Problem with IDP integration

  • Problem with IDP integration

    I am trying to integrate the IDP implemented by James Cox with the Spring Security extension. The project can be found here: http://spring-saml.svn.sourceforge.net/

    I have changed the code so that the IDP reads its public key from a keystore (I have imported the IDP certificate into the SP keystore and vice versa).

    The AuthnRequest is sent from the Spring SP, and its signature is properly validated on James's IDP. But the problem arises when the IDP sends a Response to the SP: the SP cannot validate the message signature.

    Anyone have a clue?

    Also to note:

    While executing the following method, validate always returns false, because there are no credentials!
    org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator.validate(Credential, Iterable<Credential>)

    Code:
        // org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator
        public boolean validate(Credential untrustedCredential, Iterable<Credential> trustedCredentials) {
            // Returns true as soon as one trusted credential matches the untrusted one.
            // If trustedCredentials is empty, the loop body never runs and the result is false.
            for (Credential trustedCredential : trustedCredentials) {
                if (validate(untrustedCredential, trustedCredential)) {
                    return true;
                }
            }
            return false;
        }

    Below is the stack trace:

    Code:
    2013-02-22 22:04:45,722 DEBUG: org.opensaml.xml.security.SigningUtil - Verifying signature over input using public key of type RSA and JCA algorithm ID SHA1withRSA
    2013-02-22 22:04:46,486 DEBUG: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Successfully verified signature using supplied candidate credential
    2013-02-22 22:04:47,022 DEBUG: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Attempting to establish trust of supplied candidate credential
    2013-02-22 22:04:59,082 DEBUG: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Failed to establish trust of supplied candidate credential
    2013-02-22 22:05:20,340 DEBUG: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Attempting to verify signature using trusted credentials
    2013-02-22 22:05:25,212 DEBUG: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Failed to verify signature using either supplied candidate credential or directly trusted credentials
    2013-02-22 22:05:40,829 WARN : org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule - Signature validation using request-derived credentials failed
    Feb 22, 2013 10:05:45 PM org.apache.catalina.core.StandardWrapperValve invoke
    SEVERE: Servlet.service() for servlet [default] in context with path [/spring-security-saml2-sample] threw exception
    org.opensaml.common.SAMLRuntimeException: Incoming SAML message is invalid
    	at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:93)
    	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:184)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:155)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    	at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:78)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:184)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:155)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    	at java.lang.Thread.run(Thread.java:722)
    Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of request simple signature failed for context issuer
    	at org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule.doEvaluate(BaseSAMLSimpleSignatureSecurityPolicyRule.java:139)
    	at org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule.evaluate(BaseSAMLSimpleSignatureSecurityPolicyRule.java:103)
    	at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
    	at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
    	at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
    	at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
    	at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
    	at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
    	at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
    	... 29 more
    
    2013-02-22 22:05:45,058 WARN : org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule - Validation of request simple signature failed for context issuer: idp
    2013-02-22 22:05:45,058 DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    2013-02-22 22:05:45,058 DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
    Last edited by roboto; Feb 22nd, 2013, 05:09 PM.

  • #2
    OK, I have solved the problem with message signing. In the IDP.XML I forgot to set entityID to my ID.

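The log above shows the pattern behind both posts: the signature verifies against the key carried in the message ("Successfully verified signature using supplied candidate credential"), but trust then fails because the SP resolves its trusted signing keys from metadata by the Response's Issuer, and an entityID that does not equal that Issuer yields an empty credential set, so the validate() loop never runs. The following is an added example (not code from the thread, Spring Security SAML or OpenSAML) that mimics that metadata lookup with the standard library; the metadata, the Response and the certificate text are constructed stand-ins, and UNSET-ENTITY-ID-PLACEHOLDER stands for the forgotten entityID from post #2.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed IdP metadata as held by the SP; the certificate is a dummy marker, not a real key.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="{md}" xmlns:ds="{ds}" entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>DUMMY-IDP-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response; "idp" is the issuer the SP logged ("context issuer: idp").
RESPONSE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="_r1" Version="2.0">
  <saml:Issuer>idp</saml:Issuer>
</samlp:Response>"""


def trusted_signing_certs(metadata_xml: str, issuer: str) -> list[str]:
    """Return the IdP signing certificates for the EntityDescriptor whose entityID equals
    the Response Issuer. Any other entityID matches nothing, so the list is empty."""
    root = ET.fromstring(metadata_xml)
    is_ed = root.tag == f"{{{NS['md']}}}EntityDescriptor"
    descriptors = [root] if is_ed else root.findall("md:EntityDescriptor", NS)
    certs = []
    for ed in descriptors:
        if ed.get("entityID") != issuer:
            continue
        for kd in ed.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
            # A KeyDescriptor without a "use" attribute is valid for signing as well.
            if kd.get("use", "signing") == "signing":
                certs += [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS)]
    return certs


def response_issuer(response_xml: str) -> str:
    return ET.fromstring(response_xml).find("saml:Issuer", NS).text.strip()


def diagnose(metadata_entity_id: str) -> tuple[str, int]:
    """Issuer seen in the Response and how many trusted signing certs resolve for it."""
    md = IDP_METADATA.format(entity_id=metadata_entity_id, **NS)
    issuer = response_issuer(RESPONSE.format(**NS))
    return issuer, len(trusted_signing_certs(md, issuer))


if __name__ == "__main__":
    print(diagnose("UNSET-ENTITY-ID-PLACEHOLDER"))  # ('idp', 0): nothing to loop over
    print(diagnose("idp"))                          # ('idp', 1): trust can be established
```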