2

I have looked at many questions including https://stackoverflow.com/a/25384924/1317559. I have the IdP metadata and certificate, but can't seem to get Spring so see it.

  • Added the certificate to the keystore: keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file certificate.crt
  • In the metadata there are multiple certificates (2 different ones) and a SignatureValue.
  • I tried to add the signature value with the same keytool command, but it is not a certificate.
  • I tried to add the 2 certificates found in the metadata also.

I enabled debugging log and this is what I get:

  • Successfully verified signature using KeyInfo-derived credential
  • Attempting to establish trust of KeyInfo-derived credential
  • Supplied trusted names are null or empty, skipping name evaluation
  • Attempting PKIX path validation on untrusted credential: [subjectName='O=novell,OU=accessManager,CN=test-signing']
  • PKIX path construction failed for untrusted credential: [subjectName='O=novell,OU=accessManager,CN=test-signing']: unable to find valid certification path to requested target
  • Signature trust could not be established via PKIX validation of signing credential
  • Failed to establish trust of KeyInfo-derived credential
  • Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
  • PKIX validation of signature failed, unable to resolve valid and trusted signing key
  • Signature trust establishment failed for metadata entry http://idp.ppd.com/nidp/saml2/metadata
  • Error filtering metadata from http://idp.ppd.com/nidp/saml2/metadata org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:312)
Community
  • 1
  • 1
Yster
  • 3,147
  • 5
  • 32
  • 48
  • This problem was fixed. There were many problems in fact. I am using the Spring SAML sample application: Need to add the public certificate (the first one after the signature, in the idp metadata) to the samlKeystore.jks under Other sources, security. The password is nalle123 . Don't put anything in the securityContext.xml file. – Yster Jan 28 '15 at 15:40

3 Answers3

5

The Spring SAML manual describes metadata trust verification in chapter 7.2.4. One option is to disable the trust check, or manually remove the signature XML from metadata. Just like you found out, the certificate to import to samlKeystore.jks is the one used to produce the metadata signature, not the signing/encryption certificates for specific SP or IDP entities.

Vladimír Schäfer
  • 15,375
  • 2
  • 51
  • 71
  • Thanks for the advice Vladimir. Found a lot of help in your other posts too. – Yster Jan 29 '15 at 16:11
  • I would like to ask another question, but is seems I cannot: I sent my SP metadata to someone hosting an IdP, but there is a format problem on their side with the ID or entityID. This what they both are: urn:test:sso:degicom:com . Now I need to change the format and give different values to both. But how can I change the ID? – Yster Jan 29 '15 at 16:21
  • The correct way is to open a completely new question, not update an existing one. You can set ID element in bean MetadataGenerator, it has a property "ID". Also, make sure you're using Spring SAML 1.0.0.RELEASE, the previous version had a bug which could include unaccepted characters in the automatically generated ID - perhaps that's the issue you're hitting. – Vladimír Schäfer Jan 30 '15 at 07:45
  • I was blocked from asking a new question. Thanks for the solution to the second question Vladimir! I'm marking this one as the answer although my answer below is actually the solution to the first question. – Yster Feb 03 '15 at 07:44
1

Also worth noting: Don't change the signed file - happened to me when I reformatted the ADFS generated one-liner. Obviously changes the file's signature.

Thomas
  • 1,119
  • 9
  • 24
0

This problem was fixed. There were many problems in fact. I am using the Spring SAML sample application:

  • Need to add the public certificate (the first one after the signature, in the idp metadata) to the samlKeystore.jks under Other sources, security.
  • The password is nalle123 .
  • Don't put anything in the securityContext.xml file.
Yster
  • 3,147
  • 5
  • 32
  • 48
  • Hi Yster, I am facing similar problem. Can you please elaborate how you fix these problems ? Mainly following points I did not get .The password is nalle123 . Don't put anything in the securityContext.xml file. – Mahesh Oct 28 '16 at 14:27