Results 1 to 4 of 4

Thread: Getting error Signature trust establishment failed for metadata entry

  1. Oct 12th, 2011, 08:48 AM #1
    panwaskard
    panwaskard is offline Junior Member
    Join Date
    Oct 2011
    Posts
    3

    Default Getting error Signature trust establishment failed for metadata entry

    I'm trying to integrate with a saml idp and I'm using the spring saml extension. I can get the sample to work fine when the idp is not signing metadata file

    when it is signed it fails validation with the following error:

    Signature trust establishment failed for metadata entry
    Caused by: org.opensaml.saml2.metadata.provider.FilterExcepti on: Signature trust establishment failed for metadata entry
    at org.opensaml.saml2.metadata.provider.SignatureVali dationFilter.verifySignature(SignatureValidationFi lter.java:311)
    at org.opensaml.saml2.metadata.provider.SignatureVali dationFilter.processEntityDescriptor(SignatureVali dationFilter.java:176)
    at org.opensaml.saml2.metadata.provider.SignatureVali dationFilter.doFilter(SignatureValidationFilter.ja va:154)
    at org.opensaml.saml2.metadata.provider.AbstractMetad ataProvider.filterMetadata(AbstractMetadataProvide r.java:482)
    at org.opensaml.saml2.metadata.provider.AbstractReloa dingMetadataProvider.processNonExpiredMetadata(Abs tractReloadingMetadataProvider.java:3

    I'm struggling to work out what the problem is and could do with some pointers as there is not much documentation.

    To give a bit of background:

    - I've generated the sp metadata from the application then fed this into our Ping Server (Application that provides Federated SSO) to configure the Service Provider
    - Admin team have then generated idp metadata signed for this service provider and I've configured this in the application.

    I can't see how the metadatafilter is configured and I'm not sure what missing.
    Reply With Quote Reply With Quote
  2. Jan 30th, 2013, 12:11 PM #2
    md10024
    md10024 is offline Member
    Join Date
    Mar 2008
    Location
    Portland OR
    Posts
    44

    Default

    Did you ever get signed metadata working? I'm implementing this and am having the same problem...

    thanks in advance,
    Mark
    Reply With Quote Reply With Quote
  3. Jan 31st, 2013, 02:25 AM #3
    vsch
    vsch is offline Senior Member
    Join Date
    Feb 2009
    Location
    Helsinki
    Posts
    152

    Default

    Hi,

    By default SAML Extension tries to verify trust of the signature in metadata with PKIX using all keys found in the configured keystore (bean keyManager, default file security/samlKeystore.jks). So the first thing to do is import the public certificate of the metadata signature (or of it's CA + intermediary CA's) to the keystore. This should make the verification pass unless certificate is e.g. expired.

    You can also disable trust checking of the signature by setting property metadataTrustCheck to false on the ExtendedMetadataDelegate bean which includes your IDP metadata. Also, the signature of metadata can be manually removed which will make the system not complain anymore.

    Hope this helps,
    Vladimír Schäfer
    Reply With Quote Reply With Quote
  4. Feb 4th, 2013, 11:33 AM #4
    md10024
    md10024 is offline Member
    Join Date
    Mar 2008
    Location
    Portland OR
    Posts
    44

    Default

    Thank-you Vladimir! This helped me get past the signed metadata problem.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules