Reputation: 2625
Spring SAML Sample: SSOCircle SHA256 not supported
I am trying the Spring SAML Sample project with SSOCircle and default keystore. After importing the SP metadata into SSOCircle, the SSO worked correctly.
Now, I wanted to change the encryption algorithm from SHA-1 to RSA SHA-256. So I extended the SAMLBootstrap class as shown here:
public final class CustomSAMLBootstrap extends SAMLBootstrap {
@Override
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
super.postProcessBeanFactory(beanFactory);
BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
}
Also here is the extended metadata configuration
<!-- Extended metadata properties -->
<bean id="extendedMetadataSP" class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true"/>
<property name="securityProfile" value="metaiop"/>
<property name="sslSecurityProfile" value="pkix"/>
<property name="signingKey" value="apollo"/>
<property name="encryptionKey" value="apollo"/>
<property name="signMetadata" value="true" />
<property name="signingAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<property name="idpDiscoveryEnabled" value="true"/>
<property name="idpDiscoveryURL" value="${entityBaseURL}/saml/discovery"/>
<property name="idpDiscoveryResponseURL" value="${entityBaseURL}/saml/login?disco=true"/>
</bean>
So I regenerated the metadata via the org.springframework.security.saml.metadata.MetadataGenerator bean and tried to re-upload the newly generated SP xml. Although SSOCircle will fail with 007 error code.
At this point I am not sure if there is an additional step to complete for me in order to use sha256 on SSOCircle?
Can someone please help?
EDIT:
The problem I am having when uploading the metadata to SSOCircle I believe it has to do with the EntityDescriptor section where the signature algorith is specified as SHA256 as below:
<?xml version="1.0"?>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#urn_com_apakgroup_bristol">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>mAT5iN6IWyTCQiPplFmOq4vu8SUzCBfpAC4XBOu2+eM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>i6hH............bA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDZTCCA............eVdvh</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
Changed signMetadata to false, unfortunately it does not make a difference.
<property name="signMetadata" value="false" />
SAML RESPONSE:
2016-09-13 15:03:06,786 DEBUG org.opensaml.xml.security.SigningUtil:115 - Computing signature over input using private key of type RSA and JCA algorithm ID SHA256withRSA
2016-09-13 15:03:06,802 DEBUG org.opensaml.xml.security.SigningUtil:123 - Computed signature: 8b4...dfa9
2016-09-13 15:03:06,802 DEBUG opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder:251 - Generated digital signature value (base64-encoded) i0...==
2016-09-13 15:03:06,803 DEBUG PROTOCOL_MESSAGE:74 -
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8080/saml/SSO" Destination="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/publicidp" ForceAuthn="false" ID="ac8eeg2j9d932hh4fe90fa71844e00" IsPassive="false" IssueInstant="2016-09-13T14:03:06.775Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">...[my-sp]...</saml2:Issuer>
</saml2p:AuthnRequest>
2016-09-13 15:03:06,803 DEBUG opensaml.ws.message.encoder.BaseMessageEncoder:56 - Successfully encoded message.
2016-09-13 15:03:06,804 DEBUG springframework.security.saml.storage.HttpSessionStorage:93 - Storing message ac8eeg2j9d932hh4fe90fa71844e00 to session C17D8A94DED2F79BDD92CBF7A99462C6
2016-09-13 15:03:06,805 INFO springframework.security.saml.log.SAMLDefaultLogger:127 - AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;...[my-sp]...;https://idp.ssocircle.com;;;
Upvotes: 0
Views: 1230
Answers (1)
Reputation: 457
The reason for error7 is that the signature of the meta data cannot be validated. This is described at the : how-to section "Signed metadata might cause validation problems. We recommend removal of the signature as the fastest workaround."
You have meta data signature enabled:
<property name="signMetadata" value="true" />
turn it to "false".
Upvotes: 0
Related Questions
- Spring Security SAML - Failed to verify signature
- Spring SAML handshake failure - Failed to validate untrusted credential against trusted key
- Single Sign On(SSO) using SAML with Spring Security
- SAML based SSO using Spring Security with JAVA 11 failed with error java.security.KeyStoreException: Uninitialized keystore
- SSOCircle Error 0007 when registering a Service Provider
- Configure Spring Security SAML to use SHA-256 as secure hash algorithm
- Spring saml SSO
- SAML Spring Sample: Signature did not validate against the credential's key
- SSL configuration issue with Spring-SAML
- What is the reason for below error while implementing SAML SSO