I was working on federation with IDP as custom solution and SP as fedlet. The SAML authentication request and SAML response was generated successfully. However while validating the SAML response by Fedlet, it was throwing the below error in the browser.

Upon looking at libSAML2 debug file I could see 2 exceptions in the logs

ERROR: KeyUtil.getVerificationCert: No signing KeyDescriptor for entityID=XXXXXX in IDPRole role.

ERROR: SAML2Utils: The signing certificate does not match what’s defined in the entity metadata.

entityID is the ID value provied in fedlet.cot file in fedlet configuration.

Troubleshooting process:

Identity provider was signing the SAML response and encrypting the assertion. So the signing and validation has worked before and it is failing all at once.

IDP will provide the certificate in the metadata that they provide. Service Provider  (Fedlet) verifies if the signature is valid by first checking if there is a certificate configured in Identity provider metadata signing block. Then it checks with Trusted Certificate for validating the signature. I have verified the IDP metadata in fedlet configuration and found that certificate was missing in Signing section which is the root cause of this error.

After placing the Signing block in IDP metadata and restarting the application server containing fedlet, the federation has worked!!