Announcement Announcement Module
No announcement yet.
Signature did not validate against the credential's key Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Signature did not validate against the credential's key

    I have the sample application working with SSO Circle and am trying to get it working with AD FS 2.0. For now I am using the sample keystore, samlKeystore.jks. On AD FS, I created a self-signed certificate. AD FS shows 3 certificates for Service communications, token-decrypting and token-signing. I imported the Service communications certificate into samlKeystore.jks.

    AD FS receives the AuthNRequest ok. I login and recieve "Validation of protocol message signature failed". The application's INFO log shows:

    SAML protocol message was not signed, skipping XML signature processing
    Signature verification failed.

    A DEBUG log shows:

    Signature validated with key from supplied credential
    Signature validation using candidate credential was successful
    Successfully verified signature using KeyInfo-derived credential
    Attempting to establish trust of KeyInfo-derived credential
    Failed to validate untrusted credential against trusted key
    Failed to establish trust of KeyInfo-derived credential
    Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
    Attempting to verify signature using trusted credentials
    Attempting to validate signature using key from supplied credential
    Creating XMLSignature object
    Validating signature with signature algorithm URI:
    Validation credential key algorithm 'RSA', key instance class ''
    SignatureMethodURI =
    jceSigAlgorithm = SHA1withRSA
    jceSigProvider = SunRsaSign
    PublicKey = Sun RSA public key, 2048 bits
    modulus: ...
    public exponent: 65537
    Canonicalized SignedInfo:...
    Signature verification failed.
    Signature did not validate against the credential's key
    Signature validation using candidate validation credential failed
    Failed to verify signature using either KeyInfo-derived or directly trusted credentials

    I tried importing the AD FS signing certificate into the keystore and changing the signingKey in SP metadata from apollo to the alias I used when importing the signing certificate. That fails earlier.

    Some questions are:
    Is it ok to use a self-signed certificate on the AD FS server?
    What should I import to samlKeystore.jks?

    Any insights into this problem are MUCH appreciated.


  • #2
    I no longer have the above problem. I installed a real certificate and re-downloaded IDP metadata. The debug log now shows:

    SAML message intended destination endpoint matched recipient endpoint
    Authentication attempt using onProvider
    Received response has invalid status code
    Marshalling message
    Marshalling message



    • #3
      Hi Mark,

      The SAML Extension manual contains a step-by-step guide on how to setup federation with ADFS in chapter 6.1. It might contain some step which was omitted in your setup. As the ADFS is replying with a non-success status code there should be some reason for it logged on the ADFS side, you should check its logs.

      Vladimír Schäfer


      • #4
        Thanks Vladimir, it is working now with AD FS. One thing I had to do was replace the jce policy files as described in Thanks for a great product, great packaging and great code that helps resolving problems.



        • #5
          I'm glad you got it working. The mention of updating the cryptography settings will get included in the manual.