Reputation: 4026
Hi, I got this error message:
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Signature was null
On validating a SAML response from Azure AD.
For test purposes I saved a response file as XML and found a tag:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    <ds:Reference URI="#_97031c65-0139-4047-a416-9495df5d6ed7">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      <ds:DigestValue>KMaFHRt8inqVYsMGKnAryKUTQUbYGPUDPxdvj6T08OQ=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>.....</ds:SignatureValue>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
      <X509Certificate>....</X509Certificate>
    </X509Data>
  </KeyInfo>
</ds:Signature>
I unmarshal the XML response:
// Bootstraps the OpenSAML 3 registry (builders, marshallers, unmarshallers) from whatever impl modules are on the classpath
InitializationService.initialize();
// Plain JAXP parser; note that it does not disable DTD processing, so it is not hardened against external entities
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true); // required, otherwise ds:/saml: prefixes are not resolved
DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
// Read and re-encode explicitly as UTF-8 rather than the platform default charset
String content = new String(Files.readAllBytes(Paths.get("saml_response_azure.xml")), StandardCharsets.UTF_8);
Document document = docBuilder.parse(new ByteArrayInputStream(content.trim().getBytes(StandardCharsets.UTF_8)));
Element element = document.getDocumentElement();
// Look up the unmarshaller registered for the root element's QName (samlp:Response)
Unmarshaller unmarshaller = XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(element);
Response response = (Response) unmarshaller.unmarshall(element);
And the error occurs at:
Signature signature = response.getAssertions().get(0).getSignature(); // returns null
SAMLSignatureProfileValidator profValidator = new SAMLSignatureProfileValidator();
profValidator.validate(signature); // throws ConstraintViolationException: Signature was null
Upvotes: 2
Views: 2297
Reputation: 5595
Ok, I think I found it, it looks like you did not add any implementation dependencies to your POM. When I use your POM and include this dependency, I get the signature object.
<dependency>
  <groupId>org.opensaml</groupId>
  <artifactId>opensaml-saml-impl</artifactId>
  <version>3.2.0</version>
</dependency>
The modular structure of the dependencies is a big difference from version 2 of OpenSAML.
Upvotes: 2
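Once the implementation module is on the classpath, the `Signature` object is returned and the question's flow can be carried through to the end: parse, unmarshal, run the profile validator, and then actually verify the signature against a certificate you trust. The following is an added example (not code from the question, the answer, or the OpenSAML project) of that full sequence with the OpenSAML 3 API. It replaces the bare `DocumentBuilderFactory` from the question with OpenSAML's `BasicParserPool`, which is namespace-aware and rejects DOCTYPE declarations by default, and it fails with a clear message when the unmarshaller is missing or the assertion carries no signature instead of a `ConstraintViolationException`. The file names `saml_response_azure.xml` and `idp-signing.cer` are assumptions; the certificate file stands in for the IdP signing certificate obtained from federation metadata.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

public class SamlResponseCheck {

    /** Parses with OpenSAML's BasicParserPool (namespace-aware, DOCTYPE disallowed by default) and unmarshals the root. */
    static Response parseResponse(InputStream in) throws Exception {
        BasicParserPool parserPool = new BasicParserPool();
        parserPool.initialize();
        Document document = parserPool.parse(in);
        Element root = document.getDocumentElement();
        Unmarshaller unmarshaller = XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(root);
        if (unmarshaller == null) {
            // Typical cause: opensaml-saml-impl (and opensaml-xmlsec-impl) missing from the classpath
            throw new IllegalStateException("No unmarshaller registered for " + root.getTagName());
        }
        XMLObject xmlObject = unmarshaller.unmarshall(root);
        if (!(xmlObject instanceof Response)) {
            throw new IllegalStateException("Document root is not a samlp:Response: " + root.getTagName());
        }
        return (Response) xmlObject;
    }

    /** Loads the trusted IdP signing certificate from a local PEM or DER file (assumed path) as a Credential. */
    static Credential loadIdpCredential(String certPath) throws Exception {
        try (InputStream in = new FileInputStream(certPath)) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            return new BasicX509Credential(cert);
        }
    }

    /** Profile check (reference points at the signed element, only allowed transforms), then the cryptographic check. */
    static void validateSignature(SignableSAMLObject signed, Credential trusted) throws SignatureException {
        Signature signature = signed.getSignature();
        if (signature == null) {
            throw new SignatureException("Element " + signed.getElementQName() + " carries no ds:Signature");
        }
        new SAMLSignatureProfileValidator().validate(signature);
        // Verifies against the configured credential, never against the KeyInfo embedded in the message
        SignatureValidator.validate(signature, trusted);
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();
        Credential idpCredential = loadIdpCredential("idp-signing.cer");
        Response response;
        try (InputStream in = new FileInputStream("saml_response_azure.xml")) {
            response = parseResponse(in);
        }
        if (response.getAssertions().isEmpty()) {
            throw new IllegalStateException("Response holds no plaintext Assertion (an EncryptedAssertion must be decrypted first)");
        }
        // If the Response element itself is signed, check that too; then require a valid signature on the Assertion we act on
        if (response.getSignature() != null) {
            validateSignature(response, idpCredential);
        }
        Assertion assertion = response.getAssertions().get(0);
        validateSignature(assertion, idpCredential);
        System.out.println("Assertion " + assertion.getID() + " verified against the configured IdP certificate");
    }
}
```

The credential passed to `SignatureValidator.validate` is what makes the check meaningful: the `ds:KeyInfo` inside the response is attacker-controlled input, so the verifying certificate has to come from a trusted configuration source such as the IdP's federation metadata. Signature validity alone is also not sufficient to accept the assertion; issuer, audience, destination, time conditions and the `InResponseTo` binding still have to be checked afterwards.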