We are currently signing SAML assertions where ForgeRock IDC acts as an IDP and is configured for a remote SP. The flow is working fine until we enable encryption of the assertion and attributes.
We are following the ForgeRock backstage Knowledge - ForgeRock BackStage to generate and add secret IDs.
After enabling encryption, when we try to hit the SAML flow URLs it just shows “Server error: Forgerock server cannot handle this request”. So I thought it might be an issue with the secret key configuration, but when I tried that with the default ForgeRock IDC keys it is still failing.
Need help to fix this issue… Thank you in advance
Can you double check your remote SP’s metadata to ensure that they included a key for encryption? With SAML, encryption in an assertion is done by the IDP via the SP’s public key which is provided via the metadata. You are looking for a KeyDescriptor element with either a use attribute with a value of signing or no use attribute on the element. The absence of such data in the SP’s metadata can result in the error you are seeing.
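A small metadata check for the point made above, added here as an example and not code from the thread or from ForgeRock: it parses SP metadata and lists the KeyDescriptor entries an IDP may encrypt to (per the SAML metadata spec, use="encryption" or no use attribute; use="signing" is excluded), along with the declared EncryptionMethod algorithms. The embedded metadata is constructed sample data with placeholder certificate bodies, and the function name is my own.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata (not real data); certificate bodies are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>QUJD</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>REVG</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def encryption_keys(metadata_xml):
    """Return the SP KeyDescriptor entries an IDP may use to encrypt an assertion.

    A KeyDescriptor qualifies when use="encryption" or when the use attribute is
    absent (the key then serves both signing and encryption). Each entry records
    whether a non-empty, valid base64 certificate is present and which
    EncryptionMethod algorithms the SP declares for that key.
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")  # None means the key is usable for both purposes
        if use not in (None, "encryption"):
            continue
        cert_el = kd.find(".//ds:X509Certificate", NS)
        cert_b64 = "".join((cert_el.text or "").split()) if cert_el is not None else ""
        try:
            cert_ok = len(base64.b64decode(cert_b64, validate=True)) > 0
        except ValueError:  # binascii.Error is a ValueError subclass
            cert_ok = False
        found.append({
            "use": use or "both",
            "cert_present": cert_ok,
            "algorithms": [m.get("Algorithm") for m in kd.findall("md:EncryptionMethod", NS)],
        })
    return found
```

An empty result means the IDP has no key to encrypt to, which is the situation the answer above describes.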
I can find a KeyDescriptor with use=“encryption” and a certificate in the SP metadata, but we are still getting a 400 Bad Request server error; it doesn’t even get to the login process or the SAML response part.
Signing with the same certificate is working fine, but encryption is causing this issue.
Need help with this part.