SAML SSO failure happens after renewing SAML certificate since CEM 24.4.0

Article ID: CTX678001

Description

When CEM is used as the SAML SSO Identity Provider (IDP), the following failure is reported in the Splunk logs after the SAML certificate is renewed, starting with CEM 24.4.0:

"Exception occurred while reading the keyStore java.io.IOException: exception unwrapping private key - java.security.InvalidKeyException: pad block corrupted"

 

Resolution

As a workaround, use NetScaler as the IDP instead of CEM. The final fix will be delivered in the next CEM build.


Problem Cause

SAML certificate renewal is broken in CEM 24.4.0.