Error xmlsec cannot load key

When I try to activate SAML on my Indico with the keys generated by the link Generate SAML Self-Signed X.509 Certificates - Create Self Signed Certs | SAMLTool.com, the message “xmlsec.Error: (1, ‘cannot load key’)” appears, along with the following log:

2025-05-29 16:12:30,484  ERROR    19945b5e42ef495d  -       indico.flask              (1, 'cannot load key')
Traceback (most recent call last):
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask/app.py", line 917, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask/app.py", line 902, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)  # type: ignore[no-any-return]
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/web/flask/util.py", line 80, in wrapper
    return obj().process()
           ^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/web/rh.py", line 312, in process
    res = self._do_process()
          ^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/web/rh.py", line 280, in _do_process
    rv = self._process()
         ^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/webargs/core.py", line 657, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/modules/auth/controllers.py", line 105, in _process
    return provider.initiate_external_login()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/providers/saml.py", line 91, in initiate_external_login
    return redirect(auth.login())
                    ^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/onelogin/saml2/auth.py", line 433, in login
    self.add_request_signature(parameters, security['signatureAlgorithm'])
  File "/opt/indico/.venv/lib/python3.12/site-packages/onelogin/saml2/auth.py", line 532, in add_request_signature
    return self._build_signature(request_data, 'SAMLRequest', sign_algorithm)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/onelogin/saml2/auth.py", line 622, in _build_signature
    signature = OneLogin_Saml2_Utils.sign_binary(msg, key, sign_algorithm_transform, self._settings.is_debug_active())
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/onelogin/saml2/utils.py", line 1006, in sign_binary
    dsig_ctx.key = xmlsec.Key.from_memory(key, xmlsec.KeyFormat.PEM, None)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
xmlsec.Error: (1, 'cannot load key')

How do I fix this problem?
Thanks in advance,

Clóvis

Considering that the error message has no details whatsoever, we can’t do anything but guess…

Try removing the surrounding -----BEGIN PRIVATE KEY----- etc. markers from the key/cert, and put everything else in one line. At least that’s how my test setup worked fine…

Hello,

I did exactly that, and the same error persists.

I don’t know what could be happening.

If you share the full key and cert w/ me privately, I can try myself… otherwise I don’t see much I can do there.

Hello ThiefMaster,

I wanted to try, once again, to generate the certification keys. It may be something related to copy and paste.
I’ll try SAMLTool again.
Thanks for your help so far,

Hello,

Solved.
I kept the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- markers, with a single line in the certificate.
Thanks for your help,
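
An added example, not part of the thread and not Indico or python3-saml code: a standard-library check that a pasted private key survived copy and paste before it goes into the SAML settings. It verifies only the markers, the base64 body and the outer DER length, then returns the key as PEM with markers and 64-character lines; the function names are hypothetical and the sample bytes are constructed, not a real key.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END ([A-Z ]+)-----", re.S)

def der_outer_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length covers every byte."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def normalize_private_key(pasted: str, default_label: str = "PRIVATE KEY") -> str:
    """Return the key as PEM with markers and 64-char lines, or raise ValueError."""
    match = PEM_RE.search(pasted)
    if match:
        if match.group(1) != match.group(3):
            raise ValueError("BEGIN and END labels do not match")
        label, body = match.group(1), match.group(2)
    elif "-----" in pasted:
        raise ValueError("incomplete BEGIN/END marker")
    else:                                 # bare base64, markers were stripped
        label, body = default_label, pasted
    # Drop real whitespace and literal backslash-n sequences left by config editing.
    body = re.sub(r"\s+", "", body.replace("\\n", ""))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from None
    if not der_outer_length_ok(der):
        raise ValueError("body is not one complete DER SEQUENCE (truncated paste?)")
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def constructed_sample_der() -> bytes:
    """Constructed filler shaped like DER for the demo; NOT a real key."""
    body = bytes(i % 251 for i in range(300))
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body
```

A key that passes this check can still be rejected for other reasons (for example if it is password-protected), since the check is structural only.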