Trust problem



henrikab
Dec 16th, 2011, 11:09 AM
Hi,

I'm new to the SAML extension of Spring Security, and am facing a strange problem in the development environment.
We have set up a Windows 2008 R2 server with AD FS 2.0.
We use OpenSAML 2.5.2, Spring Security 3.0.7 and the latest build of Spring Security SAML (commit hash 5b431458626222d96316aff8cbcea76cdc915a2e).

We have added the CA cert from the server to both the JRE keystore, as well as the project keystore.

The problem we face is on the return from the IDP.

We have looked into the X509TrustManager, and seen that it handles the server credentials and certificate.

So what we don't quite get is what causes the CertificateException.



org.opensaml.common.SAMLRuntimeException: Error decoding incoming SAML message
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:91)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:70)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.qmplus.common.util.datasource.DataSourceFilter.doFilter(DataSourceFilter.java:85)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:303)
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:183)
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:169)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:311)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Could not decode artifact response message.
at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:123)
at org.opensaml.saml2.binding.decoding.HTTPArtifactDecoderImpl.doDecode(HTTPArtifactDecoderImpl.java:94)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:75)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:69)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:79)
... 37 more
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Error when sending request to artifact resolution service.
at org.springframework.security.saml.websso.ArtifactResolutionProfileImpl.getArtifactResponse(ArtifactResolutionProfileImpl.java:108)
at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:98)
... 43 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Peer SSL/TLS certificate is not trusted, add the certificate to your trust store and update tlsKey in extended metadata with the certificate alias
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:506)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
at org.springframework.security.saml.websso.ArtifactResolutionProfileImpl.getArtifactResponse(ArtifactResolutionProfileImpl.java:96)
... 44 more
Caused by: java.security.cert.CertificateException: Peer SSL/TLS certificate is not trusted, add the certificate to your trust store and update tlsKey in extended metadata with the certificate alias
at org.springframework.security.saml.trust.X509TrustManager.checkServerTrusted(X509TrustManager.java:79)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1198)
... 61 more

pkennedy
Dec 27th, 2011, 03:15 PM
I'm encountering the same issue. Using /usr/java/default/bin/keytool I added the contents of the idp.crt file to samlKeystore.jks and to /usr/java/default/jre/lib/security/cacerts, using the alias 'shib-idp', and trusting the cert on import.

I also updated my sample web app's securityContext.xml to contain a reference to the 'shib-idp' alias in ExtendedMetadata:

<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
                <value type="java.io.File">classpath:security/idp.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <property name="tlsKey" value="shib-idp"/>
        </bean>
    </constructor-arg>
</bean>

I restarted my app server, but the problem is still there.

Pk.

pkennedy
Dec 28th, 2011, 09:16 PM
Here's the contents of my catalina.out, with log4j logging set to DEBUG for com.springframework.security.saml:

I also verified that the Shibboleth IDP's private key matches the cert with alias shib-idp in samlKeystore.jks and in the JRE keystore.


- Checking server trust
- Attempting to validate untrusted credential
- Forcing on-demand metadata provider refresh if necessary
- Attempting to retrieve credentials from cache using index: [https://dev148.mycompany.com:8443/idp/shibboleth,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,UNSPECIFIED]
- Unable to retrieve credentials from cache using index: [https://dev148.mycompany.com:8443/idp/shibboleth,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,UNSPECIFIED]
- Using customized TLS key null from extended metadata for entityID https://dev148.mycompany.com:8443/idp/shibboleth
- Building credential from keystore entry for entityID shib-idp, usage type UNSPECIFIED
- Processing TrustedCertificateEntry from keystore
- Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
- No customized signature or encryption keys configured for entityID https://dev148.mycompany.com:8443/idp/shibboleth, using metadata
- Attempting to retrieve credentials from metadata for entity: https://dev148.mycompany.com:8443/idp/shibboleth
- Retrieving metadata for entity 'https://dev148.mycompany.com:8443/idp/shibboleth' in role '{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor' for protocol 'urn:oasis:names:tc:SAML:2.0:protocol'
- Checking child metadata provider for entity descriptor with entity ID: https://dev148.mycompany.com:8443/idp/shibboleth
- Searching for entity descriptor with an entity ID of https://dev148.mycompany.com:8443/idp/shibboleth
- Found 0 key names: []
- Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
- Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
- Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
- Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
- Attempting to extract credential from an X509Data
- Found 1 X509Certificates
- Found 0 X509CRLs
- Single certificate was present, treating as end-entity certificate
- Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
- A total of 1 credentials were resolved
- Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
- Added new credential collection to cache with key: [https://dev148.mycompany.com:8443/idp/shibboleth,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,UNSPECIFIED]
- Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
- Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
- Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
- Failed to validate untrusted credential against trusted certificate
- Failed to validate untrusted credential against trusted certificate
- Closing the connection.
- Method retry handler returned false. Automatic recovery will not be attempted
- Releasing connection back to connection manager.
- Error when sending request to artifact resolution service.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Peer SSL/TLS certificate is not trusted, add the certificate to your trust store and update tlsKey in extended metadata with the certificate alias
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)

Flyhard
Dec 29th, 2011, 07:41 AM
I have analyzed the aforementioned problem a little further:

The certificate that the system tries to validate is the SSL certificate of the IdP, while the available set of certificates contains only the ADFS certificates. I wonder if this is an ADFS setup problem, or a problem of the Spring-saml extension.

pkennedy
Dec 30th, 2011, 05:07 PM
> I have analyzed the aforementioned problem a little further:
>
> The certificate that the system tries to validate is the SSL certificate of the IdP, while the available set of certificates contains only the ADFS certificates. I wonder if this is an ADFS setup problem, or a problem of the Spring-saml extension.

I fixed my problem by importing, into the SAML2 sample webapp's samlKeystore.jks, the CA cert for the signer of the X509 cert presented by my Tomcat instance hosting the Shibboleth IdP webapp to the Tomcat instance hosting the SAML2 sample webapp.

I made sure that the alias I chose when importing the CA cert matched that specified in the ExtendedMetadata:

<constructor-arg>
    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
        <property name="tlsKey" value="tomcat-idp"/>
    </bean>
</constructor-arg>


If indeed we are encountering the same issue (I think there's a strong possibility), I would try importing the CA cert of the signer of the ADFS SSL/TLS cert to your Java Keystore, choosing an appropriate alias. Then make sure your ExtendedMetadata refers to this alias, and redeploy/restart.

henrikab
Feb 15th, 2012, 04:42 AM
> I fixed my problem by importing, into the SAML2 sample webapp's samlKeystore.jks, the CA cert for the signer of the X509 cert presented by my Tomcat instance hosting the Shibboleth IdP webapp to the Tomcat instance hosting the SAML2 sample webapp.
>
> I made sure that the alias I chose when importing the CA cert matched that specified in the ExtendedMetadata:
>
> <constructor-arg>
>     <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
>         <property name="tlsKey" value="tomcat-idp"/>
>     </bean>
> </constructor-arg>
>
> If indeed we are encountering the same issue (I think there's a strong possibility), I would try importing the CA cert of the signer of the ADFS SSL/TLS cert to your Java Keystore, choosing an appropriate alias. Then make sure your ExtendedMetadata refers to this alias, and redeploy/restart.

We actually needed to put the presented SSL key into samlKeystore.jks, name the alias as the tlsKey, and NOT add this alias to the key manager. We have registered it as a bug with id SES-106 (https://jira.springsource.org/browse/SES-106).

guydog
Mar 7th, 2013, 09:52 PM
I am having a similar issue to this, but I don't get the underlying certificate trust issue. I am getting the same exception, minus the details about the trusted cert.

I have also followed the steps for the other similar issue described by https://jira.springsource.org/browse/SES-117

I am using the saml2-sample with an ADFS IDP. I followed the IDP setup, added the IDP's signing cert, root CA cert, the IDP's cert captured from sslextractor and its root CA into the local samlKeystore. I have also tried to add these individually to the security context:


<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
                <value type="java.io.File">classpath:security/FederationMetadata.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <!-- NEEDED FOR ADFS? https://jira.springsource.org/browse/SES-106 -->
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <property name="securityProfile" value="metaiop"/>
            <property name="tlsKey" value="signingkey"/>
        </bean>
    </constructor-arg>
    <property name="metadataTrustCheck" value="false"/>
</bean>


I am getting the below stack:


10:29:51,167 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[standalone-node1].[/adx].[default]] (ajp--0.0.0.0-9009-1) Servlet.service() for servlet default threw exception: org.opensaml.common.SAMLRuntimeException: Error decoding incoming SAML message
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:91) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195) [spring-security-web-3.1.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.1.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166) [spring-security-web-3.1.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.2.RELEASE.jar:]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.1.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.2.RELEASE.jar:]
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.1.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.1.2.RELEASE.jar:]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-3.1.2.RELEASE.jar:]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) [spring-web-3.1.2.RELEASE.jar:]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:139) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]
at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event(CatalinaContext.java:285)
at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invoke(CatalinaContext.java:261)
at org.jboss.as.web.NamingValve.invoke(NamingValve.java:57) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:154) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:504) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:442) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at java.lang.Thread.run(Unknown Source) [:1.7.0_09]
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Could not decode artifact response message.
at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:123) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
at org.opensaml.saml2.binding.decoding.HTTPArtifactDecoderImpl.doDecode(HTTPArtifactDecoderImpl.java:94) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) [openws-1.4.4.jar:]
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) [opensaml-2.5.3.jar:]
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
... 29 more
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Could not find any artifact resolution services in metadata.
at org.springframework.security.saml.util.SAMLUtil.getArtifactResolutionService(SAMLUtil.java:182) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:82) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
... 35 more



What am I missing? Do these need to be added to the keymanager? Do I even need to specify the tlsKey? If so, should this be the IDP's signing key, or the cert obtained by pointing to the ADFS server using sslextractor?

vsch
Mar 8th, 2013, 01:10 AM
Hi,

This doesn't seem to have anything to do with trust, but rather with bindings enabled by your IDP. The exception says: Could not find any artifact resolution services in metadata. Please verify whether your IDP metadata contains a line similar to:


<ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/ArtifactResolver/metaAlias/ssocircle"/>

The chances are there's none. In that case you can either configure ADFS to include Artifact binding and update the metadata, or you can use WebSSOProfileOptions and request IDP to use another binding, e.g. HTTP-POST.

Cheers,
Vladi
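The two failure modes in this thread, the IdP metadata advertising no artifact resolution endpoint (vsch's answer) and the tlsKey alias holding a certificate other than the one the artifact resolution host actually presents (henrikab's fix), can both be caught by inspecting the IdP metadata before deploying. The following pre-flight check is an added example, not code from the thread or from the Spring Security SAML project; the metadata, entityID and hostnames in it are constructed placeholders.

```python
# Added example: pre-flight check of SAML 2.0 IdP metadata for the two
# problems discussed in the thread. Not part of Spring Security SAML.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def inspect_idp_metadata(xml_text):
    """Summarise the bindings and artifact endpoints of an IDPSSODescriptor."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_bindings = {e.get("Binding"): e.get("Location")
                    for e in idp.findall("md:SingleSignOnService", NS)}
    # Only SOAP endpoints are usable by the SP's ArtifactResolutionProfileImpl.
    artifact_services = [e.get("Location")
                         for e in idp.findall("md:ArtifactResolutionService", NS)
                         if e.get("Binding") == SOAP_BINDING]
    # These are the hosts whose TLS server certificate the SP will verify.
    tls_hosts = sorted({urlsplit(loc).hostname for loc in artifact_services})
    signing_certs = idp.findall(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"), "sso_bindings": sso_bindings,
            "artifact_services": artifact_services, "tls_hosts": tls_hosts,
            "signing_cert_count": len(signing_certs)}


def recommendations(report):
    """Map the report onto the concrete checks raised in the thread."""
    advice = []
    if not report["artifact_services"]:
        if POST_BINDING in report["sso_bindings"]:
            advice.append("no SOAP ArtifactResolutionService in metadata: publish "
                          "one from the IdP and refresh the metadata, or request "
                          "HTTP-POST via WebSSOProfileOptions")
        else:
            advice.append("no SOAP ArtifactResolutionService and no HTTP-POST "
                          "SingleSignOnService: fix the IdP metadata first")
    for host in report["tls_hosts"]:
        advice.append("tlsKey alias in samlKeystore.jks must hold the TLS server "
                      "certificate presented by %s, not the KeyDescriptor "
                      "signing certificate" % host)
    return advice


# Constructed sample metadata; hostnames and certificate are placeholders.
SAMPLE_WITHOUT_ARS = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-SIGNING-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
SAMPLE_WITH_ARS = SAMPLE_WITHOUT_ARS.replace(
    "</md:IDPSSODescriptor>",
    '<md:ArtifactResolutionService index="0" isDefault="true" '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" '
    'Location="https://adfs.example.test/adfs/services/trust/artifactresolution"/>'
    "\n  </md:IDPSSODescriptor>")

if __name__ == "__main__":
    for sample in (SAMPLE_WITHOUT_ARS, SAMPLE_WITH_ARS):
        for line in recommendations(inspect_idp_metadata(sample)):
            print("-", line)
```

Run it against the real FederationMetadata.xml instead of the samples; the host it names is the one whose presented certificate belongs under the tlsKey alias.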

guydog
Mar 8th, 2013, 11:01 AM
Vladi,

Thanks much for the answer. ADFS was recently configured for the Artifact Resolution, but the metadata was not updated. Also, thanks for your documentation on setting up ADFS.