Getting error Signature trust establishment failed for metadata entry

  • Getting error Signature trust establishment failed for metadata entry

    I'm trying to integrate with a SAML IdP and I'm using the Spring SAML Extension. I can get the sample to work fine when the IdP is not signing the metadata file.

    when it is signed it fails validation with the following error:

    Signature trust establishment failed for metadata entry
    Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
    at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:311)
    at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.processEntityDescriptor(SignatureValidationFilter.java:176)
    at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.doFilter(SignatureValidationFilter.java:154)
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.filterMetadata(AbstractMetadataProvider.java:482)
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(AbstractReloadingMetadataProvider.java:3

    I'm struggling to work out what the problem is and could do with some pointers as there is not much documentation.

    To give a bit of background:

    - I've generated the SP metadata from the application, then fed this into our Ping Server (application that provides federated SSO) to configure the Service Provider.
    - The admin team have then generated IdP metadata signed for this service provider and I've configured this in the application.

    I can't see how the metadata filter is configured and I'm not sure what's missing.

  • #2
    Did you ever get signed metadata working? I'm implementing this and am having the same problem...

    thanks in advance,
    Mark



    • #3
      Hi,

      By default the SAML Extension tries to verify trust of the signature in metadata with PKIX using all keys found in the configured keystore (bean keyManager, default file security/samlKeystore.jks). So the first thing to do is import the public certificate of the metadata signature (or of its CA + intermediary CAs) into the keystore. This should make the verification pass unless the certificate is e.g. expired.

      You can also disable trust checking of the signature by setting property metadataTrustCheck to false on the ExtendedMetadataDelegate bean which includes your IDP metadata. Also, the signature of the metadata can be manually removed, which will make the system not complain anymore.

      Hope this helps,
      Vladimír Schäfer
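
      A bean definition showing the first option above (signer certificate imported into the keystore, trust checking left on), added here as an example; it is not code from this thread or from the Spring SAML sample. The keystore alias idp-metadata-signer, the file idp-signer.crt and the path /etc/sp/idp-metadata.xml are assumed, and the parserPool bean is the one the sample already defines.

```xml
<!-- Added example, not the project's own configuration. Assumes the metadata signer's
     public certificate was imported into security/samlKeystore.jks first, e.g.:
       keytool -importcert -alias idp-metadata-signer -file idp-signer.crt -keystore samlKeystore.jks
     The IdP metadata file location /etc/sp/idp-metadata.xml is also an assumption. -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
  <constructor-arg>
    <list>
      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
          <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
              <value type="java.io.File">/etc/sp/idp-metadata.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
          </bean>
        </constructor-arg>
        <constructor-arg>
          <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
        </constructor-arg>
        <!-- Keep verifying the metadata signature (the default); false skips the
             check entirely, which is the second option mentioned above. -->
        <property name="metadataTrustCheck" value="true"/>
        <!-- Reject metadata that carries no signature at all, instead of accepting it. -->
        <property name="metadataRequireSignature" value="true"/>
        <!-- Restrict which keystore aliases may vouch for the signature, rather than
             letting every key in samlKeystore.jks establish trust. -->
        <property name="metadataTrustedKeys">
          <set>
            <value>idp-metadata-signer</value>
          </set>
        </property>
      </bean>
    </list>
  </constructor-arg>
</bean>
```

      With this in place a metadata file signed by any key other than the one under idp-metadata-signer still fails with the FilterException shown in the first post, which is the behaviour you want once the correct certificate is imported.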



      • #4
        Thank-you Vladimir! This helped me get past the signed metadata problem.
