Scenario:
I have an application that is deployed on-premise at my customers' locations. They wish to log in using the SSO service provided by Okta.
Issue:
I'm using the following as a first step towards understanding how Okta works and how SSO support using SAML 2.0 can be added to my application:
The above application works fine when run on my local laptop: login and logout work correctly using Okta authentication.
When the same application is deployed as a servlet on my local development server (192.168.x.y, under apache-tomee/webapps/sso.war), I can open the 192.168.x.y/sso address in the browser, which opens the Okta user authentication page. Upon entering the correct credentials, I get a blank page and the following error:
Exception: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Exception: cause: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What I tried to move past the above error:
- Adding CA bundle to existing cacerts file:
keytool -importcert -file okta-com-chain.pem -keystore /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts -alias "oktaChain"
The SSL certificate used is taken from the address bar after logging into the Okta dashboard.
- I also tried disabling the SSL check by adding the following to catalina.sh:
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.net.ssl.checkRevocation=false"
In both cases above, the TomEE restart was validated by checking the process id.
The error mentioned earlier persists.
I need your help.
For my Java+JSP application, I'm trying to achieve SSO using SAML 2.0, and it should support Okta.
Also, am I referring to the correct sample code?
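An added diagnostic, not part of the question or of Okta's sample code, that reproduces the JDK's own PKIX path building for a PEM chain against the cacerts of whichever JVM executes it; the default truststore location and the `changeit` password are assumptions. Run it with the same JVM that launches TomEE to see whether that JVM's truststore, rather than the one edited with keytool, can anchor the chain.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

/** Builds a PKIX path for a PEM chain using the running JVM's truststore (hypothetical helper). */
public class PkixCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java PkixCheck <chain.pem> [truststore] [password]");
            System.exit(2);
        }
        // Use the cacerts of the JVM actually running this code, not a hard-coded JDK path.
        String javaHome = System.getProperty("java.home");
        String tsPath = args.length > 1 ? args[1]
                : Paths.get(javaHome, "lib", "security", "cacerts").toString();
        char[] tsPass = (args.length > 2 ? args[2] : "changeit").toCharArray(); // assumed default
        System.out.println("java.home  = " + javaHome);
        System.out.println("truststore = " + tsPath);

        // Parse every certificate in the PEM file; a browser export often holds only the leaf.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        System.out.println("certificates in PEM = " + chain.size());

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(tsPath)) { ts.load(in, tsPass); }

        // Same builder the SSL handshake uses; intermediates come from the PEM, anchors from cacerts.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(ts, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // revocation is a separate step; it does not affect path building
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("OK: anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("FAILED: " + e.getMessage()); // same condition as the SunCertPathBuilderException above
            System.exit(1);
        }
    }
}
```

A FAILED result with the TomEE JVM while keytool -list shows the alias in the edited cacerts means the two point at different truststores; a FAILED result with one certificate in the PEM means the intermediates are missing.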