I am trying to use the Spring SAML sample application to connect to a Shibboleth IdP, but ran into a signature verification problem that I could not solve.
When the sample application receives a response from the IdP, an exception is thrown with the following:
    Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
        at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
        at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
        at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
        at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
        at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
        at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80)
with a log containing
    - Creating XMLSignature object
    - Validating signature with signature algorithm URI: http:
So it looks like the signature is being verified, but the key is not trusted. I can't understand how to "establish" trust.
I set up the sample application as follows.
I copied the IdP metadata into the sample application and loaded it by adding it to securityContext.xml:
    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                        <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                            <constructor-arg>
                                <bean class="java.util.Timer"/>
                            </constructor-arg>
                            <constructor-arg>
                                <bean class="org.opensaml.util.resource.ClasspathResource">
                                    <constructor-arg value="/metadata/twoss-metadata.xml"/>
                                </bean>
                            </constructor-arg>
                            <property name="parserPool" ref="parserPool"/>
                        </bean>
                    </constructor-arg>
                    <constructor-arg>
                        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                            <property name="signingKey" value="shib-signing"/>
                            <property name="trustedKeys" value="shib-signing"/>
                        </bean>
                    </constructor-arg>
                    <property name="metadataTrustCheck" value="false"/>
                </bean>
            </list>
        </constructor-arg>
    </bean>
I configured the SP metadata this way:
    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="entityId" value="urn:test:dan:vancouver"/>
                <property name="extendedMetadata">
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="signMetadata" value="false"/>
                        <property name="idpDiscoveryEnabled" value="true"/>
                    </bean>
                </property>
            </bean>
        </constructor-arg>
    </bean>
And finally, I added the signing certificate generated during the Shibboleth installation to the sample application's keystore:
    keytool -importcert -alias shib-signing -file idp-signing.crt -keystore samlKeystore.jks
So the question is, what do I need to do to establish trust?
Please note that the sample application and Shibboleth are in a development environment and do not use CA-issued certificates for signing or encryption.
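One check worth running before changing any Spring SAML configuration is whether the certificate you imported under the `shib-signing` alias is actually the one the IdP advertises for signing in its metadata (the `<md:KeyDescriptor use="signing">` element): if the two differ, the SP validates the response signature against a key that is not the one the IdP signed with. The script below is an added example written for this question, not code from the question or from the Spring SAML project. It parses IdP metadata, computes SHA-256 fingerprints of the `<ds:X509Certificate>` blobs in the same colon-separated form `keytool -list -v` prints, and compares them against the fingerprint of the keystore entry. The embedded metadata and its certificate blobs are constructed placeholders (not real certificates) so the script runs offline; the entity ID and file names are assumptions.

```python
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "DER" blobs. These are NOT real certificates; they only
# give the sample metadata below something to base64-encode so the script runs offline.
SAMPLE_SIGNING_DER = b"constructed-signing-cert-bytes"
SAMPLE_ENCRYPTION_DER = b"constructed-encryption-cert-bytes"

# Constructed IdP metadata with one signing and one encryption KeyDescriptor.
# The entity ID is an assumption, not taken from the question.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(SAMPLE_SIGNING_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(SAMPLE_ENCRYPTION_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, upper-case hex pairs joined by ':' (keytool -list -v style)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every certificate the IdP metadata offers for signature verification.

    A KeyDescriptor with no 'use' attribute is valid for both signing and encryption,
    so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata wraps the base64 across lines; strip all whitespace before decoding.
            der = base64.b64decode("".join((cert.text or "").split()))
            found.append(fingerprint(der))
    return found


def keystore_cert_is_advertised(metadata_xml: str, keystore_fingerprint: str) -> bool:
    """True if the keystore certificate's fingerprint appears among the IdP's signing certs."""
    return keystore_fingerprint.strip().upper() in signing_fingerprints(metadata_xml)


if __name__ == "__main__":
    # Usage: python check_idp_signing_cert.py idp-metadata.xml <SHA256 fingerprint from keytool>
    # With no arguments it runs against the constructed sample data above.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            metadata, keystore_fp = fh.read(), sys.argv[2]
    else:
        metadata, keystore_fp = SAMPLE_METADATA, fingerprint(SAMPLE_SIGNING_DER)
    print("IdP signing certificate fingerprints from metadata:")
    for fp in signing_fingerprints(metadata):
        print("  ", fp)
    print("Keystore certificate:", keystore_fp)
    print("MATCH" if keystore_cert_is_advertised(metadata, keystore_fp) else "NO MATCH")
```

To run it against real files, take the SHA256 fingerprint that `keytool -list -v -keystore samlKeystore.jks -alias shib-signing` prints and pass it as the second argument. A "NO MATCH" result means the IdP metadata loaded by the SP does not advertise the certificate in the keystore, which is the first thing to reconcile before looking at the Spring SAML trust settings.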