playframework 2.0 - Pac4j based SP unable to process SAML response - Signature is not trusted


I am developing a Play application using pac4j SAML authentication. I have set up a Shibboleth-based IdP, and it is working fine with a couple of SPs. I have based my Play application on the pac4j demo, which works fine with openidp-feide but is failing against the Shibboleth IdP. I have generated the keystore per the instructions and have configured the IdP metadata in the application. The request goes fine and I am prompted with the authentication page. Once I enter credentials and the response comes back to the Play application, things go wrong. The error message follows:

[debug] - org.apache.xml.security.signature.reference - verification successful uri "#_3b44b10eeb4a12dcf2abfe318a01885e"
[debug] - org.apache.xml.security.signature.manifest - reference has type
[debug] - org.opensaml.xmlsec.signature.support.provider.apachesantuariosignaturevalidationproviderimpl - signature validated key supplied credential
[debug] - org.opensaml.xmlsec.signature.support.impl.basesignaturetrustengine - signature validation using candidate credential successful
[debug] - org.opensaml.xmlsec.signature.support.impl.basesignaturetrustengine - verified signature using keyinfo-derived credential
[debug] - org.opensaml.xmlsec.signature.support.impl.basesignaturetrustengine - attempting establish trust of keyinfo-derived credential
[debug] - org.opensaml.xmlsec.signature.support.impl.basesignaturetrustengine - failed establish trust of keyinfo-derived credential
[debug] - org.opensaml.xmlsec.signature.support.impl.basesignaturetrustengine - failed verify signature and/or establish trust using keyinfo-derived credentials
[debug] - org.opensaml.xmlsec.signature.support.impl.explicitkeysignaturetrustengine - attempting verify signature using trusted credentials
[debug] - org.opensaml.xmlsec.signature.support.impl.explicitkeysignaturetrustengine - failed verify signature using either keyinfo-derived or directly trusted credentials
[error] - play.core.server.netty.playdefaultupstreamhandler - cannot invoke action
org.pac4j.saml.exceptions.samlexception: signature not trusted
    at org.pac4j.saml.sso.impl.saml2defaultresponsevalidator.validatesignature(saml2defaultresponsevalidator.java:690) ~[pac4j-saml-1.8.3.jar:na]
    at org.pac4j.saml.sso.impl.saml2defaultresponsevalidator.validatesamlprotocolresponse(saml2defaultresponsevalidator.java:206) ~[pac4j-saml-1.8.3.jar:na]
    at org.pac4j.saml.sso.impl.saml2defaultresponsevalidator.validate(saml2defaultresponsevalidator.java:144) ~[pac4j-saml-1.8.3.jar:na]
    at org.pac4j.saml.sso.impl.saml2webssomessagereceiver.receivemessage(saml2webssomessagereceiver.java:96) ~[pac4j-saml-1.8.3.jar:na]
    at org.pac4j.saml.sso.impl.saml2webssoprofilehandler.receive(saml2webssoprofilehandler.java:55) ~[pac4j-saml-1.8.3.jar:na]
    at org.pac4j.saml.client.saml2client.retrievecredentials(saml2client.java:246) ~[pac4j-saml-1.8.3.jar:na]
    at org.pac4j.saml.client.saml2client.retrievecredentials(saml2client.java:75) ~[pac4j-saml-1.8.3.jar:na]
    at org.pac4j.core.client.indirectclient.getcredentials(indirectclient.java:191) ~[pac4j-core-1.8.3.jar:na]

I have checked against the response Shibboleth is sending, and it is clear that the same certificate that has been configured in the SP metadata is being used for signing. I have also checked that the signing certificate of the IdP is the same one provided in the IdP metadata.

The SAML response at Shibboleth is below:

2016-01-24 23:47:12,017 - debug [org.opensaml.saml.saml2.binding.encoding.impl.httppostencoder:198] - marshalling , base64 encoding saml message
2016-01-24 23:47:12,024 - debug [org.opensaml.saml.saml2.binding.encoding.impl.httppostencoder:220] - setting relaystate parameter to: 'myappidp', encoded 'myappidp'
2016-01-24 23:47:12,040 - debug [protocol_message:70] -
<?xml version="1.0" encoding="utf-8"?>
<saml2p:response
    destination="http://lms.myapp.in/auth/complete/tpa-saml/"
    id="_51e20c09b33474416b337650cea49879"
    inresponseto="onelogin_3873668f77ebeefc8e0f4011223f8877d98b17db"
    issueinstant="2016-01-24t18:17:11.804z" version="2.0" xmlns:saml2p="urn:oasis:names:tc:saml:2.0:protocol">
    <saml2:issuer xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion">https://idp.myapp.in/idp/shibboleth</saml2:issuer>
    <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:signedinfo>
            <ds:canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:signaturemethod algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:reference uri="#_51e20c09b33474416b337650cea49879">
                <ds:transforms>
                    <ds:transform algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:transforms>
                <ds:digestmethod algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:digestvalue>nus/wns4laro4u0tcly99kbzwxvk9rg/fd8oozi/mbs=</ds:digestvalue>
            </ds:reference>
        </ds:signedinfo>
        <ds:signaturevalue>[base64 omitted]</ds:signaturevalue>
        <ds:keyinfo>
            <ds:x509data>
                <ds:x509certificate>[base64 omitted]</ds:x509certificate>
            </ds:x509data>
        </ds:keyinfo>
    </ds:signature>
    <saml2p:status>
        <saml2p:statuscode value="urn:oasis:names:tc:saml:2.0:status:success"/>
    </saml2p:status>
    <saml2:encryptedassertion xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion">
        <xenc:encrypteddata id="_53e9ea4d7ce2e06dd7dc5f447e03f248"
            type="http://www.w3.org/2001/04/xmlenc#element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:encryptionmethod
                algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:encryptedkey
                    id="_1f15b021e3b9352a57cc33a7ef00626e"
                    recipient="http://lms.myapp.in/saml" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:encryptionmethod
                        algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <ds:digestmethod
                            algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
                    </xenc:encryptionmethod>
                    <ds:keyinfo>
                        <ds:x509data>
                            <ds:x509certificate>[base64 omitted]</ds:x509certificate>
                        </ds:x509data>
                    </ds:keyinfo>
                    <xenc:cipherdata xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:ciphervalue>[base64 omitted]</xenc:ciphervalue>
                    </xenc:cipherdata>
                </xenc:encryptedkey>
            </ds:keyinfo>
            <xenc:cipherdata xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:ciphervalue>[base64 omitted]</xenc:ciphervalue>
            </xenc:cipherdata>
        </xenc:encrypteddata>
    </saml2:encryptedassertion>
</saml2p:response>

While the SAML response being received at Play is below:

[debug] - org.apache.xml.security.signature.manifest - verify 1 references
[debug] - org.apache.xml.security.signature.manifest - not requested follow nested manifests
[debug] - org.apache.xml.security.utils.elementproxy - setelement("ds:reference", "")
[debug] - org.apache.xml.security.utils.elementproxy - setelement("ds:transforms", "")
[debug] - org.apache.xml.security.algorithms.jcemapper - request uri http://www.w3.org/2001/04/xmlenc#sha512
[debug] - org.apache.xml.security.utils.resolver.resourceresolver - asked create resourceresolver , got 0
[debug] - org.apache.xml.security.utils.resolver.resourceresolver - check resolvability class org.apache.xml.security.utils.resolver.resourceresolver
[debug] - org.apache.xml.security.utils.resolver.implementations.resolverfragment - state can resolve reference: "#_3b44b10eeb4a12dcf2abfe318a01885e"
[debug] - org.apache.xml.security.utils.resolver.implementations.resolverfragment - try catch element id _3b44b10eeb4a12dcf2abfe318a01885e , element [saml2p:response: null]
[debug] - org.apache.xml.security.utils.elementproxy - setelement("ds:transform", "")
[debug] - org.apache.xml.security.transforms.transforms - perform (0)th http://www.w3.org/2000/09/xmldsig#enveloped-signature transform
[debug] - org.apache.xml.security.utils.elementproxy - setelement("ds:transform", "")
[debug] - org.apache.xml.security.utils.digesteroutputstream - pre-digested input:
[debug] - org.apache.xml.security.utils.digesteroutputstream -
<saml2p:response xmlns:saml2p="urn:oasis:names:tc:saml:2.0:protocol" destination="http://portal.myapp.in/callback?client_name=saml2client" id="_3b44b10eeb4a12dcf2abfe318a01885e" inresponseto="_ryoorwhqkqx08jkedtd54lx4ar5ebfgwryqn5bz" issueinstant="2016-01-24t18:16:25.262z" version="2.0">
    <saml2:issuer xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion">https://idp.myapp.in/idp/shibboleth</saml2:issuer>
    <saml2p:status>
        <saml2p:statuscode value="urn:oasis:names:tc:saml:2.0:status:success"></saml2p:statuscode>
    </saml2p:status>
    <saml2:encryptedassertion xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion">
        <xenc:encrypteddata xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" id="_1d9472da7abbc00140a313b15b4a6874" type="http://www.w3.org/2001/04/xmlenc#element">
            <xenc:encryptionmethod algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:encryptionmethod>
            <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:encryptedkey id="_d87aeb230d3dc2281f31f0ad9df7bfee" recipient="http://portal.myapp.in/saml">
                    <xenc:encryptionmethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <ds:digestmethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:digestmethod>
                    </xenc:encryptionmethod>
                    <ds:keyinfo>
                        <ds:x509data>
                            <ds:x509certificate>[base64 omitted]</ds:x509certificate>
                        </ds:x509data>
                    </ds:keyinfo>
                    <xenc:cipherdata>
                        <xenc:ciphervalue>[base64 omitted]</xenc:ciphervalue>
                    </xenc:cipherdata>
                </xenc:encryptedkey>
            </ds:keyinfo>
            <xenc:cipherdata>
                <xenc:ciphervalue>[base64 omitted]</xenc:ciphervalue>
            </xenc:cipherdata>
        </xenc:encrypteddata>
    </saml2:encryptedassertion>
</saml2p:response>

I am really not sure what I am doing wrong here. I would appreciate any help in this matter.

You need to import the IdP's certificate into your keystore. keytool should ask if you want to trust the certificate, and you'll answer 'yes' (after visually verifying the fingerprints, of course).

The certificate should be the one in the IdP metadata XML file (they should match).
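
The comparison the answer describes, as an added Python example that is not part of the original post or of pac4j: it fingerprints the certificate carried in the response's own signature and checks it against the signing certificates that the IdP metadata lists for the response's issuer. The function names, the sample metadata and response, and the stand-in "certificate" bytes are all constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
ISSUER_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Issuer"

def fingerprint(b64_text):
    # SHA-256 over the decoded bytes; base64 in XML is usually line-wrapped.
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()

def metadata_signing_fingerprints(metadata_xml, entity_id):
    """Fingerprints of the certificates the metadata lists for signing by entity_id."""
    found = set()
    for entity in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % MD):
        if entity.get("entityID") == entity_id:
            for kd in entity.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
                # A KeyDescriptor with no 'use' attribute covers signing and encryption.
                if kd.get("use", "signing") == "signing":
                    found.update(fingerprint(c.text)
                                 for c in kd.iterfind(".//ds:X509Certificate", NS))
    return found

def check_trust(metadata_xml, response_xml):
    """Compare the Response's signing certificate with the metadata for its Issuer."""
    root = ET.fromstring(response_xml)
    issuer = (root.findtext(ISSUER_TAG) or "").strip()
    # Direct child only: the KeyInfo inside EncryptedAssertion holds the SP's
    # encryption certificate, not the IdP's signing certificate.
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    presented = fingerprint(cert.text) if cert is not None else None
    trusted = metadata_signing_fingerprints(metadata_xml, issuer)
    return {"issuer": issuer, "presented": presented, "trusted": presented in trusted}

# --- constructed sample data: the "certificates" are stand-in bytes, not real X.509 ---
CERT_A = b"constructed signing cert A"
CERT_B = b"constructed encryption cert B"
IDP = "https://idp.example.org/idp/shibboleth"

def key_info(raw):
    return ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo>" % base64.b64encode(raw).decode())

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="{IDP}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">{key_info(CERT_A)}</md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">{key_info(CERT_B)}</md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sample_response(cert_bytes):
    return f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="{DS}">
  <saml2:Issuer>{IDP}</saml2:Issuer>
  <ds:Signature>{key_info(cert_bytes)}</ds:Signature>
</saml2p:Response>"""

if __name__ == "__main__":
    for raw in (CERT_A, CERT_B):
        print(check_trust(SAMPLE_METADATA, sample_response(raw)))
```

A `trusted: False` result for a response whose signature itself verifies corresponds to the "failed establish trust of keyinfo-derived credential" lines in the log above: the key is valid for the signature but is not one the SP has been told to accept for that issuer.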

