I am working on a project that re-uses https://github.com/vdenotaris/spring-boot-security-saml-sample to integrate with Azure AD as IDP.

The integration went pretty smoothly. The only thing I couldn't fix was metadata trust check.

According to https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x/reference/html/chapter-idp-guide.html it's recommended to set metadataTrustCheck to false to skip signature validation.

However, I'd like to ask if it's possible to use metadata trust check with Azure.

To recreate, set the IDP metadata URL to https://login.microsoftonline.com/sample.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml,

set metadataTrustCheck to true for WebSecurityConfig#extendedMetadataProvider,

and import the login.microsoftonline.com SSL cert into samlKeystore.jks.

2018-01-23 09:58:05.450 DEBUG 9924 --- [localhost-startStop-1] o.o.xml.signature.SignatureValidator     : Signature validated with key from supplied credential
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine    : Signature validation using candidate credential was successful
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine    : Successfully verified signature using KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine    : Attempting to establish trust of KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.x.s.x.BasicX509CredentialNameEvaluator : Supplied trusted names are null or empty, skipping name evaluation
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver     : Attempting PKIX path validation on untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
2018-01-23 09:58:05.458 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver     : Building certificate path using default security provider
2018-01-23 09:58:05.466 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver     : PKIX path construction failed for untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[na:1.8.0_161]
    at java.security.cert.CertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
    at org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator.validate(CertPathPKIXTrustEvaluator.java:85) ~[spring-security-saml2-core-1.0.3.RELEASE.jar!/:1.0.3.RELEASE]

The issue doesn't happen with ssocircle metadata https://idp.ssocircle.com/idp-meta.xml

1 Answer

The certificate used to sign your metadata seems different from the one at login.microsoftonline.com which you imported.

See Signature trust establishment failed for SAML metadata entry
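The log in the question shows the signature itself verifying fine and only the PKIX step failing, which is what happens when the certificate that signed the document (the one carried in the metadata's own ds:Signature/ds:KeyInfo, here with subject CN=accounts.accesscontrol.windows.net) is not in the keystore, while the TLS certificate of login.microsoftonline.com is. The script below is an added example, not code from the question, the answer, or the spring-boot-security-saml-sample project: it pulls the metadata-signing certificate out of a federation metadata document, keeps it apart from the assertion-signing certificates advertised in md:KeyDescriptor, and writes it out as PEM so it can be imported into samlKeystore.jks. The sample metadata, both certificate blobs and the entityID are constructed placeholders (the "DER" is not a real X.509 structure; only its bytes matter for the extraction and fingerprint logic).

```python
import base64
import hashlib
import sys
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for DER-encoded certificates; real
# federation metadata carries real X.509 DER here. They differ on purpose so
# the two certificate roles can be told apart below.
SIGNING_CERT_DER = b"constructed DER: certificate that signs the metadata document"
TOKEN_CERT_DER = b"constructed DER: certificate that signs SAML assertions"


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


# Constructed sample with the layout of a signed EntityDescriptor: the enveloped
# ds:Signature is a direct child of the root, while the md:KeyDescriptor inside
# IDPSSODescriptor advertises the assertion-signing key. The entityID is made up.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <Signature xmlns="{NS['ds']}">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </SignedInfo>
    <SignatureValue>placeholder</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>{_b64(SIGNING_CERT_DER)}</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>{_b64(TOKEN_CERT_DER)}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# The same constructed document with the enveloped signature removed, i.e. what
# an unsigned metadata file looks like to the trust check.
UNSIGNED_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://example.invalid/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>{_b64(TOKEN_CERT_DER)}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

SIGNER_PATH = "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
KEYDESC_PATH = ".//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"


def _der(node) -> bytes:
    # Base64 in metadata is often wrapped across lines; strip all whitespace first.
    return base64.b64decode("".join((node.text or "").split()))


def has_enveloped_signature(metadata_xml: str) -> bool:
    """True if the root element carries a ds:Signature with an X509Certificate."""
    return ET.fromstring(metadata_xml).find(SIGNER_PATH, NS) is not None


def metadata_signing_cert(metadata_xml: str) -> bytes:
    """DER of the certificate that signed the metadata document itself.

    This is the key metadataTrustCheck must chain to; it is not the TLS
    certificate of the host that served the document.
    """
    node = ET.fromstring(metadata_xml).find(SIGNER_PATH, NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("metadata has no enveloped signature with an X509Certificate")
    return _der(node)


def key_descriptor_certs(metadata_xml: str) -> list:
    """DER of the certificates advertised in md:KeyDescriptor (used for
    assertions/responses, not for the metadata document)."""
    root = ET.fromstring(metadata_xml)
    return [_der(n) for n in root.iterfind(KEYDESC_PATH, NS) if (n.text or "").strip()]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form `keytool -list -v` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der: bytes) -> str:
    body = "\n".join(textwrap.wrap(_b64(der), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def in_trust_store(signer: bytes, anchors) -> bool:
    """A self-signed metadata signer can chain to nothing but itself, so the
    keystore must hold that exact certificate; compare fingerprints."""
    want = fingerprint(signer)
    return any(fingerprint(a) == want for a in anchors)


if __name__ == "__main__":
    # Optional argument: path to a downloaded FederationMetadata.xml.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    signer = metadata_signing_cert(xml_text)
    print("metadata signing cert :", fingerprint(signer))
    for der in key_descriptor_certs(xml_text):
        print("KeyDescriptor cert    :", fingerprint(der))
    with open("metadata-signer.pem", "w") as fh:
        fh.write(to_pem(signer))
    print("wrote metadata-signer.pem; import it with:")
    print("  keytool -importcert -alias metadata-signer -file metadata-signer.pem -keystore samlKeystore.jks")
```

Run it against the downloaded FederationMetadata.xml, import the resulting PEM with the keytool command it prints, and metadataTrustCheck can stay true; ExtendedMetadataDelegate#setMetadataTrustedKeys can additionally pin the check to that alias instead of every entry in the keystore. If the IdP ever rotates its metadata-signing certificate, the same import has to be repeated, which is the operational cost of keeping the check on.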