This error can be caused by a faulty configuration on either the Identity Provider or the Service Provider.
Possible solutions are:
- The Identity Provider metadata must be imported into the Service Provider
- The password for the certificate file is incorrect
- The idp as set in the file authsources.php must match the metadata key as set in the file metadata-generated/alias/saml20-idp-remote.php (the folder alias can be different as it depends on the alias of the Identity Provider profile created)
Import Identity Provider metadata
To import the data from the Identity Provider you need to do the following:
- Login to the Joomla administrator section
- Go to Components --> RO Single Sign On -> Identity Provider Profiles
- Select the Identity Provider for which the metadata needs to be read
- Click on Refresh Metadata
Password certificate file
If a private key file has been configured and the password is incorrect the login will fail as well because the data cannot be verified, so double check the password. This file is located in the folder libraries/simplesamlphp/cert To check if the password is correct you can run the following command from the command line where your private key is located. Replace YOURFILE with the actual name of your .pem file and YOURPASS with the actual password.
openssl pkey -in YOURFILE.pem -passin pass:YOURPASS -noout
If you get no response this means the password is valid, if you get any other output, the password is invalid.
Match metadata key
While connecting to an Identity Provider the request is checked if the answer is coming from a trusted Identity Provider. For the request to be processed the following 2 settings must match so the system knows which Identity Provider configuration to check. This concerns 2 files:
- libraries/simplesamlphp/config/authsources.php
- libraries/simplesamlphp/metadata-generated/alias/saml20-idp.remote.php
authsources.php
In this file you will find a configuration line called idp and that looks like this. The URL will be the URL of your Identity Provider.
'idp' => 'https://a/url/from/the/identity/provider',
saml20-idp-remote.php
This file is found in the folder libraries/simplesamlphp/metadata-generated and then a subfolder which has the name of the alias of the Identity Provider profile you created. The saml20-idp-remote.php file has the metadata of your Identity Provider. The first line in there contains the URL of your Identity Provider and looks like this.
$metadata['https://a/url/from/the/identity/provider'] = [
This URL and the URL in the authsources.php must match for it being able to be processed.