Signing in via Single Sign On in Socialcast fails with the error: Unable to decrypt the assertion (2035832)

Symptoms

  • Cannot sign in to Socialcast via Single Sign On (SSO) 
  • Signing in to Socialcast via SSO fails
  • When attempting to sign in to Socialcast via the configured IdP, all users see this message in the browser:
Unexpected exception occurred in Response Handling: Unable to decrypt the assertion.
  • For Socialcast On Premise deployments, the /opt/pingfederate/log/server.log file reports entries similar to:
ERROR [org.sourceid.saml20.profiles.sp.HandleAuthnResponse] Unexpected exception occurred in Response Handling: Unable to decrypt the assertion.
org.sourceid.websso.profiles.ProcessRuntimeException: Unable to decrypt the assertion.
        at org.sourceid.saml20.encryption.EncryptionSupport.decryptAssertion(EncryptionSupport.java:22)
        at org.sourceid.saml20.profiles.sp.HandleAuthnResponse.decryptAssertions(HandleAuthnResponse.java:363)
        at org.sourceid.saml20.profiles.sp.HandleAuthnResponse.verifySignature(HandleAuthnResponse.java:317)
        at org.sourceid.saml20.profiles.ResumableResponseHandlerBase.mainProcessTemplate(ResumableResponseHandlerBase.java:52)
        at org.sourceid.websso.profiles.ResponseHandlerBase.process(ResponseHandlerBase.java:75)
        at org.sourceid.saml20.profiles.ProfileProcessManager.doHandleResponse(ProfileProcessManager.java:92)
        at $ProfileProcessMgmtService_1399166d170.doHandleResponse($ProfileProcessMgmtService_1399166d170.java)
at org.sourceid.websso.servlet.ProtocolControllerServlet.doIt(ProtocolControllerServlet.java:75) at org.sourceid.websso.servlet.ProtocolControllerServlet.process(ProtocolControllerServlet.java:84) at org.sourceid.websso.servlet.EnforcerServletBase.checkProcess(EnforcerServletBase.java:59) at org.sourceid.websso.servlet.EnforcerServletBase.doPost(EnforcerServletBase.java:90) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487) at org.mortbay.jetty.servlet.jsr77.Jsr77ServletHolder.handle(Jsr77ServletHolder.java:74) at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093) at org.sourceid.servlet.filter.NoCacheFilter.doFilter(NoCacheFilter.java:46) at org.sourceid.servlet.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:53) at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084) at org.sourceid.websso.servlet.ProxyFilter.doFilter(ProxyFilter.java:34) at org.sourceid.servlet.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:53) at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084) at org.sourceid.websso.servlet.SessionIdFilter.doFilter(SessionIdFilter.java:67) at org.sourceid.servlet.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:53) at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084) at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360) at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216) at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181) at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726) at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405) at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206) 
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139) at org.mortbay.jetty.Server.handle(Server.java:324) at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505) at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:842) at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648) at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211) at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380) at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228) at com.pingidentity.appserver.jetty.DynamicSslSocketConnector$SslConnection.run(DynamicSslSocketConnector.java:637) at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450) Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Exception in decryption Original Exception was org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size Original Exception was java.security.InvalidKeyException: Illegal key size

Cause

By default, the Socialcast SSO feature supports only 128-bit encryption, because the Java runtime on the appliance ships with the limited-strength JCE jurisdiction policy. Some IdP systems, such as ADFS 2.0 (Active Directory Federation Services), encrypt the SAML assertion with AES-256. The 256-bit key exceeds what the default policy permits, so PingFederate cannot decrypt the assertion; this is the java.security.InvalidKeyException: Illegal key size at the bottom of the stack trace.
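Before changing the IdP or the JVM policy, it is worth confirming which algorithm the IdP actually used. The script below is an added troubleshooting aid, not part of this KB article or of PingFederate: it parses a SAML 2.0 Response (raw XML or the base64 SAMLResponse form value captured with a browser SAML tracer), reads the xenc:EncryptionMethod of each EncryptedAssertion, and flags any data-encryption key longer than 128 bits, the limit the article states for the default policy. The sample response embedded in it is constructed and its ciphertext is a placeholder.

```python
"""Report the XML-Encryption algorithms used in a SAML 2.0 Response.

Added example, not code from the KB article or from PingFederate. Feed it
the SAMLResponse the IdP posts to the SP to see whether the assertion is
AES-256 encrypted (which a JVM with the limited JCE policy cannot decrypt).
"""
import base64
import binascii
import xml.etree.ElementTree as ET  # for untrusted captures prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Standard XML-Encryption data-cipher URIs and their key sizes in bits.
DATA_CIPHER_BITS = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc": 128,
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc": 192,
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc": 256,
    "http://www.w3.org/2009/xmlenc11#aes128-gcm": 128,
    "http://www.w3.org/2009/xmlenc11#aes256-gcm": 256,
}

# Key-size ceiling of the default (limited) JCE policy, as stated in the article.
DEFAULT_POLICY_LIMIT_BITS = 128

# Constructed sample modelled on an ADFS-style response: assertion encrypted
# with AES-256-CBC, session key wrapped with RSA-OAEP. CipherValue is a dummy.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample1" Version="2.0"
    IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def encode_as_form_value(xml_text):
    """Base64-encode XML the way it appears in the SAMLResponse POST parameter."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_response(blob):
    """Accept raw XML or a base64 SAMLResponse value and return the XML text."""
    text = blob.strip()
    if text.startswith("<"):
        return text
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("input is neither XML nor a base64 SAMLResponse") from exc


def inspect_encryption(blob):
    """Return one finding per EncryptedAssertion; an empty list means no encryption."""
    root = ET.fromstring(decode_saml_response(blob))
    findings = []
    for enc_assertion in root.iterfind(".//saml:EncryptedAssertion", NS):
        data = enc_assertion.find("xenc:EncryptedData", NS)
        if data is None:
            continue
        method = data.find("xenc:EncryptionMethod", NS)
        algorithm = method.get("Algorithm") if method is not None else None
        bits = DATA_CIPHER_BITS.get(algorithm)
        # ADFS nests EncryptedKey inside ds:KeyInfo; other IdPs put it beside
        # EncryptedData, so search the whole EncryptedAssertion subtree.
        transport = enc_assertion.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        findings.append({
            "data_algorithm": algorithm,
            "key_bits": bits,  # None for an algorithm not in the table
            "key_transport": transport.get("Algorithm") if transport is not None else None,
            "exceeds_default_policy": bits is not None and bits > DEFAULT_POLICY_LIMIT_BITS,
        })
    return findings


if __name__ == "__main__":
    for finding in inspect_encryption(SAMPLE_RESPONSE) or [None]:
        print(finding if finding else "assertion is not encrypted")
```

Run it against a real capture by replacing SAMPLE_RESPONSE with the SAMLResponse value; a finding with exceeds_default_policy set to True matches the "Illegal key size" failure described above, while an empty list means the assertion is signed but not encrypted and the cause lies elsewhere.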

Resolution

The following options are available to make the IdP compatible with Socialcast. Choose the one that fits your business requirements. The option to increase the cipher strength supported by Socialcast is available only to Socialcast On Premise deployments.

Downgrading encryption strength

If your IdP platform supports downgrading the encryption cipher strength to 128-bit, downgrade the encryption strength. For more information on downgrading the encryption strength, see your IdP system's documentation. For platforms, such as ADFS 2.0, that do not allow downgrading, you may have to disable encryption.

Disabling encryption in the IdP

ADFS 2.0 Method A

  1. Launch the ADFS Management Tool.
  2. Navigate to ADFS 2.0 > Trust Relationships > Relying Party Trusts.
  3. Right-click the appropriate Relying Party item and click Properties.
  4. Click the Encryption tab.
  5. Click Remove to delete the certificate that is defined.
  6. Click OK to apply and save the changes.

ADFS 2.0 Method B

Run these commands in Windows PowerShell as an Administrator:

# Load the ADFS 2.0 cmdlets (not needed on ADFS 3.0 and later, where the module loads automatically)
Add-PSSnapin Microsoft.Adfs.PowerShell
# Stop encrypting claims for this relying party; assertions are still signed
Set-ADFSRelyingPartyTrust -TargetName "Socialcast" -EncryptClaims $false

Where Socialcast is the configured name of the Relying Party.

Add AES 256bit encryption support to PingFederate for Socialcast On Premise SSO

If encryption is a requirement for your environment, it is possible to unlock the security limitations on cipher strength for the Java platform on the Socialcast On Premise appliance.

To do this:

  1. Download the JCE Unlimited Strength Jurisdiction Policy Files 6 from http://www.oracle.com/technetwork/java/javase/downloads/index.html.
  2. Unzip the downloaded files and upload to the SSO node of the appliance using a suitable sftp client such as WinSCP or FileZilla.
  3. Copy the US_export_policy.jar and local_policy.jar files to /usr/lib64/jvm/sun-java-6u18/jre/lib/security/ and overwrite the existing files.
  4. Restart the appliance in the Services section of SCMC.
