I downloaded the Sprind SAML sample app and its working fine in my local tomcat (against SSOCircle). Then I added a new SP to point to ADFS in our company. I was having several issues and solved them one by one. Now I am able to send the request and getting a valid saml response and assertion token as well. However i get the following error message: I did follow some old threads (thanks to Vladimír Schäfer) and imported the public key to samlKeystore.jks and still getting the same error. Any help is appreciated. ERROR DETAILS: Canonicalized SignedInfo: QCZQsG03PFbYdFMyX2UaO2rXSXA= verify 1 References I am not requested to follow nested Manifests setElement("ds:Reference", "") setElement("ds:Transforms", "") Request for URI .w3.org/2000/09/xmldsig#sha1 I was asked to create a ResourceResolver and got 0 check resolvability by class org.apache.xml.security.utils.resolver.ResourceResolver State I can resolve reference: "#_28691d8f-b0ab-4c19-ad32-4c60fada6e90" Try to catch an Element with ID _28691d8f-b0ab-4c19-ad32-4c60fada6e90 and Element was [Assertion: null] setElement("ds:Transform", "") Perform the (0)th .w3.org/2000/09/xmldsig#enveloped-signature transform setElement("ds:Transform", "") Pre-digested input: http://adfs.mycompany.com/adfs/services/trust robertRYYGWLoginrobertRurn:federation:authentication:windows Verification successful for URI "#_28691d8f-b0ab-4c19-ad32-4c60fada6e90" The Reference has Type Signature validated with key from supplied credential Signature validation using candidate credential was successful Successfully verified signature using KeyInfo-derived credential Attempting to establish trust of KeyInfo-derived credential Failed to validate untrusted credential against trusted key Failed to validate untrusted credential against trusted key Failed to validate untrusted credential against trusted key Failed to establish trust of KeyInfo-derived credential Failed to verify signature and/or establish trust using any KeyInfo-derived credentials Attempting to verify signature using trusted credentials Attempting to validate signature using key from supplied credential Creating XMLSignature object Validating signature with signature algorithm URI: .w3.org/2000/09/xmldsig#rsa-sha1 Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' signatureMethodURI = .w3.org/2000/09/xmldsig#rsa-sha1 jceSigAlgorithm = SHA1withRSA jceSigProvider = SunRsaSign PublicKey = Sun RSA public key, 2048 bits modulus: 23431177975394 public exponent: 65537 Canonicalized SignedInfo: QCZQsG03PFbYdFMyX2UaO2rXSXA= Signature verification failed. Signature did not validate against the credential's key Signature validation using candidate validation credential failed org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79) at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:142) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:110) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49) at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:267) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionSignature(WebSSOProfileConsumerImpl.java:419) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:292) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214) at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:724) Attempting to validate signature using key from supplied credential Creating XMLSignature object Validating signature with signature algorithm URI: .w3.org/2000/09/xmldsig#rsa-sha1 Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' signatureMethodURI = .w3.org/2000/09/xmldsig#rsa-sha1 jceSigAlgorithm = SHA1withRSA jceSigProvider = SunRsaSign PublicKey = Sun RSA public key, 2048 bits modulus: 2179836566179054962 public exponent: 65537 Canonicalized SignedInfo: QCZQsG03PFbYdFMyX2UaO2rXSXA= Signature verification failed. Signature did not validate against the credential's key Signature validation using candidate validation credential failed org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79) at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:142) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:110) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)

Reputation: 1

Spring SAML exception with Tomcat/ADFS integration

I downloaded the Sprind SAML sample app and its working fine in my local tomcat (against SSOCircle). Then I added a new SP to point to ADFS in our company. I was having several issues and solved them one by one. Now I am able to send the request and getting a valid saml response and assertion token as well. However i get the following error message:

I did follow some old threads (thanks to Vladimír Schäfer) and imported the public key to samlKeystore.jks and still getting the same error. Any help is appreciated.

ERROR DETAILS:

Canonicalized SignedInfo:
QCZQsG03PFbYdFMyX2UaO2rXSXA=
verify 1 References
I am not requested to follow nested Manifests
setElement("ds:Reference", "")
setElement("ds:Transforms", "")
Request for URI .w3.org/2000/09/xmldsig#sha1
I was asked to create a ResourceResolver and got 0
check resolvability by class org.apache.xml.security.utils.resolver.ResourceResolver
State I can resolve reference: "#_28691d8f-b0ab-4c19-ad32-4c60fada6e90"
Try to catch an Element with ID _28691d8f-b0ab-4c19-ad32-4c60fada6e90 and Element was [Assertion: null]
setElement("ds:Transform", "")
Perform the (0)th .w3.org/2000/09/xmldsig#enveloped-signature transform
setElement("ds:Transform", "")
Pre-digested input:
http://adfs.mycompany.com/adfs/services/trustrobertRYYGWLoginrobertRurn:federation:authentication:windows
Verification successful for URI "#_28691d8f-b0ab-4c19-ad32-4c60fada6e90"
The Reference has Type
Signature validated with key from supplied credential
Signature validation using candidate credential was successful
Successfully verified signature using KeyInfo-derived credential
Attempting to establish trust of KeyInfo-derived credential
Failed to validate untrusted credential against trusted key
Failed to validate untrusted credential against trusted key
Failed to validate untrusted credential against trusted key
Failed to establish trust of KeyInfo-derived credential
Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
Attempting to verify signature using trusted credentials
Attempting to validate signature using key from supplied credential
Creating XMLSignature object
Validating signature with signature algorithm URI: .w3.org/2000/09/xmldsig#rsa-sha1
Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
signatureMethodURI = .w3.org/2000/09/xmldsig#rsa-sha1
jceSigAlgorithm = SHA1withRSA
jceSigProvider = SunRsaSign
PublicKey = Sun RSA public key, 2048 bits modulus: 23431177975394 public exponent: 65537
Canonicalized SignedInfo:
QCZQsG03PFbYdFMyX2UaO2rXSXA=
Signature verification failed.
Signature did not validate against the credential's key
Signature validation using candidate validation credential failed org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79) at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:142) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:110) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49) at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:267) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionSignature(WebSSOProfileConsumerImpl.java:419) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:292) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214) at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:724)
Attempting to validate signature using key from supplied credential
Creating XMLSignature object
Validating signature with signature algorithm URI: .w3.org/2000/09/xmldsig#rsa-sha1
Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
signatureMethodURI = .w3.org/2000/09/xmldsig#rsa-sha1
jceSigAlgorithm = SHA1withRSA
jceSigProvider = SunRsaSign
PublicKey = Sun RSA public key, 2048 bits modulus: 2179836566179054962 public exponent: 65537
Canonicalized SignedInfo:
QCZQsG03PFbYdFMyX2UaO2rXSXA=
Signature verification failed.
Signature did not validate against the credential's key
Signature validation using candidate validation credential failed org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79) at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:142) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:110) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)

Upvotes: 0

Answers (2)

Roshan

Reputation: 77

Signature verification failed. Signature did not validate against the credential's key Signature validation using candidate validation credential failed org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key at

This error occurs when you are trying to validate saml response or assertion with different publicKey and it signed with different public-private key pair. First verify saml response signature x509 certificate and yours idp public certificate it will not be same.

Upvotes: 1

meetarun

Reputation: 569

below might help you, please verify your idp.xml has same public as your IDP/IDP Realm . Make sure IDP and Application in same timeZone/Time.

Upvotes: 0

Spring SAML exception with Tomcat/ADFS integration

Answers (2)

Related Questions