8

I'm trying to use the Spring SAML sample app to connect to a Shibboleth IdP but have run into a signature validation issue that I haven't been able to resolve.

When the sample app gets the response from the IdP, an exception is thrown with the following:

Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80)

With the log containing

- Creating XMLSignature object
- Validating signature with signature algorithm URI: http://www.w3.org   /2001/04/xmldsig-more#rsa-sha256
- Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
- Signature validated with key from supplied credential
- Signature validation using candidate credential was successful
- Successfully verified signature using KeyInfo-derived credential
- Attempting to establish trust of KeyInfo-derived credential
- Failed to establish trust of KeyInfo-derived credential

so it looks like the signature is being validated but the key is not trusted. What I can't figure out is how to "establish" the trust.

I set up the sample app by

  1. Copying the IdP metadata to the sample app and loading it by adding this to securityContext.xml

    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <!-- Example of classpath metadata with Extended Metadata -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg>
                            <bean class="java.util.Timer"/>
                        </constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/twoss-metadata.xml"/>
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                                <property name="signingKey" value="shib-signing"/>
                                <property name="trustedKeys" value="shib-signing"/>
                    </bean>
                </constructor-arg>
                     <property name="metadataTrustCheck" value="false"/>
            </bean>
        </list>
    </constructor-arg>
    

  2. Configuring the SP metadata like so

    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="entityId" value="urn:test:dan:vancouver"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                          <property name="signMetadata" value="false"/>
                    <property name="idpDiscoveryEnabled" value="true"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
    

  3. And finally, I added the signing certificate generated during the Shibboleth installation to the sample app's keystore

    keytool -importcert -alias shib-signing -file idp-signing.crt -keystore samlKeystore.jks
    

    So, the question is, what do I need to do to get the trust established?

Note that both the sample app and shibboleth are in a development environment and are not using CA-signed certificates for either signing or encryption purposes.

Dan Ciarniello
  • 193
  • 1
  • 2
  • 9

0 Answers0