Недавно меня попросили внедрить протокол SAML в существующий проект
Мой опыт работы с этим протоколом равен нулю, поэтому после нескольких часов исследований я задаю этот вопрос здесь в надежде, что кто-нибудь сможет мне помочь.
Поставщик удостоверений (IdP, первое изображение) и поставщик услуг (SP, второе изображение):
Что я пробовал: я решил использовать OneLogin SAML Java Toolkit и пытаюсь запустить пример проекта.
А вот onelogin.saml.properties — я заполнил файл свойств на основе XML-информации с рисунков:
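# onelogin.saml.properties — read by the OneLogin java-saml toolkit (SettingsBuilder).
# Java .properties syntax: '#' full-line comments, 'key = value', no sections.
#
# If 'strict' is True, then the Java Toolkit will reject unsigned
# or unencrypted messages if it expects them signed or encrypted
# Also will reject the messages if not strictly follow the SAML
# NOTE(review): while this is false, the want_assertions_signed / want_xml_validation
# requirements below are not enforced (see their comments); keep false only while
# debugging the federation setup and switch to true before going live.
onelogin.saml2.strict = false
# Enable debug mode (to print errors)
onelogin.saml2.debug = true
# Service Provider Data that we are deploying
#
# Identifier of the SP entity (must be a URI)
# NOTE(review): the IdP matches this value against the partner metadata imported into
# the federation; the case here ("APP") differs from the URLs below ("app") — confirm
# it is byte-identical to the entityID the IdP administrator registered.
#onelogin.saml2.sp.entityid = http://localhost:8080/java-saml-tookit-jspsample/metadata.jsp
onelogin.saml2.sp.entityid = https://APP.seat.vwg
# Specifies info about where and how the <AuthnResponse> message MUST be
# returned to the requester, in this case our SP.
# URL Location where the <Response> from the IdP will be returned
#onelogin.saml2.sp.assertion_consumer_service.url = http://localhost:8080/java-saml-tookit-jspsample/acs.jsp
onelogin.saml2.sp.assertion_consumer_service.url = https://app.seat.vwg
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-POST binding only
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
# Specifies info about where and how the <Logout Response> message MUST be
# returned to the requester, in this case our SP.
# NOTE(review): this is the same URL as the ACS above; the sample project uses a
# dedicated sls endpoint — verify the application handles LogoutResponse at this URL.
#onelogin.saml2.sp.single_logout_service.url = http://localhost:8080/java-saml-tookit-jspsample/sls.jsp
onelogin.saml2.sp.single_logout_service.url = https://app.seat.vwg
# SAML protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# Specifies constraints on the name identifier to be used to
# represent the requested subject.
# Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
# Usually x509cert and privateKey of the SP are provided by files placed at
# the certs folder. But we can also provide them with the following parameters
onelogin.saml2.sp.x509cert = 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
# Requires Format PKCS#8 BEGIN PRIVATE KEY
# If you have PKCS#1 BEGIN RSA PRIVATE KEY convert it by openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
# NOTE(review): left empty, but sign_metadata = true below requires the SP private key;
# either supply the key (preferably from a file outside version control) or set
# sign_metadata to null.
onelogin.saml2.sp.privatekey =
# Identity Provider Data that we want connect with our SP
#
# Identifier of the IdP entity (must be a URI)
onelogin.saml2.idp.entityid = https://am.seat.vwgroup.com/ampki/sps/saml20idppki/saml20
# SSO endpoint info of the IdP. (Authentication Request protocol)
# URL Target of the IdP where the SP will send the Authentication Request Message
onelogin.saml2.idp.single_sign_on_service.url = https://am.seat.vwgroup.com/ampki/sps/saml20idppki/saml20/login
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# SLO endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Request
onelogin.saml2.idp.single_logout_service.url = https://am.seat.vwgroup.com/ampki/sps/saml20idppki/saml20/slo
# Optional SLO Response endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.
# Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url
onelogin.saml2.idp.single_logout_service.response.url =
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# Public x509 certificate of the IdP
# This is the trust anchor used to verify signatures on messages from the IdP;
# take it from the IdP metadata, never from an untrusted channel.
onelogin.saml2.idp.x509cert = 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
# Instead of use the whole x509cert you can use a fingerprint
# (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
# or add for example the -sha256 , -sha384 or -sha512 parameter)
#
# If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
# let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
# 'sha1' is the default value.
# onelogin.saml2.idp.certfingerprint =
# onelogin.saml2.idp.certfingerprint_algorithm = sha1
# Security settings
#
# Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
# will be encrypted.
onelogin.saml2.security.nameid_encrypted = false
# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
# will be signed. [The Metadata of the SP will offer this info]
onelogin.saml2.security.authnrequest_signed = false
# Indicates whether the <samlp:logoutRequest> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutrequest_signed = false
# Indicates whether the <samlp:logoutResponse> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutresponse_signed = false
# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
# <samlp:LogoutResponse> elements received by this SP to be signed.
onelogin.saml2.security.want_messages_signed = false
# Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed.
# NOTE(review): only enforced when strict = true (see the 'strict' comment at the top).
onelogin.saml2.security.want_assertions_signed = true
# Indicates a requirement for the Metadata of this SP to be signed.
# Right now supported null (in order to not sign) or true (sign using SP private key)
onelogin.saml2.security.sign_metadata = true
# Indicates a requirement for the Assertions received by this SP to be encrypted
onelogin.saml2.security.want_assertions_encrypted = false
# Indicates a requirement for the NameID received by this SP to be encrypted
onelogin.saml2.security.want_nameid_encrypted = false
# Authentication context.
# Set Empty and no AuthContext will be sent in the AuthNRequest
# You can set multiple values (comma separated them)
onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password
# Allows the authn comparison parameter to be set, defaults to 'exact'
# (key name fixed: the prefix 'onelogin.saml2.security.' was duplicated, so the
# toolkit never read this property and silently fell back to its default)
onelogin.saml2.security.requested_authncontextcomparison = exact
# Indicates if the SP will validate all received xmls.
# (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
onelogin.saml2.security.want_xml_validation = true
# Algorithm that the toolkit will use on signing process. Options:
# 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
# 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
# NOTE(review): rsa-sha1 is a deprecated signature algorithm; prefer rsa-sha256
# from the list above once the IdP is confirmed to accept it.
onelogin.saml2.security.signature_algorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha1
# Organization
onelogin.saml2.organization.name = APP
onelogin.saml2.organization.displayname = Seat APP
onelogin.saml2.organization.url = https://app.seat.vwg
onelogin.saml2.organization.lang = en-US
# Contacts
onelogin.saml2.contacts.technical.given_name = Soporte
onelogin.saml2.contacts.technical.email_address = soporte@domain.com
onelogin.saml2.contacts.support.given_name = Soporte 2
onelogin.saml2.contacts.support.email_address = soporte2@domain.com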
Когда я пытаюсь запустить образец веб-приложения на сервере, я получаю ошибку FBTSML224E от IBM Tivoli:
Объяснение: Не найдена необходимая конфигурация для поставщика партнера. Действия системы: Операция будет остановлена. Ответ администратора: Убедитесь, что метаданные поставщика партнера были импортированы в эту федерацию и что файл конфигурации не поврежден.
Я застрял на этом этапе. Может кто-нибудь мне помочь?