You are implementing BCCA (Auth Connector) as a SAML IdP in your environment.
After completing the configuration, end users' browsers load a blank white page with an error.
Checking the HTTP headers in a SAML trace or in a Fiddler capture shows the BCCA server returning error 500 (Internal Server Error).
In BCCA logs:
“2018/08/23 19:27:22.365  Failed to sign document: 0xa60005(10878981)”
In HTTP capture or SAML trace:
500 (Internal Server Error)
The BCCA server could not create (self-sign) its SAML certificate because the BCCA service account lacks the required permissions.
Assign an account with sufficient permissions to the BCCA service. To confirm this is the cause, you can test whether assigning a Domain Administrator fixes the problem; then reduce the permissions to what the account you intend to assign to the service actually needs.
After you have changed the user (or if the assigned user already has administrative privileges), follow this procedure to delete and recreate the certificate:
1. Stop the BCCA service.
2. Delete the certificate from the Windows certificate store (Certificates MMC snap-in):
   Certificates (Local Computer) > Personal > Certificates
   Note: The certificate's name ends with "saml.auth".
3. Delete the certificate from the BCCA directory, found under Program Files (x86) > Blue Coat Systems > BCCA.
4. Start the BCCA service again so that it generates the new certificates.
5. Remove the old certificate from the Portal (Service > Authentication > SAML) and import the new certificate that was generated in the BCCA directory.
6. Stop and restart the BCCA service one more time.
7. Test SAML once again. BCCA should now be able to access the private key for the certificate.
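The following PowerShell diagnostic is an added example, not part of the Auth Connector product or of this article. It shows which account the BCCA service runs as, locates the "saml.auth" certificate in the Local Computer > Personal store, and lists who can read its private key file, which is the permission the service needs to sign SAML documents. It assumes the Windows service name is 'BCCA' (a placeholder; confirm with Get-Service) and that the certificate subject contains "saml.auth" as the article states.

```powershell
# Added diagnostic; not part of the Auth Connector product or this article.
$ServiceName = 'BCCA'   # PLACEHOLDER: replace with the actual BCCA service name (see Get-Service)

# 1. Which account runs the service? This is the identity that must be able to read the key.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check the name with Get-Service." }
"Service '$ServiceName' runs as: $($svc.StartName)"

# 2. Locate the SAML certificate in Certificates (Local Computer) > Personal.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*saml.auth*' }
if (-not $certs) { "No certificate with 'saml.auth' in its subject; the service has not generated one yet."; return }

foreach ($cert in $certs) {
    "Certificate: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"
    "  HasPrivateKey: $($cert.HasPrivateKey)"
    if (-not $cert.HasPrivateKey) { "  -> no private key bound to this certificate; recreate it per the procedure above."; continue }

    # 3. Resolve the on-disk key container. Legacy CSP keys expose CspKeyContainerInfo;
    #    CNG keys expose Key.UniqueName through the RSACng object.
    $keyName = $null
    try { $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch {}
    if (-not $keyName) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
        } catch {}
    }
    if (-not $keyName) { "  -> private key present but its container could not be resolved."; continue }

    # 4. Show the ACL on the key file. The account from step 1 (or a group it belongs to)
    #    needs Read access here; without it the 'Failed to sign document' error is expected.
    $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue |
               Select-Object -First 1
    if (-not $keyFile) { "  -> key container '$keyName' not found under ProgramData\Microsoft\Crypto."; continue }
    "  Key file: $($keyFile.FullName)"
    (Get-Acl $keyFile.FullName).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the BCCA server; if the service account does not appear (directly or via group) with Read rights on the key file, the permission problem described above is confirmed.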
For reference, this is a good self-signed certificate generated during the Auth Connector's installation: