Problem with SAML addon deployed in UberJar

Hi,

I am getting the same issue in UberJar, platform version 7.2.7, SAML v0.4.2,
also in the not deployed application.

13:51:52.039 ERROR c.h.a.s.w.s.s.SamlCommunicationServiceBean- Failed to get SP metadata
java.lang.NullPointerException: invalid null input
	at java.base/java.security.KeyStore$PrivateKeyEntry.<init>(KeyStore.java:539) ~[na:na]
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetEntry(PKCS12KeyStore.java:1351) ~[na:na]
	at java.base/sun.security.util.KeyStoreDelegator.engineGetEntry(KeyStoreDelegator.java:166) ~[na:na]
	at java.base/java.security.KeyStore.getEntry(KeyStore.java:1555) ~[na:na]
	at org.opensaml.xml.security.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:132) ~[xmltooling-1.4.6.jar:na]
	at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57) ~[xmltooling-1.4.6.jar:na]
	at org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:30) ~[xmltooling-1.4.6.jar:na]
	at org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:26) ~[xmltooling-1.4.6.jar:na]
	at org.springframework.security.saml.key.JKSKeyManager.resolveSingle(JKSKeyManager.java:171) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
	at org.springframework.security.saml.key.JKSKeyManager.getCredential(JKSKeyManager.java:191) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
	at org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfo(MetadataGenerator.java:205) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
	at org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor(MetadataGenerator.java:329) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
	at org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata(MetadataGenerator.java:189) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
	at com.haulmont.addon.saml.saml.internal.impl.SamlConnectionsMetadataManagerImpl.generateSpProvider(SamlConnectionsMetadataManagerImpl.java:195) ~[saml-addon-web-0.4.2.jar:na]
	at com.haulmont.addon.saml.saml.internal.impl.SamlConnectionsMetadataManagerImpl.generateSpMetadata(SamlConnectionsMetadataManagerImpl.java:262) ~[saml-addon-web-0.4.2.jar:na]
	at com.haulmont.addon.saml.web.security.saml.SamlCommunicationServiceBean.getSpMetadata(SamlCommunicationServiceBean.java:265) ~[saml-addon-web-0.4.2.jar:na]
	at com.haulmont.addon.saml.web.samlconnection.SamlConnectionEdit$1$1.run(SamlConnectionEdit.java:124) ~[saml-addon-web-0.4.2.jar:na]
	at com.haulmont.addon.saml.web.samlconnection.SamlConnectionEdit$1$1.run(SamlConnectionEdit.java:118) ~[saml-addon-web-0.4.2.jar:na]
	at com.haulmont.cuba.web.gui.executors.impl.WebBackgroundWorker$WebTaskExecutor.call(WebBackgroundWorker.java:205) ~[cuba-web-7.2.7.jar:7.2.7]
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
	at com.haulmont.cuba.web.gui.executors.impl.WebBackgroundWorker$WebTaskExecutor.lambda$startExecution$1(WebBackgroundWorker.java:376) ~[cuba-web-7.2.7.jar:7.2.7]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
	at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
13:51:52.039 ERROR c.h.a.s.w.s.SamlConnectionEdit          - Failed to load sp metadata
java.lang.RuntimeException: Error in SP metadata: invalid null input
	at com.haulmont.addon.saml.web.security.saml.SamlCommunicationServiceBean.getSpMetadata(SamlCommunicationServiceBean.java:268) ~[saml-addon-web-0.4.2.jar:na]
	at com.haulmont.addon.saml.web.samlconnection.SamlConnectionEdit$1$1.run(SamlConnectionEdit.java:124) ~[saml-addon-web-0.4.2.jar:na]
	at com.haulmont.addon.saml.web.samlconnection.SamlConnectionEdit$1$1.run(SamlConnectionEdit.java:118) ~[saml-addon-web-0.4.2.jar:na]
	at com.haulmont.cuba.web.gui.executors.impl.WebBackgroundWorker$WebTaskExecutor.call(WebBackgroundWorker.java:205) ~[cuba-web-7.2.7.jar:7.2.7]
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
	at com.haulmont.cuba.web.gui.executors.impl.WebBackgroundWorker$WebTaskExecutor.lambda$startExecution$1(WebBackgroundWorker.java:376) ~[cuba-web-7.2.7.jar:7.2.7]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
	at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]

Also, when I try to click on the OK button at the bottom I get this:
image

At the moment it looks like there is also a problem with the SSO path URL which Google provides:

https://accounts.google.com/o/saml2/idp?idpid=C045ag7y5

compared to this one from sso circle:

https://idp.ssocircle.com:443/sso/ArtifactResolver/metaAlias/publicidp

Hi, @igor.sovcik

This error has likely occurred because of an incorrect JKS file. You can find more information about generating a JKS in the Spring docs or in the keytool utility docs. For testing purposes you can use the samlKeystore.jks provided by the Spring sample project. In the keystore editor screen specify login: apollo, password: nalle123.

The SSO Path parameter is actually used to identify the SAML connection and is used as the value for the tenant parameter. So, it is an addon-specific property and does not relate to the actual IDP URL.

Recently, we have updated the SAML demo project to the latest CUBA 7.2.7 version, so please try it out.

Regards,
Gleb

Thank you, @shalyganov. Can you direct me with the settings?
This is a screenshot of the Google-side settings. I am not sure what to put into ACS URL and Start URL, and also how to set the Name ID format.

With the settings in the screenshot I am getting into some kind of browser redirect loop where the CUBA app redirects to the IDP and the IDP back to the CUBA app.

image

In the app log I can only see this:
This log was collected through one redirect cycle.

2020-08-20 11:49:35.878 DEBUG [qtp2023938592-23] org.opensaml.ws.message.encoder.BaseMessageEncoder - Successfully encoded message.
2020-08-20 11:49:36.597 DEBUG [qtp2023938592-249] com.haulmont.addon.saml.web.security.saml.SamlLoginHttpRequestFilter - Redirecting to SAML connection 'google' login page
2020-08-20 11:49:36.621 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of desktop
2020-08-20 11:49:36.621 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.provider.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: desktop
2020-08-20 11:49:36.621 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of desktop
2020-08-20 11:49:36.622 DEBUG [qtp2023938592-23] org.opensaml.xml.security.credential.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
2020-08-20 11:49:36.622 DEBUG [qtp2023938592-23] org.opensaml.xml.security.credential.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
2020-08-20 11:49:36.622 DEBUG [qtp2023938592-23] org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2020-08-20 11:49:36.622 DEBUG [qtp2023938592-23] org.opensaml.xml.security.credential.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
2020-08-20 11:49:36.622 DEBUG [qtp2023938592-23] org.opensaml.xml.security.credential.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
2020-08-20 11:49:36.622 DEBUG [qtp2023938592-23] org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2020-08-20 11:49:36.623 DEBUG [qtp2023938592-23] org.opensaml.xml.parse.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
2020-08-20 11:49:36.623 DEBUG [qtp2023938592-23] org.opensaml.xml.parse.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
2020-08-20 11:49:36.624 DEBUG [qtp2023938592-23] org.opensaml.xml.parse.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
2020-08-20 11:49:36.624 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.provider.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Metadata document did not contain a descriptor for entity https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor for entity https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.provider.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selecting default IndexedEndpoint
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selected IndexedEndpoint with explicit isDefault of true
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selecting default IndexedEndpoint
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selected IndexedEndpoint with explicit isDefault of true
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selecting default IndexedEndpoint
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selected IndexedEndpoint with explicit isDefault of true
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selecting default IndexedEndpoint
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selected IndexedEndpoint with explicit isDefault of true
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.ws.message.encoder.BaseMessageEncoder - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder - Deflating and Base64 encoding SAML message
2020-08-20 11:49:36.625 DEBUG [qtp2023938592-23] org.opensaml.ws.message.encoder.BaseMessageEncoder - Marshalling message
2020-08-20 11:49:36.626 DEBUG [qtp2023938592-23] org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder - Building URL to redirect client to
2020-08-20 11:49:36.627 DEBUG [qtp2023938592-23] org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder - Generating signature with key type 'RSA', algorithm URI 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' over query string 'SAMLRequest=fZHNTsMwEIRfxdp7E9dt2mA1rUoRAglE1QQO3JZkm1pN7JB1Knh7Qn8EXDj4YHlmZz3fbPFRV%2BJALRtnExgGEgTZ3BXGlgk8Z7eDGBbzGWNdqUYvO7%2BzG3rviL3ojZb16SWBrrXaIRvWFmti7XOdLh8ftAqkblrnXe4qEEtman0ftXKWu5ralNqDyel585DAzvuGdRgWxHvvmgA9WQx4r%2BPxeBRi04TfYWGaPoG46TcwFv1x64sR89x11nNQOldWFOSuDt3RpEJTNIv%2BmCJZyXGE5fQzAnHr2pyOn0pgixUTiPubBFBdldMyJtwNUcpdrCbboiyMnEYRIapexGtkNgf6sTF3dG%2FZo%2FUJKKnkQMYDJbPhUI%2Bv9GgSTFT0CmJ9ruLa2FPF%2F%2FX2dhKxvsuy9WD9lGYgXi6oegGcwehjevubyP%2BD8YIB5ueyZ%2BHvSfPz9S%2Fx%2BRc%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1'
2020-08-20 11:49:36.627 DEBUG [qtp2023938592-23] org.opensaml.xml.security.SigningUtil - Computing signature over input using private key of type RSA and JCA algorithm ID SHA1withRSA
2020-08-20 11:49:36.630 DEBUG [qtp2023938592-23] org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder - Generated digital signature value (base64-encoded) iGg/HhlX69lBk6PYBY3voWOVyWctXyITwn9J+qXkXbvF/8dttDH+HWgKq9cO7xzaA+WZCL/l8hmrlWBjjBLycEZyB8mm4bzzO8ilm8nX8w4fsvB1BgnDz6RqVYKaOmmpeUnRcatHIHOI7soiOkSnD34zc68sCHIsA/V7FRuKCd/wqCq00vTZsQ+TwhHepc0fyNnz2S6XlwEQh2w8wz1S4Yn2hroiBwdAErhscicQNSziS8RoZeQU3w2d4dvtJ/M4+wYDiIkuA6MsqXE39qcT2Iyatu+fgscbQA9IWPjxyEr56tk6PZ+/KgfVcn1L2d1C7UwNVTkdPnbNz2atjV+pzw==
2020-08-20 11:49:36.631 DEBUG [qtp2023938592-23] PROTOCOL_MESSAGE - 
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://desktop.atena.sk:8443/app/saml/SSO" Destination="https://accounts.google.com/o/saml2/idp?idpid=C045ag7y5" ForceAuthn="false" ID="a29g7g8eah1a00h826fdgdi0755eaa2" IsPassive="false" IssueInstant="2020-08-20T11:49:36.625Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">desktop</saml2:Issuer>
</saml2p:AuthnRequest>

The Name ID format is as follows; which option should I use on the IDP side:
image

@shalyganov Hi, do you have any advice on this topic? I guess this could be helpful for many Enterprise Gsuite+Cuba-platform users in the future. I am still stuck with the redirect loop mentioned above.

@igor.sovcik,

The ACS URL can be found in the generated SP metadata. It ends with .../app/saml/SSO by default.

Entity ID should be the same as the one you specified in the SAML Connection:
image

The Start URL parameter can be omitted.
By default, EMAIL is used as the Name ID format, so please try using it.

Unfortunately, I don’t have an account in GSuite, so I’m not able to test these settings myself. So please try it and share the results.

Regards,
Gleb
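
The Entity ID and ACS URL advice above can be checked against what the application actually sends. The following is an added example, not part of the thread or of the addon's code: it decodes the SAMLRequest query string that the debug log prints for the HTTP-Redirect binding and compares Issuer and AssertionConsumerServiceURL with the values typed into the IdP's service-provider form. The sample request is constructed from the values shown in the log, the function names are hypothetical, and exact string matching on the IdP side is an assumption.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample modelled on the AuthnRequest in the log above
# (ID and IssueInstant are made up).
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="https://desktop.atena.sk:8443/app/saml/SSO" '
    'Destination="https://accounts.google.com/o/saml2/idp?idpid=C045ag7y5" '
    'ForceAuthn="false" ID="a0constructedsampleid" IsPassive="false" '
    'IssueInstant="2020-08-20T00:00:00.000Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">desktop</saml2:Issuer>'
    '</saml2p:AuthnRequest>'
)


def encode_redirect_request(xml_text):
    """Encode like the HTTP-Redirect binding: raw DEFLATE, Base64, URL-encode."""
    comp = zlib.compressobj(wbits=-15)  # -15 = raw stream, no zlib header
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii")})


def decode_redirect_request(query_string, max_size=65536):
    """Reverse the encoding; returns the AuthnRequest XML as bytes."""
    params = parse_qs(query_string)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in query string")
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(wbits=-15)
    xml_bytes = inflater.decompress(raw, max_size)  # cap the inflated size
    if inflater.unconsumed_tail:
        raise ValueError("inflated message exceeds size limit")
    return xml_bytes


def summarize_authn_request(xml_bytes):
    """Pull out the fields that must agree with the IdP-side configuration."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD is not expected in a SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML 2.0 AuthnRequest: %s" % root.tag)
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "protocol_binding": root.get("ProtocolBinding"),
    }


def compare_with_idp(summary, idp_entity_id, idp_acs_url):
    """List mismatches between the request and the values entered at the IdP.

    Assumption: the IdP compares both values as exact strings.
    """
    problems = []
    if summary["issuer"] != idp_entity_id:
        problems.append("Entity ID: SP sends %r, IdP has %r"
                        % (summary["issuer"], idp_entity_id))
    if summary["acs_url"] != idp_acs_url:
        problems.append("ACS URL: SP sends %r, IdP has %r"
                        % (summary["acs_url"], idp_acs_url))
    return problems


if __name__ == "__main__":
    # In practice, paste the query string from the log line
    # "Generating signature ... over query string '...'" instead.
    query = encode_redirect_request(SAMPLE_AUTHN_REQUEST)
    summary = summarize_authn_request(decode_redirect_request(query))
    for key, value in summary.items():
        print("%-17s %s" % (key, value))
    for line in compare_with_idp(summary, "desktop",
                                 "https://desktop.atena.sk:8443/app/saml/SSO"):
        print("MISMATCH", line)
```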

With these settings:
image
image

I get HTTP ERROR 500 on screen:

java.lang.NoClassDefFoundError: Could not initialize class org.apache.commons.ssl.TrustMaterial
	at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)
	at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
	at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
	at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.extractCertificates(InlineX509DataProvider.java:192)
	at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.process(InlineX509DataProvider.java:126)
	at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChild(BasicProviderKeyInfoCredentialResolver.java:300)
	at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChildren(BasicProviderKeyInfoCredentialResolver.java:256)
	at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfo(BasicProviderKeyInfoCredentialResolver.java:190)
	at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.resolveFromSource(BasicProviderKeyInfoCredentialResolver.java:149)
	at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
	at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
	at org.opensaml.security.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:275)
	at org.springframework.security.saml.trust.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:123)
	at org.opensaml.security.MetadataCredentialResolver.resolveFromSource(MetadataCredentialResolver.java:178)
	at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
	at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
	at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:98)
	at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)
	at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:271)
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionSignature(WebSSOProfileConsumerImpl.java:419)
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:292)
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
	at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:92)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)
	at com.haulmont.addon.saml.web.security.saml.SamlLoginHttpRequestFilter.doFilter(SamlLoginHttpRequestFilter.java:81)
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
	at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
	at com.haulmont.cuba.web.sys.CubaHttpFilter.doFilter(CubaHttpFilter.java:93)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:214)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1711)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1347)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1678)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1249)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:152)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.Server.handle(Server.java:505)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:427)
	at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:321)
	at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:781)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:917)
	at java.base/java.lang.Thread.run(Thread.java:834)

Here is the log from app.log:

2020-08-26 12:20:41.727 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of desktop
2020-08-26 12:20:41.727 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.provider.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: desktop
2020-08-26 12:20:41.727 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of desktop
2020-08-26 12:20:41.728 DEBUG [qtp2023938592-14288] org.opensaml.xml.security.credential.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
2020-08-26 12:20:41.728 DEBUG [qtp2023938592-14288] org.opensaml.xml.security.credential.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
2020-08-26 12:20:41.728 DEBUG [qtp2023938592-14288] org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2020-08-26 12:20:41.728 DEBUG [qtp2023938592-14288] org.opensaml.xml.security.credential.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
2020-08-26 12:20:41.728 DEBUG [qtp2023938592-14288] org.opensaml.xml.security.credential.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
2020-08-26 12:20:41.728 DEBUG [qtp2023938592-14288] org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2020-08-26 12:20:41.729 DEBUG [qtp2023938592-14288] org.opensaml.xml.parse.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
2020-08-26 12:20:41.729 DEBUG [qtp2023938592-14288] org.opensaml.xml.parse.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
2020-08-26 12:20:41.730 DEBUG [qtp2023938592-14288] org.opensaml.xml.parse.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
2020-08-26 12:20:41.731 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-26 12:20:41.731 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.provider.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-26 12:20:41.731 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-26 12:20:41.731 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Metadata document did not contain a descriptor for entity https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor for entity https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.provider.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.provider.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of https://accounts.google.com/o/saml2?idpid=C045ag7y5
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selecting default IndexedEndpoint
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selected IndexedEndpoint with explicit isDefault of true
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selecting default IndexedEndpoint
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selected IndexedEndpoint with explicit isDefault of true
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selecting default IndexedEndpoint
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selected IndexedEndpoint with explicit isDefault of true
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selecting default IndexedEndpoint
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.metadata.support.SAML2MetadataHelper - Selected IndexedEndpoint with explicit isDefault of true
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.ws.message.encoder.BaseMessageEncoder - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder - Deflating and Base64 encoding SAML message
2020-08-26 12:20:41.732 DEBUG [qtp2023938592-14288] org.opensaml.ws.message.encoder.BaseMessageEncoder - Marshalling message
2020-08-26 12:20:41.735 DEBUG [qtp2023938592-14288] org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder - Building URL to redirect client to
2020-08-26 12:20:41.735 DEBUG [qtp2023938592-14288] org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder - Generating signature with key type 'RSA', algorithm URI 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' over query string 'SAMLRequest=fZFRT8IwFIX%2FSnPf2Uq3ATYMghIiCQbipg%2B%2B1e0yK1s7dzui%2F945IOKLD31oes49t%2Bebzj%2Brkh2xIW1NDEOPA0OT2VybIoandDWYwHw2JVWVopaL1r2ZR%2FxokRzrjIbk6SWGtjHSKtIkjaqQpMtksnjYSOFxWTfW2cyWwBZE2Lgu6s4aaitsEmyOOsOnx00Mb87VJH0%2FRzo4W3vKoVEeHeQkDANf1bX%2FE%2BYnyRbYsttAG%2BX6rS9GlWW2NY68wtqiRC%2BzlW97k%2FB1Xs%2B7o%2FP4joeRKsZfEbCVbTLsPxXDXpWEwNbLGFQkco4Y7m%2BifcDDIAjfowkXQx2MwlH%2BI6KdItJH%2FLURtbg25JRxMQgu%2BIBPBmKUDoUUXIZDbxyIF2C7cxW32pwq%2Fq%2B315OI5H2a7ga7bZICe76g6gRwBiP79OaayP%2BD1QUDzM5lT%2F3rSbPz9S%2Fx2Tc%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1'
2020-08-26 12:20:41.735 DEBUG [qtp2023938592-14288] org.opensaml.xml.security.SigningUtil - Computing signature over input using private key of type RSA and JCA algorithm ID SHA1withRSA
2020-08-26 12:20:41.739 DEBUG [qtp2023938592-14288] org.opensaml.xml.security.SigningUtil - Computed signature:
2020-08-26 12:20:41.739 DEBUG [qtp2023938592-14288] org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder - Generated digital signature value (base64-encoded) DgG+oHGZRR67morLs+hmOf1wNDZayRqwZuKZGK6vQQsJbF4dJFQCpgRmML3ENtI9buYjyEwEfEiKiSTbQXY0RBk/RPxyhUYbHm/RvxEc1ZE3K1V2dWny4t57qPFdTdAZata4tSjIhmAK4ow2YEUJ/2YcVE/U3rujmGWIf/2V2t9ckjm5JpOXnY4zahm4/9svdbm6XGWEmLWkeBSUMkxDT2RvrXETcXTmKhj3RrXGsUQNpUqh80ztCqZJ80MXO7Y90j3izwG/LUBZFNdI7ttKmvSGcLv9fDSDUVDHL+qMkYz94WNEXWeSORM9luIAHIYaoU5pTjWXjaXYcfZoRV+1pA==
2020-08-26 12:20:41.743 DEBUG [qtp2023938592-14288] PROTOCOL_MESSAGE - 
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://desktop.atena.sk:8443/app/saml/SSO" Destination="https://accounts.google.com/o/saml2/idp?idpid=C045ag7y5" ForceAuthn="false" ID="a52d0ee4f95f304334j58021i3646de" IsPassive="false" IssueInstant="2020-08-26T12:20:41.732Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">desktop</saml2:Issuer>
</saml2p:AuthnRequest>

2020-08-26 12:20:41.744 DEBUG [qtp2023938592-14288] org.opensaml.ws.message.encoder.BaseMessageEncoder - Successfully encoded message.
2020-08-26 12:20:42.514 WARN  [qtp2023938592-14289] org.eclipse.jetty.server.HttpChannel - /app/saml/SSO
java.lang.RuntimeException: Failed to determinate SAML connection
    at com.haulmont.addon.saml.saml.internal.impl.SamlConnectionContextProviderImpl.populateConnection(SamlConnectionContextProviderImpl.java:157) ~[na:na]
    at com.haulmont.addon.saml.saml.internal.impl.SamlConnectionContextProviderImpl.getLocalEntity(SamlConnectionContextProviderImpl.java:109) ~[na:na]
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84) ~[na:na]
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[na:na]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[na:na]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) ~[na:na]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185) ~[na:na]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[na:na]
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) ~[na:na]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[na:na]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[na:na]
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[na:na]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[na:na]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[na:na]
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[na:na]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[na:na]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) ~[na:na]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) ~[na:na]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[na:na]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[na:na]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602) ~[app.jar:na]
    at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108) ~[na:na]
    at com.haulmont.addon.saml.web.security.saml.SamlLoginHttpRequestFilter.doFilter(SamlLoginHttpRequestFilter.java:81) ~[na:na]
    at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[na:na]
    at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) ~[na:na]
    at com.haulmont.cuba.web.sys.CubaHttpFilter.doFilter(CubaHttpFilter.java:93) ~[na:na]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) ~[app.jar:na]
    at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:214) ~[app.jar:na]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) ~[app.jar:na]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540) ~[app.jar:na]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146) ~[app.jar:na]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) ~[app.jar:na]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) ~[app.jar:na]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257) ~[app.jar:na]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1711) ~[app.jar:na]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) ~[app.jar:na]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1347) ~[app.jar:na]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) ~[app.jar:na]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) ~[app.jar:na]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1678) ~[app.jar:na]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) ~[app.jar:na]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1249) ~[app.jar:na]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) ~[app.jar:na]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:152) ~[app.jar:na]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) ~[app.jar:na]
    at org.eclipse.jetty.server.Server.handle(Server.java:505) ~[app.jar:na]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370) ~[app.jar:na]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267) ~[app.jar:na]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) ~[app.jar:na]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) ~[app.jar:na]
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:427) ~[app.jar:na]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:321) ~[app.jar:na]
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159) ~[app.jar:na]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) ~[app.jar:na]
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) ~[app.jar:na]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) ~[app.jar:na]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) ~[app.jar:na]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) ~[app.jar:na]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) ~[app.jar:na]
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) ~[app.jar:na]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:781) ~[app.jar:na]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:917) ~[app.jar:na]
    at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]

@shalyganov You can check the error log yourself: https://desktop.atena.sk:8443/app
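The HTTPRedirectDeflateEncoder lines in the debug log above describe the HTTP-Redirect binding: the AuthnRequest is deflated, Base64-encoded and URL-encoded into the SAMLRequest parameter, with SigAlg next to it. As an added example (not part of the original thread or of the add-on's code), this Python script reverses that encoding so the request and its signature algorithm can be read back from a logged redirect URL; the sample request, host names and function names are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SHA1_SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}

def encode_redirect(xml: str) -> str:
    """Raw DEFLATE (no zlib header), then Base64, as HTTP-Redirect requires."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def inspect_redirect(url: str, max_xml_bytes: int = 65536) -> dict:
    """Decode SAMLRequest from a redirect URL and summarise what was sent."""
    query = parse_qs(urlsplit(url).query)  # parse_qs also URL-decodes
    raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(wbits=-15)
    xml = inflater.decompress(raw, max_xml_bytes)  # cap the inflated size
    if not inflater.eof:
        raise ValueError("SAMLRequest is truncated or inflates past the limit")
    root = ET.fromstring(xml)
    issuer = root.find(f"{{{ASSERTION_NS}}}Issuer")
    sig_alg = query.get("SigAlg", [None])[0]
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "response_binding": root.get("ProtocolBinding"),
        "sig_alg": sig_alg,
        "sha1_signature": sig_alg in SHA1_SIG_ALGS,  # SHA-1 is deprecated
    }

# Constructed sample (placeholder hosts and IDs, not the values from the log).
SAMPLE_XML = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="https://sp.example.test/app/saml/SSO" '
    'Destination="https://idp.example.test/sso" ID="a1b2c3" Version="2.0" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'example-sp</saml2:Issuer></saml2p:AuthnRequest>'
)
SAMPLE_URL = "https://idp.example.test/sso?" + urlencode({
    "SAMLRequest": encode_redirect(SAMPLE_XML),
    "SigAlg": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
})
```

Comparing the decoded Issuer, Destination and AssertionConsumerServiceURL with what is registered at the identity provider is a quick way to rule out a configuration mismatch before looking at the keystore.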

It looks like a problem with a keystore.
The issue was discussed here. Could you please check the Tomcat logs as well? Do you see the same error stack trace?

Regards,
Gleb

Cacert keystore is valid and is located where it is supposed to be. I am running java-11-openjdk-amd64 lib.

I am running the application as an uberJar. The only stack traces I am able to find are those I already published here. Can you direct me to where I can find some more logs?

My uberJar has jetty.xml configured in the following way, if it's any help:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

    <Configure id="Server" class="org.eclipse.jetty.server.Server">
        <Call name="addConnector">
            <Arg>
                <New class="org.eclipse.jetty.server.ServerConnector">
                    <Arg name="server">
                        <Ref refid="Server"/>
                    </Arg>
                    <Set name="port">8090</Set>
                </New>
            </Arg>
        </Call>
        <Call name="addConnector">
            <Arg>
                <New class="org.eclipse.jetty.server.ServerConnector">
                    <Arg name="server">
                        <Ref refid="Server"/>
                    </Arg>
                    <Arg>
                        <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
                            <Set name="keyStorePath">keystore</Set>
                            <Set name="keyStorePassword">pass</Set>
                            <Set name="keyManagerPassword">pass</Set>
                            <Set name="trustStorePath">keystore</Set>
                            <Set name="trustStorePassword">pass</Set>
                        </New>
                    </Arg>
                    <Set name="port">8443</Set>
                </New>
            </Arg>
        </Call>
    </Configure>

@shalyganov I posted the jetty.xml config since I'm guessing that the error reported in SAML may be related to the uberJar SSL configuration. Check this conversation: Spring Security SAML - HTTPS connections - Stack Overflow

@shalyganov this is the keystore generation shell script I am using for Jetty:
Certs are obtained from Let's Encrypt by certbot.

# Bundle the Let's Encrypt certificate and private key into a PKCS#12 file
openssl pkcs12 -export \
        -in "/etc/letsencrypt/live/$DOMAIN_NAME/cert.pem" \
        -inkey "/etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem" \
        -out "/tmp/$DOMAIN_NAME.p12" \
        -name "$DOMAIN_NAME" \
        -CAfile "/etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem" \
        -caname "Let's Encrypt Authority X3" \
        -password "pass:$KEY_PASS"
# Import that entry into the keystore file used by Jetty
keytool -importkeystore \
        -deststorepass "$KEY_PASS" \
        -destkeypass "$KEY_PASS" \
        -deststoretype pkcs12 \
        -srckeystore "/tmp/$DOMAIN_NAME.p12" \
        -srcstoretype PKCS12 \
        -srcstorepass "$KEY_PASS" \
        -destkeystore "/tmp/$DOMAIN_NAME.keystore" \
        -alias "$DOMAIN_NAME"

@shalyganov if it will be any help, we can create an account for you for testing purposes?

Regarding the keystore, I am using the test keystore from here: samlKeystroe.jks, as you suggested.

The only difference configuration-wise is that I am using UberJar with HTTPS enabled via jetty.xml, since HTTPS is one of the requirements of G Suite as well as our internal requirement.

@shalyganov by any chance, do you have some solution in mind which could make it work?

@igor.sovcik,

After some investigation we found out that the issue with org.apache.commons.ssl.TrustMaterial is related to the problem with dependencies in the underlying Spring SAML component. We need to update it to the new version.
I’ve created a ticket and I will also notify you in this topic as soon as we publish an update.

Regards,
Gleb
