Reputation: 3305
Spring Security SAML IdP Metadata Certificate and Signature
I have looked at many questions including https://stackoverflow.com/a/25384924/1317559. I have the IdP metadata and certificate, but can't seem to get Spring so see it.
- Added the certificate to the keystore: keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file certificate.crt
- In the metadata there are multiple certificates (2 different ones) and a SignatureValue.
- I tried to add the signature value with the same keytool command, but it is not a certificate.
- I tried to add the 2 certificates found in the metadata also.
I enabled debugging log and this is what I get:
- Successfully verified signature using KeyInfo-derived credential
- Attempting to establish trust of KeyInfo-derived credential
- Supplied trusted names are null or empty, skipping name evaluation
- Attempting PKIX path validation on untrusted credential: [subjectName='O=novell,OU=accessManager,CN=test-signing']
- PKIX path construction failed for untrusted credential: [subjectName='O=novell,OU=accessManager,CN=test-signing']: unable to find valid certification path to requested target
- Signature trust could not be established via PKIX validation of signing credential
- Failed to establish trust of KeyInfo-derived credential
- Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
- PKIX validation of signature failed, unable to resolve valid and trusted signing key
- Signature trust establishment failed for metadata entry http://idp.ppd.com/nidp/saml2/metadata
- Error filtering metadata from http://idp.ppd.com/nidp/saml2/metadata org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:312)
Upvotes: 2
Views: 12983
Answers (3)
Reputation: 1149
Also worth noting: Don't change the signed file - happened to me when I reformatted the ADFS generated one-liner. Obviously changes the file's signature.
Upvotes: 1
Reputation: 3305
This problem was fixed. There were many problems in fact. I am using the Spring SAML sample application:
- Need to add the public certificate (the first one after the signature, in the idp metadata) to the samlKeystore.jks under Other sources, security.
- The password is nalle123 .
- Don't put anything in the securityContext.xml file.
Upvotes: 0
Reputation: 15533
The Spring SAML manual describes metadata trust verification in chapter 7.2.4. One option is to disable the trust check, or manually remove the signature XML from metadata. Just like you found out, the certificate to import to samlKeystore.jks is the one used to produce the metadata signature, not the signing/encryption certificates for specific SP or IDP entities.
Upvotes: 5
Related Questions
- How to have a SAML request/response signed using Spring Security SAML extension
- Spring SAML2 IdP certificate update
- Signature trust establishment failed for SAML metadata entry
- Spring SAML SSO - IDP Metadata does not contain SingleSignOnService
- Use of IDP Certificate
- SAML Spring Sample: Signature did not validate against the credential's key
- Spring Security SAML - Signature and Decryption
- How to configuration of IDP metadata and SP metadata in Spring Security SAML sample?
- How to add new idp metadata in spring-SAML at runtime
- SP metadata signing