
I am using the spring-boot-security-saml-sample and attempting to hook it up to an application that uses the vmware identity appliance for SSO.

I can run the vanilla sample application just fine but when I change the IDP Metadata to point at the vmware identity server I am running into some issues.

My app uses a local keystore which contains a private key and I have imported the certs from the IDP metadata into it manually. When the application redirects I am seeing an error on the vmware identity server side:

    java.lang.NullPointerException
    com.vmware.identity.samlservice.impl.SamlServiceImpl.verifySignature(SamlServiceImpl.java:124)
    com.vmware.identity.samlservice.AuthnRequestState.parseRequestForTenant(AuthnRequestState.java:341)
    com.vmware.identity.BaseSsoController.processSsoRequest(BaseSsoController.java:63)
    com.vmware.identity.SsoController.sso(SsoController.java:68)
    sun.reflect.GeneratedMethodAccessor113.invoke(Unknown Source)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:606)
    org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215)
    org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
    org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
    org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:749)
    org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:689)
    org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:83)
    org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:938)
    org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:870)
    org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:961)
    org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:852)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:837)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:722)

My assumption is that I am doing something wrong in that the identity server is erroring out when trying to verifySignature(). I do not see any errors in my app.

Here is my idp metadata:

    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:vmes="http://vmware.com/schemas/attr-names/2012/04/Extensions" entityID="https://hostname:7444/websso/SAML2/Metadata/vsphere.local">
        <Extensions>
            <vmes:ExportedOn>2015-02-26T02:52:39Z</vmes:ExportedOn>
            <vmes:ExportedBy>Exported by VMware Identity Server (c) 2012</vmes:ExportedBy>
        </Extensions>
        <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing">
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>...</ds:X509Certificate>
                        <ds:X509Certificate>...</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SAML2/SLO/vsphere.local"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hostname:7444/websso/SAML2/SLO/vsphere.local"/>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
            <NameIDFormat>http://schemas.xmlsoap.org/claims/UPN</NameIDFormat>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SAML2/SSO/vsphere.local"/>
            <saml:Attribute FriendlyName="Groups" Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
            <saml:Attribute FriendlyName="givenName" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
            <saml:Attribute FriendlyName="surname" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
            <saml:Attribute FriendlyName="Subject Type" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
            <saml:Attribute FriendlyName="userPrincipalName" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
            <saml:Attribute FriendlyName="email" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
        </IDPSSODescriptor>
        <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing">
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>...</ds:X509Certificate>
                        <ds:X509Certificate>...</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SsoClient/SLO/vsphere.local"/>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
            <NameIDFormat>http://schemas.xmlsoap.org/claims/UPN</NameIDFormat>
            <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hostname:7444/websso/SsoClient/SSO/vsphere.local" index="0"/>
        </SPSSODescriptor>
    </EntityDescriptor>

The only modifications I've made to the sample are to change the metadata provider, point the keystore to a local file, import the two certs from the metadata file into the keystore, point the extendedMetadata to reference the alias of one of the certs, and use the private key as the signingKey.

Any ideas what could be going wrong?

Can you please also attach the SAML Request message sent from Spring SAML? Perhaps there's something irregular in it. But it is clearly an issue in VMWare - it should never fail with a nullpointer and your best chance of troubleshooting this is by contacting VMWare's technical support. - Vladimír Schäfer

1 Answer


I changed the private key in my keystore to be an RSA key with sigalg SHA1WithRSA and that seems to have solved this issue. Not sure if the vmware identity server restricts the sigalg or not but either way it looks to be a bug on their end. Just for sake of completeness I created my private key with this command:

    keytool -genkey -alias server -keyalg RSA -sigalg SHA1WithRSA -keysize 2048 -keystore mykeystore -dname "CN=www.mycompany.com,OU=it, O=mycompany, L=city, ST=state, C=US" -storepass keystorepass
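A check worth running after applying this fix, added here as example code (not from the answer, the sample project or Spring SAML): load the keystore and confirm that the alias really holds an RSA private key whose certificate is signed with SHA1withRSA, so a key of the wrong type or sigalg is caught before the IDP sees it. It assumes the keystore file, alias and password from the keytool command above, and that the key password equals the store password (keytool's default when you press RETURN at the prompt).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;

/** Reports the key algorithm, key size and certificate sigalg behind one keystore alias. */
public class KeystoreKeyCheck {
    public static final class Report {
        public final String keyAlgorithm;  // "RSA", "DSA", "EC"
        public final int keySizeBits;      // RSA modulus length, -1 for other key types
        public final String sigAlgName;    // e.g. "SHA1withRSA", "SHA256withRSA"
        Report(String keyAlgorithm, int keySizeBits, String sigAlgName) {
            this.keyAlgorithm = keyAlgorithm;
            this.keySizeBits = keySizeBits;
            this.sigAlgName = sigAlgName;
        }
        public boolean matches(String expectedKeyAlg, String expectedSigAlg) {
            return keyAlgorithm.equalsIgnoreCase(expectedKeyAlg)
                    && sigAlgName.equalsIgnoreCase(expectedSigAlg);
        }
    }

    public static Report inspect(String path, char[] storePass, String alias, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // on JDK 9+ this type also reads PKCS12 files
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException("alias '" + alias + "' is not a private-key entry");
        }
        Key key = ks.getKey(alias, keyPass);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias); // self-signed by keytool
        int bits = (key instanceof RSAKey) ? ((RSAKey) key).getModulus().bitLength() : -1;
        return new Report(key.getAlgorithm(), bits, cert.getSigAlgName());
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the values from the keytool command; key password assumed = store password.
        String path = args.length > 0 ? args[0] : "mykeystore";
        String alias = args.length > 1 ? args[1] : "server";
        char[] pass = (args.length > 2 ? args[2] : "keystorepass").toCharArray();
        Report r = inspect(path, pass, alias, pass);
        System.out.printf("alias=%s key=%s/%d sigalg=%s%n", alias, r.keyAlgorithm, r.keySizeBits, r.sigAlgName);
        System.out.println(r.matches("RSA", "SHA1withRSA") ? "OK: matches the answer's working setup"
                : "MISMATCH: regenerate the alias with -keyalg RSA -sigalg SHA1WithRSA");
    }
}
```

Run it with `java KeystoreKeyCheck [keystore] [alias] [password]`; a DSA key (keytool's historical default without `-keyalg`) shows up as `key=DSA/-1 sigalg=SHA1withDSA` and is reported as a mismatch.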