[IdP] New config settings error

[IdP] New config settings error

Forge Component
Published on 2017-12-04 by Telmo Martins
19 votes
Published on 2017-12-04 by Telmo Martins


We are trying the new IdP version but we are not able to proceed with below error. What do we need to do in order to resolve this.

Hi Romuel,

On which operation you get that error?


Hi Telmo,

When we click the Test button. Is this required?


Also, in the previous version, we uploaded a file for below setting. But somehow, it requires us to indicate the password. Can we use autogenerated keystore? We tried it but when we test the app, it shows us an error after entering the credential

This is the previous version

Error in SAML

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id_t15_a52c0820399049d8887e0e25ced2238b" Version="2.0" IssueInstant="2017-12-05T00:55:32.3576805Z"><saml2:Issuer>https://gomobile02.jgsummit.com.ph/IDPEXAMPLE/HomePage.aspx</saml2:Issuer></saml2p:AuthnRequest>

Hi Romuel. Was the IdP working before you updated to the latest version?

Could you go to the error log in Service Center and share the error details with us? That will have a few important information, such as the stack trace of the error.


Hi Leonardo,

Actually, we couldn't make it work now for the mobile version. That's why we were hoping that the latest one could help solve it. The previous version still exists though in DEV. We installed this new version in our QAS. 

There seems to be no error logged in Service Center after logging in the credentials. The one I showed you is from the SAML log messages.

We want to know if the autogenerated keystore would do or we need to manually generate this? 

Hi Romuel,

You can generate it yourself (it will generate a self-signed certificate) or upload a valid keystore that your already have, and then you need to provide to your IdP server administrator the new SP metadata file. (The previous versions didn't validate such.)

Besides, from your configuration of the previous version did the logout work? You have there configured a .cer file which at least by the file extension it's not a keystore file. An invalid keystore will not have impact on Login (unless the assertion is encrypted), but will through an error on a SingleLogout attempt. 

Regarding the first error you mention, on testing the internal URL, that URL is used when a SingleLogout is initiated by the IdP server, another SP client, or the IdP connector admin kill an active session from the Back-Office. In a logout performed by the End-user on this connector that internal URL will not be used.

You should set there a URL / IP that allow your server to do a request for it self. That depends on network and server configuration. Usually it is set to but in some cases access by  "http://localhost" is not available and you have to set it with the public URL or with the  server name / IP



Hi Telmo,

So if I don't require a logout, is there a need to configure the keystore?

Also, there is this IDP Server that is mentioned that can be used instead of InAppBrowser for mobile apps? We really want to test this new IdP components.



If you don't require logout (and not require encrypted assertion) the keystore will not be used. However the component will force you to set one, so for this specific scenario you can auto-generate one on the configuration screen.

Regarding the idP server that allows you not use InAppBrowser plugin, we are talking about the IdP server itself and not this IdP connector. But yes, if you use as your IdP/SSO server the IdPServer forge component (instead of using for instance ADFS or OneLogin) you can get rid of InAppBrowser plugin on IdPMobile.