"Signature did not validate against the credential's key" with Junos as IdP

Question

I've implemented SSO using Spring SAML and everything is working fine for an interaction with idp.ssocircle.com.

Now I am trying to use another identity provider. I have downloaded the metadata of the IdP and have linked it in my spring XML config. I have also uploaded the metadata of the service provider to the iDP and have linked it in the spring XML config.

I am redirected to the login page of my IdP and can successful enter my credentials. But an error like that appears "Signature did not validate against the credential's key".

There is another stackoverflow post which describes a similiar problem, see "HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid" with Salesforce as IdP for implementating SSO

But I have problems to follow the solution, because my SAML response captured by Fiddler does not contain an element like "X509Certificate".

Edit(!):But I have to say that the metadata of my identity provider contains a element like "ds:X509Certificate" in "ds:keyInfo" with some content. But there also another empty "ds:keyInfo"-Element with an empty "ds:X509Data"-Element.

Is there something wrong with the configuration of the identity provider?

Can anybody tell my what is happening here?

Complete log file: https://drive.google.com/file/d/0B3RlRCEjz-cvZGQ5aldzaUc0blE/edit?usp=sharing

Thanks in advance,

Andi

I wanted to attach the saml response, the log entries and my xml config, but I don't have enough reputation. — nocheinAndi, Jul 16 '14 at 13:53
You can upload the logs to some public service like Google Drive or Drop Box and post the link. Please make sure to enable debug level logging as is described in the Spring SAML manual, so that all it's possible to see all the exchanged messages. — Vladimír Schäfer, Jul 16 '14 at 14:29

score 9 · Accepted Answer · answered Jul 17 '14 at 14:55

It seems that the Response message is signed using a different certificate than what is included in the IdP metadata. You should ask your IdP to tell you what certificates they use for their signatures and add them to their metadata file. Based on what you say it could also be that the metadata file is simply incomplete or corrupted.

The other option is to add the certificate they provide you to the samlKeystore.jks (and remember the alias). Then define the alias as signingKey on the ExtendedMetadata of your IdP's metadata definition in Spring configuration. You can find details on using the ExtendedMetadata in the Spring SAML manual.

The fact that the key is not included in the Response message is not wrong, Spring SAML knows which keys to use from the metadata and ExtendedMetadata configuration.

I have decoded the certificate in the metadata and it really was the wrong certificate in the metadata of my identity provider. I have replaced the metadata-file with a correct one and everything works fine. Thanks! — nocheinAndi, Jul 22 '14 at 09:31

"Signature did not validate against the credential's key" with Junos as IdP

1 Answers1