org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

0
votes

I am getting the below exception while I am trying to run my server after configuring my IDP in securityContext.xml.

Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

I saw there is a workaround in http://forum.spring.io/forum/spring-projects/security/saml/108450-getting-error-signature-trust-establishment-failed-for-metadata-entry link where it says, by setting property metadataTrustCheck to false on the ExtendedMetadataDelegate bean which includes your IDP metadata.

But I don't want to update the saml2 core api, instead, is possible to set metadataTrustCheck in the securityContext.xml. If so, how to set it up. I tried as given below. But still getting the same error.

<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:metadata/services/MyMetadata.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
<property name="metadataTrustCheck" value="false"/>
</bean>

My MetadataManager is defined as follows:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/services/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                <!-- URL containing the metadata -->
                <constructor-arg>
                    <value type="java.lang.String">https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml</value>
                </constructor-arg>
                <!-- Timeout for metadata loading in ms -->
                <constructor-arg>
                    <value type="int">5000</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/capital/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                <!-- URL containing the metadata -->
                <constructor-arg>
                    <value type="java.lang.String">https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml</value>
                </constructor-arg>
                <!-- Timeout for metadata loading in ms -->
                <constructor-arg>
                    <value type="int">5000</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </list>
    </constructor-arg>
</bean>

Please help on this. Thanks.

2
spring-securityadfs2.0spring-saml
Can you post your complete CachingMetadataManager bean?Vladimír Schäfer
Hey Vladimir, Nice to hear from you. I am using, spring-security-saml2-core:1.0.1.BUILD-SNAPSHOT.jar. I have not changed any of the exiting core API code.Kannan
Initially I used your saml2-core source and modified the metadataTrustCheck to false in the ExtendedMetadataDelegate.java file and built the jar file. It worked well. Now I am trying to use the SNAPSHOT where the above mentioned change wont be there. Instead I can override the metadataTrustCheck value in securityContext.xml by using <property name="metadataTrustCheck" value="false"/>. correct me if I am wrong.Kannan
I was asking about the CachingMetadataManaer bean configuration, not sources - I want to see how your Spring configuration looks like. The metadtaTrustCheck should work just fine, I suspect you set it on wrong metadata provider. Setting metadataTrustCheck to false is the correct approach.Vladimír Schäfer
In this comment line, i am not able to add the bean. is there any other way to share it.Kannan

2 Answers

2
votes

Only some of your MetadataProviders were wrapped in the ExtendedMetadataDelegate. You must set the metadataTrustCheck flag to false on each MetadataProvider which should be skipping the trust check, not just on some of them. Define the metadata provider as follows and your problem should be gone:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/services/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                        <!-- URL containing the metadata -->
                        <constructor-arg>
                            <value type="java.lang.String">
                                https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml
                            </value>
                        </constructor-arg>
                        <!-- Timeout for metadata loading in ms -->
                        <constructor-arg>
                            <value type="int">5000</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/capital/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                        <!-- URL containing the metadata -->
                        <constructor-arg>
                            <value type="java.lang.String">
                                https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml
                            </value>
                        </constructor-arg>
                        <!-- Timeout for metadata loading in ms -->
                        <constructor-arg>
                            <value type="int">5000</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
        </list>
    </constructor-arg>
</bean>
2
votes

In the Java Config version, I had to manually call the initialize method against the metadataProvider object after I set the trust check flag to false.

@SamlBeanAnnotation
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException, ResourceException {
    List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
    for (String file: getSamlProviders()) {
        ResourceBackedMetadataProvider metadataProvider = new ResourceBackedMetadataProvider(new Timer(),
                new org.opensaml.util.resource.ClasspathResource("/" + file.trim()));
        metadataProvider.setParserPool(parserPool());

        ExtendedMetadataDelegate extendedMetadataDelegate =
            new ExtendedMetadataDelegate(metadataProvider, new ExtendedMetadata());
        extendedMetadataDelegate.setMetadataTrustCheck(false);
        extendedMetadataDelegate.setMetadataRequireSignature(false);
        metadataProvider.initialize();
        providers.add(metadataProvider);
    }

    CachingMetadataManager cachingMetadataManager= new CachingMetadataManager(providers);
    return cachingMetadataManager;
}