  • Error validating SAML message

    We're trying to set up Spring Security with the SAML bit as an SP. We're going against a Novell Access Manager IDP. We think everything is okay on both ends, but when we try to login, the SP (spring security) barfs with this error:

    Authentication request failed - Error validating SAML message

    The catalina.out on the spring side shows (well this is a snippet of it):

    Code:
    - Single certificate was present, treating as end-entity certificate
    - Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
    - A total of 1 credentials were resolved
    - Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
    - Attempting to validate signature using key from supplied credential
    - Creating XMLSignature object
    - Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
    - Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
    - Signature validated with key from supplied credential
    - Signature validation using candidate credential was successful
    - Successfully verified signature using KeyInfo-derived credential
    - Attempting to establish trust of KeyInfo-derived credential
    - Failed to validate untrusted credential against trusted key
    - Successfully validated untrusted credential against trusted key
    - Successfully established trust of KeyInfo-derived credential
    - Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}ArtifactResponse
    - Authentication via protocol message signature succeeded for context issuer entity ID https://nam-idp-test.something.com/nidp/saml2/metadata
    - Successfully decoded message.
    - Checking SAML message intended destination endpoint against receiver endpoint
    - SAML message intended destination endpoint in message was empty, not required by binding, skipping
    - Extracting ID, issuer and issue instant from status response
    - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
    - SAML protocol message was not signed, skipping XML signature processing
    - Successfully decoded message.
    - Checking SAML message intended destination endpoint against receiver endpoint
    - SAML message intended destination endpoint in message was empty, not required by binding, skipping
    - Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
    - AuthNResponse;FAILURE;134.179.227.253
    - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
    - Updated SecurityContextHolder to contain null Authentication
    - Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@7e91259
    - No failure URL set, sending 401 Unauthorized error
    - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
    - SecurityContextHolder now cleared, as request processing completed
    - Executing metadata refresh task
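
    A small triage script for the log above, added here as an example and not code from the Spring Security SAML project or from anyone in this thread. It walks the catalina.out snippet once, records which stages of the SP-side pipeline were reached (signature verification, trust establishment, the destination check, the provider that finally raised), and gives a verdict on where the failure sits. The stage names and the verdict strings are my own; the sample lines are lifted from the post and trimmed to the ones that matter.

```python
import re

# Constructed sample: lines taken from the catalina.out snippet quoted in the post,
# trimmed to the ones the triage needs.
SAMPLE_LOG = """\
- Signature validated with key from supplied credential
- Successfully verified signature using KeyInfo-derived credential
- Attempting to establish trust of KeyInfo-derived credential
- Failed to validate untrusted credential against trusted key
- Successfully validated untrusted credential against trusted key
- Successfully established trust of KeyInfo-derived credential
- Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}ArtifactResponse
- Authentication via protocol message signature succeeded for context issuer entity ID https://nam-idp-test.something.com/nidp/saml2/metadata
- Checking SAML message intended destination endpoint against receiver endpoint
- SAML message intended destination endpoint in message was empty, not required by binding, skipping
- SAML protocol message was not signed, skipping XML signature processing
- Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
- AuthNResponse;FAILURE;134.179.227.253
- Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
"""

# Each stage (names are mine, not OpenSAML's) maps to the log line that proves it was reached.
STAGE_PATTERNS = {
    "signature_verified": re.compile(r"Validation of protocol message signature succeeded, message type: (\S+)"),
    "trust_established": re.compile(r"Successfully established trust of KeyInfo-derived credential"),
    "issuer": re.compile(r"succeeded for context issuer entity ID (\S+)"),
    "destination_skipped": re.compile(r"intended destination endpoint in message was empty, not required by binding, skipping"),
    "unsigned_inner_message": re.compile(r"SAML protocol message was not signed, skipping XML signature processing"),
    "provider": re.compile(r"Authentication attempt using (\S+)"),
    "failure": re.compile(r"Authentication request failed: (\S+): (.*)$"),
}


def triage(log_text):
    """Walk the log once and record which pipeline stages were reached."""
    result = {
        "signature_verified": False, "message_type": None,
        "trust_established": False, "issuer": None,
        "destination_skipped": False, "unsigned_inner_message": False,
        "provider": None, "failure": None,
        # number of trusted keys the trust engine tried before settling (failed + succeeded lines)
        "trust_attempts": 0,
    }
    for line in log_text.splitlines():
        line = line.strip()
        if "untrusted credential against trusted key" in line:
            result["trust_attempts"] += 1
        for stage, pat in STAGE_PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if stage == "signature_verified":
                result["signature_verified"] = True
                result["message_type"] = m.group(1)
            elif stage == "issuer":
                result["issuer"] = m.group(1)
            elif stage == "provider":
                result["provider"] = m.group(1)
            elif stage == "failure":
                result["failure"] = {"exception": m.group(1), "message": m.group(2)}
            else:
                result[stage] = True
    return result


def diagnose(result):
    """Return a short verdict on where in the SP pipeline the failure sits."""
    if result["failure"] is None:
        return "no authentication failure recorded"
    if not result["signature_verified"]:
        return "failed before signature verification: check the IdP signing certificate in the SP's metadata"
    if not result["trust_established"]:
        return "signature verified but the signing key is not trusted: check the trusted keys configured for the IdP"
    return ("transport signature and trust checks passed; failure raised by "
            f"{result['provider']} while validating the response/assertion content")


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(diagnose(r))
```

    Run against the snippet in the post, the verdict is that both the XML signature check and the trust check on the ArtifactResponse passed, so the "Error validating SAML message" came from SAMLAuthenticationProvider's own validation of the response content rather than from the signature or trust layer.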

  • #2
    How are you getting the spring-security-saml2-core artifact, are you building it from source?

    If so, how are you getting the source? Are you cloning and building from master?



    • #3
      This impacted me as well in the past week; I modified SAMLAuthenticationProvider.java locally to fix the problem.

      The root cause of the issue was a defect introduced during a recent refactoring (says Vladimir).

      He says the problem has now been fixed on master, so do a git fetch/merge and rebuild, redeploy.



      • #4
        I am still getting "HTTP Status 401 - Authentication Failed: Error validating SAML message
        description This request requires HTTP authentication (Authentication Failed: Error validating SAML message)."

        Are you sure this issue has been fixed or the fix is in the git? Can you please verify?
