Spring SAML Security - Failed to verify signature

I am using the Spring SAML 2.0 web application sample to secure a web application with SAML 2.0 on Tomcat 7, and modified it to try to authenticate against the Ping Identity service. The webapp talks to this service, which sends a statement back, but verifying the signature does not work, as shown below:

 Attempting to verify signature and establish trust using KeyInfo-derived credentials
 Signature contained no KeyInfo element, could not resolve verification credentials
 Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
 Attempting to verify signature using trusted credentials
 Failed to verify signature using either KeyInfo-derived or directly trusted credentials
 Validation of received assertion failed, assertion will be skipped
 org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid

I understand that it was unable to verify the signature. The Ping Identity administrators gave me a certificate, but I'm not sure how to include it in the application. I tried adding it to the JKS (keystore) that comes with the sample application using the JDK keytool program, but it still can't seem to find it there. I also tried adding it to the service provider's metadata XML file as follows:

 <md:KeyDescriptor use="signing">
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509Data>
       <ds:X509Certificate>
         [Certificate is here...]
       </ds:X509Certificate>
     </ds:X509Data>
   </ds:KeyInfo>
 </md:KeyDescriptor>

However, it still returns the same error.

Is there a specific place where I have to put the certificate in order to verify the signature? I'm relatively new to SAML security and applications in general, so I apologize if I use the wrong terminology.

+7
1 answer

It finally worked. It turns out that I had missed a configuration line in the security context file, and that (it looks like) the service provider metadata XML file does not require an X509 definition.

Basically, I had already imported the public key that was provided to me into the existing JKS (using keytool), but I had not told the application to use it specifically. To do this, I had to go to the security context file (in my case "securityContext.xml") and add the following line to the ExtendedMetadata bean definition for the SP metadata XML file:

 <property name="signingKey" value="[alias of the provided key in the JKS goes here]"/> 

Therefore, after this modification, the definition of the ExtendedMetadataDelegate bean was as follows:

 <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
   <constructor-arg>
     <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
       <constructor-arg>
         <value type="java.io.File">classpath:security/[Path to SP metadata xml file].xml</value>
       </constructor-arg>
       <property name="parserPool" ref="parserPool" />
     </bean>
   </constructor-arg>
   <constructor-arg>
     <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
       <property name="alias" value="[SP alias goes here]" />
       <property name="signingKey" value="[alias of the provided key in the JKS goes here]"/>
     </bean>
   </constructor-arg>
 </bean>

Hope this helps anyone who might be in a similar situation.

+8
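An added example, not code from the question, the answer or the Spring SAML project: the two checks a practitioner would run before touching Spring configuration, using only JDK APIs. The keystore path, store password, alias and response file path are assumed placeholders. Step 1 confirms that the alias you intend to reference really exists in the JKS and prints the certificate's subject and SHA-256 fingerprint so it can be compared with what Ping Identity supplied; step 2 validates the assertion signature with that certificate's public key alone, ignoring any KeyInfo in the message, which is what "directly trusted credentials" means in the log above. Spring SAML performs the equivalent through OpenSAML's trust engine, not through this code.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlTrustCheck {
    // Hypothetical values: replace with your keystore, its password and the alias
    // under which you imported the IdP certificate with keytool.
    static final String KEYSTORE = "samlKeystore.jks";
    static final char[] STORE_PASS = "changeit".toCharArray();
    static final String IDP_ALIAS = "pingidp";
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Step 1: the alias must exist and hold the IdP's certificate, not one of the SP's own keys. */
    static X509Certificate loadTrustedIdpCert() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, STORE_PASS);
        }
        if (!ks.containsAlias(IDP_ALIAS)) {
            throw new IllegalStateException("alias '" + IDP_ALIAS + "' is not in " + KEYSTORE
                    + "; run 'keytool -list -keystore " + KEYSTORE + "' to see what is there");
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(IDP_ALIAS);
        byte[] fp = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : fp) hex.append(String.format("%02x", b));
        System.out.println("subject : " + cert.getSubjectX500Principal());
        System.out.println("sha256  : " + hex + "  (compare with the certificate the IdP gave you)");
        cert.checkValidity(); // throws if the IdP certificate is expired or not yet valid
        return cert;
    }

    /** Step 2: validate the assertion signature with the trusted key only; KeyInfo is never consulted. */
    static boolean verifyAssertion(String responsePath, PublicKey trustedKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc;
        try (InputStream in = new FileInputStream(responsePath)) {
            doc = dbf.newDocumentBuilder().parse(in);
        }
        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        if (assertions.getLength() != 1) throw new IllegalStateException("expected exactly one Assertion");
        Element assertion = (Element) assertions.item(0);
        assertion.setIdAttribute("ID", true); // lets a Reference URI="#<ID>" resolve to this element
        NodeList sigs = assertion.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() != 1) throw new IllegalStateException("assertion is not signed exactly once");

        // singletonKeySelector supplies the trusted key regardless of what KeyInfo says (or if it is absent).
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(trustedKey), sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);

        // Anti-wrapping check: the one reference must point at this assertion, not at some other element.
        List<?> refs = sig.getSignedInfo().getReferences();
        String expected = "#" + assertion.getAttribute("ID");
        if (refs.size() != 1 || !expected.equals(((Reference) refs.get(0)).getURI())) {
            throw new IllegalStateException("signature reference does not cover the assertion");
        }
        return sig.validate(ctx); // checks both the reference digest and the signature value
    }

    public static void main(String[] args) throws Exception {
        X509Certificate idp = loadTrustedIdpCert();
        System.out.println("signature valid: " + verifyAssertion(args[0], idp.getPublicKey()));
    }
}
```

Run it with `java SamlTrustCheck response.xml` against a saved, decoded SAMLResponse. If step 1 throws, the alias is wrong, which is the symptom in the question; if step 1 passes and step 2 returns false, the IdP is signing with a different certificate than the one in the keystore. The reference check matters because an XML signature that validates is worthless if it covers a different element than the assertion your application goes on to trust.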
