  • Metadata Generator: Digital Signature Invalid

    I am using version 1.0.0-RC1 of Spring Security SAML on a Java 1.6 platform. I have successfully integrated Spring Security SAML and have a functioning SP connected to a few different flavors of IdP. While exchanging metadata with one of our clients, we were alerted to an error when the SP metadata was consumed by the Oracle OIM software used by our clients for their IdP. The error indicates the digital signature on the SP metadata is invalid.

    I am using the MetadataGenerator (org.springframework.security.saml.metadata.MetadataGenerator) to auto-generate the SP metadata. The metadata is generated from the web resource, saved, and then sent to the client where it is consumed by their IdP software. The client was able to remove the digital signature components from the metadata, successfully load the metadata file, and successfully negotiate an SSO handshake with our SP. In addition, as the assertions are all signed, it appears that the digital signature problem is limited to only the SP metadata XML.

    I ran the metadata file through an external digital signature verification tool, and the digital signature appears to be invalid. I have verified that the certificate used in the metadata is correct and identical to the RFC output directly from keytool. I have ensured that no web browser formatting is altering the metadata file by running the file through a canonicalizer after retrieving it from the web resource. I have reviewed our system configuration, but the configuration on all of the MetadataGenerator related beans is pretty standard.

    I can provide further information upon request. Any insight would be greatly appreciated.

  • #2
    This should be related to the XSW attack described here:
    https://www.usenix.org/system/files/...12-final91.pdf

    As you can see, the <ds:Reference URI=""> is blank, which makes it vulnerable; that is why it has been rejected by other IAM platforms. I suspect this will also affect the signed authnRequest part. Somebody who knows the code better needs to fix it.



    • #3
      The issue has been already fixed, please update to the latest Spring SAML. You can also explicitly set property "id" on the MetadataGenerator bean as a workaround in your current version.


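An added check, not code from this thread or from Spring SAML, that makes the point in #2 and #3 concrete: the SAML signature profile expects the signed root element to carry an ID attribute and the single ds:Reference to point at it with URI="#id", which is what setting the id property on the MetadataGenerator supplies. The two metadata documents are constructed samples with placeholder digest and signature values, so the check inspects only how the signature is bound to the element, not cryptographic validity.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"


def check_signature_reference(metadata_xml: str) -> list:
    """Return a list of problems in how the enveloped signature is bound
    to the md:EntityDescriptor; an empty list means the binding looks right."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return ["no ds:Signature on the EntityDescriptor"]
    problems = []
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        problems.append(f"expected exactly one ds:Reference, found {len(refs)}")
    entity_id = root.get("ID")
    for ref in refs:
        uri = ref.get("URI", "")
        if uri == "":
            # The symptom from the thread: the reference names no element at all.
            problems.append("ds:Reference URI is empty: signature is not bound to a specific element")
        elif not entity_id:
            problems.append(f"ds:Reference URI={uri!r} but EntityDescriptor has no ID attribute")
        elif uri != "#" + entity_id:
            problems.append(f"ds:Reference URI={uri!r} does not match EntityDescriptor ID={entity_id!r}")
    return problems


# Constructed sample modelled on the thread's symptom: no ID attribute, empty Reference URI.
UNBOUND_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI=""><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Same document as it looks once the generator is given an id: ID attribute plus a same-document reference.
BOUND_METADATA = (UNBOUND_METADATA
                  .replace('entityID=', 'ID="_sp1" entityID=')
                  .replace('URI=""', 'URI="#_sp1"'))

if __name__ == "__main__":
    for name, doc in (("unbound", UNBOUND_METADATA), ("bound", BOUND_METADATA)):
        print(name, check_signature_reference(doc) or "ok")
```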

      • #4
        It had been rejected by another IAM platform. Now I have updated to the latest Spring SAML and it is really working well.
        Thanks for sharing.