I'm trying to use the Spring SAML sample app to connect to a Shibboleth IdP but have run into a signature validation issue that I haven't been able to resolve.
When the sample app gets the response from the IdP, an exception is thrown with the following:
Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80)
With the log containing
- Creating XMLSignature object
- Validating signature with signature algorithm URI: http://www.w3.org /2001/04/xmldsig-more#rsa-sha256
- Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
- Signature validated with key from supplied credential
- Signature validation using candidate credential was successful
- Successfully verified signature using KeyInfo-derived credential
- Attempting to establish trust of KeyInfo-derived credential
- Failed to establish trust of KeyInfo-derived credential
so it looks like the signature is being validated but the key is not trusted. What I can't figure out is how to "establish" the trust.
I set up the sample app by
Copying the IdP metadata to the sample app and loading it by adding this to securityContext.xml
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager"> <constructor-arg> <list> <!-- Example of classpath metadata with Extended Metadata --> <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate"> <constructor-arg> <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider"> <constructor-arg> <bean class="java.util.Timer"/> </constructor-arg> <constructor-arg> <bean class="org.opensaml.util.resource.ClasspathResource"> <constructor-arg value="/metadata/twoss-metadata.xml"/> </bean> </constructor-arg> <property name="parserPool" ref="parserPool"/> </bean> </constructor-arg> <constructor-arg> <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> <property name="signingKey" value="shib-signing"/> <property name="trustedKeys" value="shib-signing"/> </bean> </constructor-arg> <property name="metadataTrustCheck" value="false"/> </bean> </list> </constructor-arg>
Configuring the SP metadata like so
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter"> <constructor-arg> <bean class="org.springframework.security.saml.metadata.MetadataGenerator"> <property name="entityId" value="urn:test:dan:vancouver"/> <property name="extendedMetadata"> <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> <property name="signMetadata" value="false"/> <property name="idpDiscoveryEnabled" value="true"/> </bean> </property> </bean> </constructor-arg>
And finally, I added the signing certificate generated during the Shibboleth installation to the sample app's keystore
keytool -importcert -alias shib-signing -file idp-signing.crt -keystore samlKeystore.jks
So, the question is, what do I need to do to get the trust established?
Note that both the sample app and shibboleth are in a development environment and are not using CA-signed certificates for either signing or encryption purposes.