0
votes

I downloaded the Spring SAML sample app and it's working fine in my local Tomcat (against SSOCircle). Then I added a new SP to point to ADFS in our company. I was having several issues and solved them one by one. Now I am able to send the request and get a valid SAML response and assertion token as well. However, I get the following error message:

I did follow some old threads (thanks to Vladimír Schäfer) and imported the public key to samlKeystore.jks and am still getting the same error. Any help is appreciated.

ERROR DETAILS:

  • Canonicalized SignedInfo:
  • QCZQsG03PFbYdFMyX2UaO2rXSXA=
  • verify 1 References
  • I am not requested to follow nested Manifests
  • setElement("ds:Reference", "")
  • setElement("ds:Transforms", "")
  • Request for URI .w3.org/2000/09/xmldsig#sha1
  • I was asked to create a ResourceResolver and got 0
  • check resolvability by class org.apache.xml.security.utils.resolver.ResourceResolver
  • State I can resolve reference: "#_28691d8f-b0ab-4c19-ad32-4c60fada6e90"
  • Try to catch an Element with ID _28691d8f-b0ab-4c19-ad32-4c60fada6e90 and Element was [Assertion: null]
  • setElement("ds:Transform", "")
  • Perform the (0)th .w3.org/2000/09/xmldsig#enveloped-signature transform
  • setElement("ds:Transform", "")
  • Pre-digested input:
  • http://adfs.mycompany.com/adfs/services/trustrobertRYYGWLoginrobertRurn:federation:authentication:windows
  • Verification successful for URI "#_28691d8f-b0ab-4c19-ad32-4c60fada6e90"
  • The Reference has Type
  • Signature validated with key from supplied credential
  • Signature validation using candidate credential was successful
  • Successfully verified signature using KeyInfo-derived credential
  • Attempting to establish trust of KeyInfo-derived credential
  • Failed to validate untrusted credential against trusted key
  • Failed to validate untrusted credential against trusted key
  • Failed to validate untrusted credential against trusted key
  • Failed to establish trust of KeyInfo-derived credential
  • Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
  • Attempting to verify signature using trusted credentials
  • Attempting to validate signature using key from supplied credential
  • Creating XMLSignature object
  • Validating signature with signature algorithm URI: .w3.org/2000/09/xmldsig#rsa-sha1
  • Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
  • signatureMethodURI = .w3.org/2000/09/xmldsig#rsa-sha1
  • jceSigAlgorithm = SHA1withRSA
  • jceSigProvider = SunRsaSign
  • PublicKey = Sun RSA public key, 2048 bits modulus: 23431177975394 public exponent: 65537
  • Canonicalized SignedInfo:
  • QCZQsG03PFbYdFMyX2UaO2rXSXA=
  • Signature verification failed.
  • Signature did not validate against the credential's key
  • Signature validation using candidate validation credential failed org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79) at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:142) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:110) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49) at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:267) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionSignature(WebSSOProfileConsumerImpl.java:419) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:292) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214) at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at 
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318) at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:724)
  • Attempting to validate signature using key from supplied credential
  • Creating XMLSignature object
  • Validating signature with signature algorithm URI: .w3.org/2000/09/xmldsig#rsa-sha1
  • Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
  • signatureMethodURI = .w3.org/2000/09/xmldsig#rsa-sha1
  • jceSigAlgorithm = SHA1withRSA
  • jceSigProvider = SunRsaSign
  • PublicKey = Sun RSA public key, 2048 bits modulus: 2179836566179054962 public exponent: 65537
  • Canonicalized SignedInfo:
  • QCZQsG03PFbYdFMyX2UaO2rXSXA=
  • Signature verification failed.
  • Signature did not validate against the credential's key
  • Signature validation using candidate validation credential failed org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79) at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:142) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:110) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)
1

1 Answers

0
votes

The following might help you: please verify your idp.xml has the same public key as your IDP/IDP Realm. Make sure the IDP and the application are in the same time zone/time.
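One way to perform both checks the answer suggests, as an added example that is not part of the original thread and not Spring SAML's own code: a stdlib-only Python script that pulls the `ds:X509Certificate` out of the signatures in the Response (the key OpenSAML calls "KeyInfo-derived", which in the log above verified the signature but could not be trusted) and compares its fingerprint against the `use="signing"` KeyDescriptor entries in idp.xml, then checks the assertion's `Conditions` window against the SP clock with a tolerated skew. The metadata, the Response XML, the times and the function names are my own constructions; the base64 "certificates" are placeholder bytes, not real X.509 DER, which is enough because the comparison only needs identical bytes on both sides.

```python
"""Diagnostics for the two failure modes in the answer: the signing cert in the
SAML Response does not match idp.xml, or the SP clock is outside the assertion
window.  Stdlib only; every XML document below is constructed sample input."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def _fingerprint(b64_cert: str) -> str:
    """SHA-256 of the DER bytes inside a ds:X509Certificate element; the
    whitespace/line breaks that metadata and responses carry are ignored."""
    der = base64.b64decode(re.sub(r"\s+", "", b64_cert))
    return hashlib.sha256(der).hexdigest()


def metadata_signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every IdP KeyDescriptor allowed to sign: use="signing",
    or no use attribute at all (which the metadata spec treats as both)."""
    root = ET.fromstring(metadata_xml)
    out = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            out.add(_fingerprint(cert.text or ""))
    return out


def response_signing_fingerprints(response_xml: str) -> set:
    """Fingerprints of the certificates carried in ds:KeyInfo of the Response
    and Assertion signatures, i.e. what the IdP actually signed with."""
    root = ET.fromstring(response_xml)
    out = set()
    for sig in root.iterfind(".//ds:Signature", NS):
        for cert in sig.iterfind(".//ds:X509Certificate", NS):
            out.add(_fingerprint(cert.text or ""))
    return out


def trusted(metadata_xml: str, response_xml: str) -> bool:
    """True when at least one certificate used in the Response is listed as a
    signing certificate in the metadata (the explicit-key trust check)."""
    return bool(metadata_signing_fingerprints(metadata_xml)
                & response_signing_fingerprints(response_xml))


def _parse_saml_time(value: str) -> datetime:
    # ADFS may emit fractional seconds; drop them, the window is whole seconds.
    value = re.sub(r"\.\d+Z$", "Z", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions_ok(response_xml: str, now: datetime, skew_seconds: int = 60) -> bool:
    """Check saml:Conditions NotBefore/NotOnOrAfter against `now`, allowing
    `skew_seconds` of clock drift between IdP and SP in either direction."""
    cond = ET.fromstring(response_xml).find(".//saml:Conditions", NS)
    if cond is None:
        return True
    skew = timedelta(seconds=skew_seconds)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_saml_time(not_before):
        return False
    if not_on_or_after and now - skew >= _parse_saml_time(not_on_or_after):
        return False
    return True


# Constructed placeholder "certificates": not real X.509 DER, just bytes.
ADFS_CERT_B64 = base64.b64encode(b"constructed ADFS token-signing cert DER").decode()
STALE_CERT_B64 = base64.b64encode(b"constructed stale cert from an old idp.xml").decode()


def idp_metadata(cert_b64: str) -> str:
    """Constructed minimal idp.xml for the entityID seen in the question's log."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.mycompany.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {cert_b64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed Response: signed assertion carrying the ADFS cert in KeyInfo.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion ID="_constructed-assertion-id">
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ADFS_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Conditions NotBefore="2013-10-01T12:00:00.000Z"
                     NotOnOrAfter="2013-10-01T13:00:00.000Z"/>
  </saml:Assertion>
</samlp:Response>"""

NOW_INSIDE = datetime(2013, 10, 1, 12, 30, tzinfo=timezone.utc)   # within window
NOW_LATE = datetime(2013, 10, 1, 13, 5, tzinfo=timezone.utc)      # SP clock 5 min ahead

if __name__ == "__main__":
    print("fresh idp.xml trusted:", trusted(idp_metadata(ADFS_CERT_B64), SAMPLE_RESPONSE))
    print("stale idp.xml trusted:", trusted(idp_metadata(STALE_CERT_B64), SAMPLE_RESPONSE))
    print("clock inside window:", conditions_ok(SAMPLE_RESPONSE, NOW_INSIDE))
    print("clock 5 min late:", conditions_ok(SAMPLE_RESPONSE, NOW_LATE))
```

Run it against the real idp.xml and a Response captured from the browser (base64-decoded `SAMLResponse` form field) by swapping in those documents; a `False` from `trusted` reproduces the "Failed to establish trust of KeyInfo-derived credential" path above and points at a stale metadata certificate, while a `False` from `conditions_ok` is the clock problem the answer mentions.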