
I am getting the below exception while I am trying to run my server after configuring my IDP in securityContext.xml.

Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

I saw there is a workaround at http://forum.spring.io/forum/spring-projects/security/saml/108450-getting-error-signature-trust-establishment-failed-for-metadata-entry which says to set the property metadataTrustCheck to false on the ExtendedMetadataDelegate bean which includes your IDP metadata.

But I don't want to update the saml2 core API; instead, is it possible to set metadataTrustCheck in securityContext.xml? If so, how do I set it up? I tried as given below, but I am still getting the same error.

<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
                <value type="java.io.File">classpath:metadata/services/MyMetadata.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
        </bean>
    </constructor-arg>
    <property name="metadataTrustCheck" value="false"/>
</bean>

My MetadataManager is defined as follows:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/services/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                <!-- URL containing the metadata -->
                <constructor-arg>
                    <value type="java.lang.String">https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml</value>
                </constructor-arg>
                <!-- Timeout for metadata loading in ms -->
                <constructor-arg>
                    <value type="int">5000</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/capital/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                <!-- URL containing the metadata -->
                <constructor-arg>
                    <value type="java.lang.String">https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml</value>
                </constructor-arg>
                <!-- Timeout for metadata loading in ms -->
                <constructor-arg>
                    <value type="int">5000</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </list>
    </constructor-arg>
</bean>

Please help on this. Thanks.

Vladimír Schäfer
Kannan
  • Can you post your complete CachingMetadataManager bean? – Vladimír Schäfer Oct 07 '14 at 17:26
  • Hey Vladimir, Nice to hear from you. I am using spring-security-saml2-core:1.0.1.BUILD-SNAPSHOT.jar. I have not changed any of the existing core API code. – Kannan Oct 08 '14 at 06:47
  • Initially I used your saml2-core source and modified the metadataTrustCheck to false in the ExtendedMetadataDelegate.java file and built the jar file. It worked well. Now I am trying to use the SNAPSHOT where the above mentioned change won't be there. Instead I can override the metadataTrustCheck value in securityContext.xml by using . Correct me if I am wrong. – Kannan Oct 08 '14 at 06:59
  • I was asking about the CachingMetadataManager bean configuration, not sources - I want to see what your Spring configuration looks like. The metadataTrustCheck should work just fine, I suspect you set it on the wrong metadata provider. Setting metadataTrustCheck to false is the correct approach. – Vladimír Schäfer Oct 08 '14 at 07:10
  • In this comment line, I am not able to add the bean. Is there any other way to share it? – Kannan Oct 08 '14 at 07:31
  • You can always edit your question and add more content there. – Vladimír Schäfer Oct 08 '14 at 10:06

2 Answers


Only some of your MetadataProviders were wrapped in the ExtendedMetadataDelegate. You must set the metadataTrustCheck flag to false on each MetadataProvider which should be skipping the trust check, not just on some of them. Define the metadata provider as follows and your problem should be gone:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/services/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                        <!-- URL containing the metadata -->
                        <constructor-arg>
                            <value type="java.lang.String">
                                https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml
                            </value>
                        </constructor-arg>
                        <!-- Timeout for metadata loading in ms -->
                        <constructor-arg>
                            <value type="int">5000</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/capital/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                        <!-- URL containing the metadata -->
                        <constructor-arg>
                            <value type="java.lang.String">
                                https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml
                            </value>
                        </constructor-arg>
                        <!-- Timeout for metadata loading in ms -->
                        <constructor-arg>
                            <value type="int">5000</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
        </list>
    </constructor-arg>
</bean>
Vladimír Schäfer
  • I have the same problem. Marked every ExtendedMetadataDelegate bean with metadataTrustCheck as false, but still get the same error. Config file available [here](https://gist.github.com/mohnish82/ad7501b1b585c9f881b2). – Mohnish Oct 24 '14 at 16:39

In the Java Config version, I had to manually call the initialize method against the metadataProvider object after I set the trust check flag to false.

import java.util.ArrayList;
import java.util.List;
import java.util.Timer;

import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider;
import org.opensaml.util.resource.ResourceException;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

@SamlBeanAnnotation
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException, ResourceException {
    List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
    for (String file : getSamlProviders()) {
        ResourceBackedMetadataProvider metadataProvider = new ResourceBackedMetadataProvider(new Timer(),
                new org.opensaml.util.resource.ClasspathResource("/" + file.trim()));
        metadataProvider.setParserPool(parserPool());

        // The trust-check flags are set on the delegate, so the delegate (not the bare
        // provider it wraps) is what has to be handed to the manager; adding the bare
        // provider would silently drop the flags.
        ExtendedMetadataDelegate extendedMetadataDelegate =
            new ExtendedMetadataDelegate(metadataProvider, new ExtendedMetadata());
        extendedMetadataDelegate.setMetadataTrustCheck(false);
        extendedMetadataDelegate.setMetadataRequireSignature(false);
        metadataProvider.initialize();
        providers.add(extendedMetadataDelegate);
    }

    CachingMetadataManager cachingMetadataManager = new CachingMetadataManager(providers);
    return cachingMetadataManager;
}
Mihaita Tinta
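The following is an added example, not code from the question or from either answer, that puts both answers together in one Java configuration: every provider from the question's XML (the two classpath files and the two ADFS federation metadata URLs) is routed through an ExtendedMetadataDelegate, so the metadataTrustCheck setting cannot be missed on one of them the way the accepted answer describes, and the second ADFS provider shows the stricter alternative of keeping the trust check on and pinning the metadata-signing certificate by keystore alias. Assumptions: a ParserPool bean is available for injection (the "parserPool" bean of the XML config), the file paths and URLs are the ones from the question, and the keystore alias "adfs2-metadata-signing" is an illustrative name for a certificate you would import into the KeyManager's keystore yourself.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Timer;

import org.opensaml.saml2.metadata.provider.AbstractMetadataProvider;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider;
import org.opensaml.util.resource.ClasspathResource;
import org.opensaml.util.resource.ResourceException;
import org.opensaml.xml.parse.ParserPool;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

// Added example: Java-config equivalent of the accepted answer's XML, with every
// provider wrapped in an ExtendedMetadataDelegate. Paths and URLs are taken from the
// question; the keystore alias below is an assumption for illustration.
@Configuration
public class MetadataConfig {

    // One shared daemon timer for the resource-backed providers' refresh checks.
    private static final Timer REFRESH_TIMER = new Timer("saml-metadata-refresh", true);

    // Workaround discussed in the thread: the metadata signature of this provider is
    // neither required nor verified. Only appropriate for metadata you obtained out of
    // band from a source you trust, since nothing else stops a tampered file loading.
    private static ExtendedMetadataDelegate withoutTrustCheck(MetadataProvider provider) {
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        delegate.setMetadataTrustCheck(false);
        delegate.setMetadataRequireSignature(false);
        return delegate;
    }

    // Stricter alternative: keep the trust check on, require a signature, and accept
    // only a signature that verifies against the certificate stored under 'alias' in
    // the KeyManager's keystore. The alias is assumed; it must match an entry you imported.
    private static ExtendedMetadataDelegate pinnedTo(MetadataProvider provider, String alias) {
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        delegate.setMetadataTrustCheck(true);
        delegate.setMetadataRequireSignature(true);
        delegate.setMetadataTrustedKeys(Collections.singleton(alias));
        return delegate;
    }

    private static AbstractMetadataProvider fromClasspath(String path, ParserPool pool)
            throws ResourceException, MetadataProviderException {
        ResourceBackedMetadataProvider provider =
                new ResourceBackedMetadataProvider(REFRESH_TIMER, new ClasspathResource(path));
        provider.setParserPool(pool);
        return provider;
    }

    private static AbstractMetadataProvider fromUrl(String url, ParserPool pool)
            throws MetadataProviderException {
        HTTPMetadataProvider provider = new HTTPMetadataProvider(url, 5000); // 5 s timeout, as in the XML
        provider.setParserPool(pool);
        return provider;
    }

    // Every provider passes through one of the two wrappers above. A bare provider added
    // to the list would be wrapped by the manager with default settings (trust check on)
    // and fail with the same FilterException as in the question.
    @Bean(name = "metadata")
    public CachingMetadataManager metadata(ParserPool parserPool)
            throws MetadataProviderException, ResourceException {
        List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
        providers.add(withoutTrustCheck(
                fromClasspath("/metadata/services/FederationMetadata.xml", parserPool)));
        providers.add(withoutTrustCheck(
                fromUrl("https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml", parserPool)));
        providers.add(withoutTrustCheck(
                fromClasspath("/metadata/capital/FederationMetadata.xml", parserPool)));
        // Second ADFS instance shown with the pinned variant; "adfs2-metadata-signing" is
        // an assumed keystore alias, not a value from the thread.
        providers.add(pinnedTo(
                fromUrl("https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml", parserPool),
                "adfs2-metadata-signing"));
        return new CachingMetadataManager(providers);
    }
}
```

With metadataTrustCheck left at true and no metadataTrustedKeys set, any key in the KeyManager's keystore is accepted as a metadata signer; restricting it to one alias per IdP, as the pinnedTo helper does, is the setting to aim for once the IdP's metadata-signing certificate has been imported, and withoutTrustCheck is the thread's workaround for metadata that is unsigned or signed by a key you have not yet imported.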