba3TY2Y+MgPYVsyjlEkf
    QrwL0ggh23g9Pe1VQ9HaInXZvwVMGWZ1oL4Uk0cW11URa8x53ZOWMQSsksi
    MUlquItssiuJjRnI9Df+GaDxbQJi51esY2EF1o2JxqGJSA71Apy9EahDho8
    eFkfOS0fYbVNBU5X/Wn7BKsf2Rmg3r6mQM94+gAA8CAwEAATANBgkqhkiG9
    w0BAQsFAAOCAQEAIX5FEt5JWtINzy4C0LtTtta3DMOsLIBH3raRr53+6MKG
    sPP75VAt7fYUutopuk5Y2o++sVPuEuTzcogz5Dj8eglDESkPwR0PrlClVcG
    FLFEx9qOOidYIEa90g462niIOgkNkIpb1JRrmZEFo+yrYYdFSR2iXzC3O1f
    7JAhNwi+d4a8cOTrqynqL6p1z+hiWEub39FlWDPacELw9HSDIYY151hiiPz
    vIRQDBOjDg3Ws8fRwYNjJH4ElwjP2z+1r+sktD/kkh8jj3iWhT37JnQG72D
    7c63ovYICwEZUqS4L3vepO0pv6xewkUbfX4KBQbUPaVVgmVUcSecj85mvMx
    42g==
    -----END CERTIFICATE-----
    
  2. Import the certificate to your samlKeystore.jks with:

     keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file signature.cer
    

This should be all you need, just restart Tomcat and your metadata loading should now pass.

You don't need to include the HTTPS certificate in your JDK's cacerts in case you include the following bean which configures the HTTP client (available in Spring SAML 1.0.0.RELEASE):

 <bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer"/>