Facing issue while importing SAML SSO IDP metadata in SP (service provider)

1
votes

I am using Spring SAML extension to connect with ping federate IDP server. I exported the ping federate IDP metadata xml and put it our application (and referring same file in securityContext.xml file). Now when I am trying to start my application then spring saml throwing following exception:

Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error filtering metadata from C:\Drive E\workspace\enigma_master\etc\saml\idp.xml
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(AbstractReloadingMetadataProvider.java:399)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNewMetadata(AbstractReloadingMetadataProvider.java:355)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:261)
... 100 more
Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:327)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.processEntityDescriptor(SignatureValidationFilter.java:178)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.doFilter(SignatureValidationFilter.java:156)
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.filterMetadata(AbstractMetadataProvider.java:493)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(AbstractReloadingMetadataProvider.java:395)
... 102 more

I imported the certificate (one that is under tag <ds:X509Certificate>) in my samlkeystore file but still the same issue. I googled the error and as suggested:

  • I tried to remove <ds:Signature> tag from idp xml file.
  • Disabling signature verification by setting property metadataTrustCheck to false in the ExtendedMetadataDelegate bean

above approaches working for me. But I don't want to modify/remove tag from IDP xml file, it should work as it is. Please let me know what wrong I am doing? Also I want to know what is the use of <ds:Signature> tag in metadata xml and why its not working even after importing certificate in samlKeystore file. And what is the meaning of each child tags like <ds:SignedInfo>,<ds:CanonicalizationMethod>, <ds:SignatureMethod>, <ds:Reference>, <ds:Transform>, <ds:DigestMethod>, <ds:DigestValue>, <ds:SignatureValue>.

Sample IDP metadata xml file 

<md:EntityDescriptor ID="jsR9U9qdN-Tjy-hyM5k.nrQmQxF" cacheDuration="PT1440M" entityID="adeptia" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#jsR9U9qdN-Tjy-hyM5k.nrQmQxF">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>slepuncWspzM7KpqKkvsk0SVL8k5yse7FmATDYZhgqE=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>oSkTcfU4DUYPXwtgnN8bjAOnkqgFCojef087d0F4ra1nsrWBOQVC1xesSambwAdOiCtnnhxQqp4b2LeUSazdb0bI5A0U65Wc2MeoyfC/5nAfiso3DCNBaz4vRrlkvzm7MlHyvDzTO0T/+lSVhfIVWbEZ58iXjUdyPgbCBSlY6+GLOW3UfdYV73ewNEyWuaAjJrC4qNgTrTZwBiVD2WNM4qWgRkBxzJz+cgZLbvu/5XRfnNgeYT6OEAR2322okH01GtuuPYB7jgwM2TXJhH6eVR6FapCtJ5aUwUywCdg3YyvzzEqHWW8fDnTLNEbZbokpqbtTwvncMaOb1hhVfZr1pQ==</ds:SignatureValue>
</ds:Signature><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDNDCCAhygAwIBAgIGAVgFivO1MA0GCSqGSIb3DQEBCwUAMFsxCzAJBgNVBAYTAklOMQswCQYDVQQIEwJVUDEOMAwGA1UEBxMFTm9pZGExDTALBgNVBAoTBFBpbmcxDTALBgNVBAsTBFBpbmcxETAPBgNVBAMTCFBpbmdDZXJ0MB4XDTE2MTAyNzA5NDkwMloXDTE3MTAyNzA5NDkwMlowWzELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAlVQMQ4wDAYDVQQHEwVOb2lkYTENMAsGA1UEChMEUGluZzENMAsGA1UECxMEUGluZzERMA8GA1UEAxMIUGluZ0NlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDW1OC4pSwb11rUhA8JoZtkqXebWWaw9lZgXQmqFlIpMSbmeTNayQ+cAAtO+4QNLbtmZta1wEs+XJ4ho3Yy7EoaE+ebmiGnwBtqzq9ZHYqqT9RJ8kOaqZpYo/uXAtVPHE4/kH8xLY+lToF+EL4QG1gbi3CO/yTWMPnkGZOJDpcFvTRFWXCmLqgxvjrpt82bG58CUHiwx26vJO7q8OiMqiVIzzzrVqTR0XmyKtiV+5AfK5Qdl7Z9o8zMKl8O4+d/lWfhV21bcU/aj4Wcr3Os3SQm37OP9T4qhSFOWhGe+JOmW+dDUAFg/EeU0yOUF7/xaOk3D2No+SsrJiPogdVCGO2lAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAICZDjz9Hfccvqdo7LopyG+0bKor+Ybh60bzcTPblXSv5v7Zy4JRfQF/k0CbmV7bBTvZ+kgDWXZP4YakfIWivSEDnT+xnVkF+sRlOtLmwmJ3UDRVqRhR8V3aq7YkH4ltzG7B3oS05wpTrYHnb4xgOHx+isX4YzHVP+gHblU36Fo32vhLNoVi1G+7nlZY3iuug6Y9NU7HnppS8vMcRJn8dOvEykmPu/jiq72gcZIhnaszXIx7mJAy9qsg1iNuwSwjVhCRuP+o7xyUpaamlMxRRP2h3LpWGveXcidBe40uI6uFxE+ggE09F29GRCb7X9pPub+C+cnxg/rIKmrqxe/j1wU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService index="0" Location="https://localhost:9031/idp/ARS.ssaml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" isDefault="true"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9031/idp/SSO.saml2"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9031/idp/SSO.saml2"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:9031/idp/SSO.saml2"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:9031/idp/SSO.saml2"/><saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/></md:IDPSSODescriptor><md:ContactPerson contactType="administrative"/></md:EntityDescriptor>
2
javaspring-saml
I'm too facing this issue.. Have you solved this problem?Manoj

2 Answers

0
votes

Often this problem is caused by missing installation of Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8

Also double check that the certificate is really correctly imported to the samlKeystore.jks

0
votes

I'm posting this just in case if it may be helpful.

I too had this problem, I have added IDP's metadata file and imported their certificate into my app keystore. But still had Signature trust verification problem. I did format the metadata.xml from IDP in Intellij, that did some screw up. Once I imported their metadata file as it without formatting, everything went ok.