
I am trying to configure my application (SP) to work with a remote IDP. The IDP provided me with a certificate to configure with the SP. For the SAML request I get this exception:

org.springframework.security.saml.trust.UntrustedCertificateException: Peer SSL/TLS certificate XXX, issued by XXX is not trusted, add the certificate or it's CA to your trust store and optionally update tlsKey in extended metadata with the certificate's alias.

Follow certificates (in PEM format) presented by the peer. Content between being/end certificate (including) can be stored in a file and imported using keytool, e.g. 'keytool -importcert -file cert.cer -alias certAlias -keystore keystore.jks'). Make sure the presented certificates are issued by your trusted CA before adding them to the keystore.

Why do I get this exception?

I am using Gluu server and its Shibboleth component. In the SP there is an apollo.cert and a samlkeystore.jks; apollo.crt is imported in samlkeystore.jks. I run the SP and get metadata.xml (it contains ds:X509Certificate) and import this file into the Gluu server. I am confused; where is the problem, IDP or SP? What can I do to fix that? I really need help.

EDIT:

@Bernhard, @Guillermo thank you so much for your reply. I am still working on it but can't find out what happens here. I added the metadata XML file in the IdP and the SP.

This is the Gluu IdP metadata; to generate the IdP metadata on the Gluu server I use https://hostname/idp/shibboleth

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://ubuntu.gluu.info/idp/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <IDPSSODescriptor errorURL="https://ubuntu.gluu.info/identity/feedback.htm"
                      protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">ubuntu.gluu.info</shibmd:Scope>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDaDCCAlACCQD165zhtG0q6DANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJ
                        UjELMAkGA1UECAwCVEgxDzANBgNVBAcMBnRlaHJhbjENMAsGA1UECgwER0xVVTEZ
                        MBcGA1UEAwwQdWJ1bnR1LmdsdXUuaW5mbzEfMB0GCSqGSIb3DQEJARYQc3VwcG9y
                        dEBnbHV1Lm9yZzAeFw0xNjA2MTcyMDMxMTlaFw0xNzA2MTcyMDMxMTlaMHYxCzAJ
                        BgNVBAYTAklSMQswCQYDVQQIDAJUSDEPMA0GA1UEBwwGdGVocmFuMQ0wCwYDVQQK
                        DARHTFVVMRkwFwYDVQQDDBB1YnVudHUuZ2x1dS5pbmZvMR8wHQYJKoZIhvcNAQkB
                        FhBzdXBwb3J0QGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
                        AQEAuSkeEK+lK498Yc8OspdYoqoDQLDPs8cF0qE84hLRhdEHU1y++/dzaC6271sV
                        KtTXt/aG1PwBS7unPIMOEKFNJXdO0FHEgt4nkuhq7KUvcR4ckNvL+5Ys5r/3Egzh
                        8nm96Z0jtuUlu1e8b6iAsw+9tYq1olDZO9Hv6hR9V/ZlTolmuZqnXEy3p/47W25p
                        ROLVuR7jIH+cKDVJe8lW1702wWEQWDhxPBJ1fJsMuBA/RiB/J6SBAgkxs/9m513Y
                        +lYaobhqMfocwzt/GAqsq4Fnixf1PldJpi/ZJfnyJ0JOFcLj8YHY/CFRiRm8b3UE
                        1VUYZRTHK9Qc3ryd+KA14QTymwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBRS5aR
                        CSPS+3qoWI5wj3f97QEncv0Q80sb0tzumUJIWqDoYWW0ucyRWGiUSSVIBeVJmmmG
                        Yus9ML6Khb1WNCsXZW3GcBfoA8FImTtTBMyXWHpDtR6Ne156kSv2ymmdyipZo6OB
                        iItWjEgAOmRsynxkJASEPhH5RM8iqGAJVBCgU738so0X3e7N5pQSNMKLiCkf8afK
                        EsL9Q61f9RiLImlehkdw3m2B0wKQJZo1Q1D/L7sZzaOXiif3YkcVNO8t0CJpZSog
                        YSKS+2cM7LTDdiNS3YMpcRdcvZTixDMSAfO+7PDTfubio8ADAmjr7Gj7vwzG8sFi
                        PmIqbqM/Ii1e0kD7
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                                   Location="https://ubuntu.gluu.info:9443/idp/profile/SAML1/SOAP/ArtifactResolution"
                                   index="1"/>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                   Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/ArtifactResolution"
                                   index="2"/>
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                             Location="https://ubuntu.gluu.info/idp/profile/Shibboleth/SSO"/>
        <SingleSignOnService Binding="urn:mace:shibboleth:2.0:profiles:AuthnRequest"
                             Location="https://ubuntu.gluu.info/idp/profile/SAML2/Unsolicited/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             Location="https://ubuntu.gluu.info/idp/profile/SAML2/POST/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                             Location="https://ubuntu.gluu.info/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                             Location="https://ubuntu.gluu.info/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
    <AttributeAuthorityDescriptor
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">ubuntu.gluu.info</shibmd:Scope>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDaDCCAlACCQD165zhtG0q6DANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJ
                        UjELMAkGA1UECAwCVEgxDzANBgNVBAcMBnRlaHJhbjENMAsGA1UECgwER0xVVTEZ
                        MBcGA1UEAwwQdWJ1bnR1LmdsdXUuaW5mbzEfMB0GCSqGSIb3DQEJARYQc3VwcG9y
                        dEBnbHV1Lm9yZzAeFw0xNjA2MTcyMDMxMTlaFw0xNzA2MTcyMDMxMTlaMHYxCzAJ
                        BgNVBAYTAklSMQswCQYDVQQIDAJUSDEPMA0GA1UEBwwGdGVocmFuMQ0wCwYDVQQK
                        DARHTFVVMRkwFwYDVQQDDBB1YnVudHUuZ2x1dS5pbmZvMR8wHQYJKoZIhvcNAQkB
                        FhBzdXBwb3J0QGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
                        AQEAuSkeEK+lK498Yc8OspdYoqoDQLDPs8cF0qE84hLRhdEHU1y++/dzaC6271sV
                        KtTXt/aG1PwBS7unPIMOEKFNJXdO0FHEgt4nkuhq7KUvcR4ckNvL+5Ys5r/3Egzh
                        8nm96Z0jtuUlu1e8b6iAsw+9tYq1olDZO9Hv6hR9V/ZlTolmuZqnXEy3p/47W25p
                        ROLVuR7jIH+cKDVJe8lW1702wWEQWDhxPBJ1fJsMuBA/RiB/J6SBAgkxs/9m513Y
                        +lYaobhqMfocwzt/GAqsq4Fnixf1PldJpi/ZJfnyJ0JOFcLj8YHY/CFRiRm8b3UE
                        1VUYZRTHK9Qc3ryd+KA14QTymwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBRS5aR
                        CSPS+3qoWI5wj3f97QEncv0Q80sb0tzumUJIWqDoYWW0ucyRWGiUSSVIBeVJmmmG
                        Yus9ML6Khb1WNCsXZW3GcBfoA8FImTtTBMyXWHpDtR6Ne156kSv2ymmdyipZo6OB
                        iItWjEgAOmRsynxkJASEPhH5RM8iqGAJVBCgU738so0X3e7N5pQSNMKLiCkf8afK
                        EsL9Q61f9RiLImlehkdw3m2B0wKQJZo1Q1D/L7sZzaOXiif3YkcVNO8t0CJpZSog
                        YSKS+2cM7LTDdiNS3YMpcRdcvZTixDMSAfO+7PDTfubio8ADAmjr7Gj7vwzG8sFi
                        PmIqbqM/Ii1e0kD7
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                          Location="https://ubuntu.gluu.info:9443/idp/profile/SAML1/SOAP/AttributeQuery"/>
        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                          Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/AttributeQuery"/>
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    </AttributeAuthorityDescriptor>
</EntityDescriptor>

Then I add it to the SP in shibboleth-idb.xml.

This is my SP metadata file that should be added to the Gluu IdP:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor ID="http://ubuntu.gluu.info:9090/saml/metadata/alias/defaultAlias"
                     entityID="http://ubuntu.gluu.info:9090/saml/metadata/alias/defaultAlias"
                     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
                        CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
                        MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
                        ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
                        GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
                        ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
                        5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
                        F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
                        qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
                        UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
                        0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
                        82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
                        8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
                        RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
                        bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
                        CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
                        MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
                        ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
                        GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
                        ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
                        5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
                        F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
                        qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
                        UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
                        0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
                        82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
                        8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
                        RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
                        bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="http://ubuntu.gluu.info:9090/saml/SingleLogout/alias/defaultAlias"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="http://ubuntu.gluu.info:9090/saml/SingleLogout/alias/defaultAlias"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                     Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="0"
                                     isDefault="true"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="1"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
                                     Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="2"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
                                     Location="http://ubuntu.gluu.info:9090/saml/HoKSSO/alias/defaultAlias"
                                     hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                     index="3"
                                     xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
                                     Location="http://ubuntu.gluu.info:9090/saml/HoKSSO/alias/defaultAlias"
                                     hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="4"
                                     xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

In the Gluu server I add a new trust relationship and add the SP metadata file to it.

But something strange happens here. In the SP index page I select the Shibboleth IdP, then the login page of the Shibboleth IdP appears; after entering username and password it redirects to my SP and then the exception happens. According to the exception, the IdP sends me this certificate and wants me to add it to my trust store:


Thanks.

mohammad
  • Are you using 'artifact binding'? The message 'Peer SSL/TLS certificate is not trusted' suggests it has nothing to do with SAML itself but with the network connectivity. – Bernhard Thalmayr Jul 01 '16 at 14:58
  • The problem is in the SP. Did you install/configure the IdP metadata in your SP? Add it to your question. Be aware that your SP must verify/trust the SAML message sent by your IdP (e.g. the response to the SP AuthnRequest) – Guillermo Jul 02 '16 at 03:58
  • @Bernhard, Guillermo thank you for the reply, I edited the question and added the metadata file in the SP and the Gluu IdP – mohammad Jul 02 '16 at 23:59

1 Answer


Your SP metadata has

       <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                 Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="0"
                                 isDefault="true"/>

hence artifact binding will be used.

--> The SP tries to connect to the Artifact Resolution service of the IdP (Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/ArtifactResolution").

As this has scheme 'https' a secure SOAP call has to be performed.

Either you configure a JSSE truststore for your deployment container running the app (JVM option -Djavax.net.ssl.trustStore=PATH_TO_JKS_TRUSTORE) and add the provided cert to that truststore, or remove the artifact binding from your SP's metadata and only use front-channel bindings (where all communication goes through the user-agent).

Bernhard Thalmayr
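The two points of the answer worked through as an added example (written for this page, not code from the poster, Spring Security SAML or Gluu): the default HTTP-Artifact AssertionConsumerService is what forces the SP to open its own TLS connection to the IdP's https ArtifactResolution endpoint, and dropping the artifact binding from the SP metadata is one way to make that call go away. The metadata strings are constructed, with example.test hosts and certificates omitted; the holder-of-key handling goes one step beyond the answer by treating a HoK ACS whose ProtocolBinding is artifact the same way as a plain artifact ACS.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HOKSSO = "urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
NS = {"md": MD}
# Constructed metadata cut down from the question's files (certificates omitted, hosts are example.test).
SP_XML = """<md:EntityDescriptor xmlns:md="%s" entityID="http://sp.example.test:9090/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp.example.test:9090/saml/SSO" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test:9090/saml/SSO" index="1"/>
    <md:AssertionConsumerService Binding="%s" Location="http://sp.example.test:9090/saml/HoKSSO"
        xmlns:hoksso="%s" hoksso:ProtocolBinding="%s" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD, HOKSSO, HOKSSO, ARTIFACT)
IDP_XML = """<EntityDescriptor xmlns="%s" entityID="https://idp.example.test/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" index="2"
        Location="https://idp.example.test:9443/idp/profile/SAML2/SOAP/ArtifactResolution"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % MD

def uses_artifact(acs):
    """True for a plain HTTP-Artifact ACS or a holder-of-key ACS whose ProtocolBinding is artifact."""
    return ARTIFACT in (acs.get("Binding"), acs.get("{%s}ProtocolBinding" % HOKSSO))

def default_acs(sp_xml):
    """ACS the IdP uses when the AuthnRequest names none: isDefault="true", else the lowest index."""
    acs = ET.fromstring(sp_xml).findall(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    flagged = [a for a in acs if a.get("isDefault") == "true"]
    return (flagged or sorted(acs, key=lambda a: int(a.get("index", "0"))) or [None])[0]

def backchannel_tls_endpoints(sp_xml, idp_xml):
    """IdP ArtifactResolution URLs the SP would call itself over TLS (the call that raised
    UntrustedCertificateException); each needs the IdP's TLS cert or its CA in the SP JVM truststore."""
    dflt = default_acs(sp_xml)
    if dflt is None or not uses_artifact(dflt):
        return []
    ars = ET.fromstring(idp_xml).findall(".//md:IDPSSODescriptor/md:ArtifactResolutionService", NS)
    return [a.get("Location") for a in ars if urlparse(a.get("Location", "")).scheme == "https"]

def strip_artifact_binding(sp_xml):
    """The answer's second fix: drop every artifact-based ACS, re-index the rest and make the first default."""
    ET.register_namespace("md", MD)
    root = ET.fromstring(sp_xml)
    sso = root.find("md:SPSSODescriptor", NS)
    acs = sso.findall("md:AssertionConsumerService", NS)
    for a in filter(uses_artifact, acs):
        sso.remove(a)
    kept = sorted((a for a in acs if not uses_artifact(a)), key=lambda a: int(a.get("index", "0")))
    for i, a in enumerate(kept):
        a.set("index", str(i))
        a.attrib.pop("isDefault", None)
    if kept:  # only front-channel bindings remain; the lowest-index one becomes the default
        kept[0].set("isDefault", "true")
    return ET.tostring(root, encoding="unicode")
```

The answer's first fix, importing the IdP's TLS certificate into a JKS truststore with keytool and pointing -Djavax.net.ssl.trustStore at it, is a container setting and is not modelled here.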