
  • Getting error Signature trust establishment failed for metadata entry

    I'm trying to integrate with a SAML IdP and I'm using the Spring SAML extension. I can get the sample to work fine when the IdP is not signing the metadata file.

    When it is signed, it fails validation with the following error:

    Signature trust establishment failed for metadata entry
    Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
    at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFi
    at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.processEntityDescriptor(SignatureVali
    at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.doFilter(SignatureValidationFilter.java:154)
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.filterMetadata(AbstractMetadataProvide
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(Abs

    I'm struggling to work out what the problem is and could do with some pointers as there is not much documentation.

    To give a bit of background:

    - I've generated the SP metadata from the application, then fed this into our Ping Server (the application that provides federated SSO) to configure the Service Provider.
    - The admin team has then generated IdP metadata signed for this service provider, and I've configured this in the application.

    I can't see how the metadata filter is configured, and I'm not sure what's missing.

  • #2
    Did you ever get signed metadata working? I'm implementing this and am having the same problem...

    thanks in advance,


    • #3

      By default the SAML Extension tries to verify trust of the signature in metadata with PKIX using all keys found in the configured keystore (bean keyManager, default file security/samlKeystore.jks). So the first thing to do is import the public certificate of the metadata signature (or of its CA + intermediate CAs) into the keystore. This should make the verification pass unless the certificate is, e.g., expired.

      You can also disable trust checking of the signature by setting property metadataTrustCheck to false on the ExtendedMetadataDelegate bean which includes your IdP metadata. Also, the signature of the metadata can be manually removed, which will make the system not complain anymore.

      Hope this helps,
      Vladimír Schäfer
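An added example, not from this thread or the Spring SAML project itself, of the bean wiring the answer above describes: the IdP's metadata-signing certificate is imported into the keystore that keyManager loads, and the ExtendedMetadataDelegate keeps trust checking on, restricted to that one alias, with the metadataTrustCheck=false workaround shown commented out beside it. Keystore password, key aliases, the metadata file name and the parserPool bean reference are placeholders/assumptions.

```xml
<!-- Added example: Spring SAML Extension securityContext.xml fragment with placeholder values.
     Step 1 (outside Spring): import the IdP's metadata-signing certificate into the keystore
     that keyManager loads, e.g.
       keytool -importcert -alias idp-metadata-signer -file idp-metadata-signer.crt \
               -keystore security/samlKeystore.jks
     Step 2: point keyManager at that keystore and keep signature trust checking enabled. -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>       <!-- default path from the answer -->
    <constructor-arg type="java.lang.String" value="KEYSTORE_PASSWORD"/> <!-- placeholder -->
    <constructor-arg>
        <map>
            <!-- private-key alias -> key password (placeholders); the imported metadata-signing
                 certificate has no private key and therefore is not listed here -->
            <entry key="sp-signing" value="KEY_PASSWORD"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="sp-signing"/>        <!-- default signing key alias -->
</bean>

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <!-- the signed IdP metadata file produced by the Ping admin team, stored locally -->
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:security/idp-metadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/> <!-- assumed parser pool bean -->
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
                </constructor-arg>
                <!-- Hardened: verify the metadata signature via PKIX and trust only the alias
                     imported in step 1 instead of every key in the keystore. -->
                <property name="metadataTrustCheck" value="true"/>
                <property name="metadataRequireSignature" value="true"/>
                <property name="metadataTrustedKeys">
                    <set>
                        <value>idp-metadata-signer</value>
                    </set>
                </property>
                <!-- Workaround named in the answer: disables trust verification of the metadata
                     signature entirely, so a tampered metadata file would be accepted.
                <property name="metadataTrustCheck" value="false"/>
                -->
            </bean>
        </list>
    </constructor-arg>
</bean>
```

If PKIX building still fails after the import, check that the imported certificate chain is complete and unexpired, since the answer notes an expired certificate produces the same error.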


      • #4
        Thank-you Vladimir! This helped me get past the signed metadata problem.