Trust problem

[henrikab]

Hi,

Im new to the SAML extention of spring security, and am facing a strange problem in the development environment.
We have set up a Windows 2008r2 server with AD FS 2.0
We use OpenSAML 2.5.2, springsecurity_3.0.7 and the latest build of springsecurity SAML with commit hash: 5b431458626222d96316aff8cbcea76cdc915a2e

We have added the CA cert from the server to both the jre keystore, aswell as the project keystore.

The problem we face is on the return from the IDP.

We have looked into the X509TrustManager, and seen that it handles the server credentials and certificate.

So what we dont quite get, is what causes the CertificateException.

Code:

org.opensaml.common.SAMLRuntimeException: Error decoding incoming SAML message
	at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:91)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
	at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
	at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:70)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at com.qmplus.common.util.datasource.DataSourceFilter.doFilter(DataSourceFilter.java:85)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
	at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:303)
	at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:183)
	at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:169)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:311)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Could not decode artifact response message.
	at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:123)
	at org.opensaml.saml2.binding.decoding.HTTPArtifactDecoderImpl.doDecode(HTTPArtifactDecoderImpl.java:94)
	at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:75)
	at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:69)
	at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
	at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
	at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:79)
	... 37 more
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Error when sending request to artifact resolution service.
	at org.springframework.security.saml.websso.ArtifactResolutionProfileImpl.getArtifactResponse(ArtifactResolutionProfileImpl.java:108)
	at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:98)
	... 43 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Peer SSL/TLS certificate is not trusted, add the certificate to your trust store and update tlsKey in extended metadata with the certificate alias
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
	at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:506)
	at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
	at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
	at org.springframework.security.saml.websso.ArtifactResolutionProfileImpl.getArtifactResponse(ArtifactResolutionProfileImpl.java:96)
	... 44 more
Caused by: java.security.cert.CertificateException: Peer SSL/TLS certificate is not trusted, add the certificate to your trust store and update tlsKey in extended metadata with the certificate alias
	at org.springframework.security.saml.trust.X509TrustManager.checkServerTrusted(X509TrustManager.java:79)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1198)
	... 61 more

[pkennedy]

I'm encountering the same issue. Using /usr/java/default/bin/keytool I added the contents of idp.crt file to samlKeystore.jks and to /usr/java/default/jre/lib/security/cacerts, using the alias 'shib-idp', and trusting the cert on import.

I also updated my sample web app's securityContext.xml to contain a reference to the 'shib-idp' alias in ExtendedMetadata:

<bean class="org.springframework.security.saml.metadata. ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.Filesy stemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:security/idp.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata. ExtendedMetadata">
<property name="tlsKey" value="shib-idp"/>
</bean>
</constructor-arg>
</bean>

I restarted my app server, but the problem is still there.

Pk.

[pkennedy]

Here's the contents of my catalina.out, with log4j logging set to DEBUG for com.springframework.security.saml:

I also verified that the shibboleth IDP's private key matches the cert with alias shib-idp in samlKeystore.jk and in the jre keystore.

Code:

- Checking server trust
- Attempting to validate untrusted credential
- Forcing on-demand metadata provider refresh if necessary
- Attempting to retrieve credentials from cache using index: [https://dev148.mycompany.com:8443/idp/shibboleth,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,UNSPECIFIED]
- Unable to retrieve credentials from cache using index: [https://dev148.mycompany.com:8443/idp/shibboleth,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,UNSPECIFIED]
- Using customized TLS key null from extended metadata for entityID https://dev148.mycompany.com:8443/idp/shibboleth
- Building credential from keystore entry for entityID shib-idp, usage type UNSPECIFIED
- Processing TrustedCertificateEntry from keystore
- Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
- No customized signature or encryption keys configured for entityID https://dev148.mycompany.com:8443/idp/shibboleth, using metadata
- Attempting to retrieve credentials from metadata for entity: https://dev148.mycompany.com:8443/idp/shibboleth
- Retrieving metadata for entity 'https://dev148.mycompany.com:8443/idp/shibboleth' in role '{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor' for protocol 'urn:oasis:names:tc:SAML:2.0:protocol'
- Checking child metadata provider for entity descriptor with entity ID: https://dev148.mycompany.com:8443/idp/shibboleth
- Searching for entity descriptor with an entity ID of https://dev148.mycompany.com:8443/idp/shibboleth
- Found 0 key names: []
- Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
- Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
- Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
- Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
- Attempting to extract credential from an X509Data
- Found 1 X509Certificates
- Found 0 X509CRLs
- Single certificate was present, treating as end-entity certificate
- Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
- A total of 1 credentials were resolved
- Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
- Added new credential collection to cache with key: [https://dev148.mycompany.com:8443/idp/shibboleth,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,UNSPECIFIED]
- Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
- Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
- Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
- Failed to validate untrusted credential against trusted certificate
- Failed to validate untrusted credential against trusted certificate
- Closing the connection.
- Method retry handler returned false. Automatic recovery will not be attempted
- Releasing connection back to connection manager.
- Error when sending request to artifact resolution service.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Peer SSL/TLS certificate is not trusted, add the certificate to your trust store and update tlsKey in extended metadata with the certificate alias
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)

[Flyhard]

I have analyzed the formost mentioned problem a little further:

The Certificate that the system tries to validate is the SSL certificate of the IdP, while the available set of certificates contains only the ADFS certificates. I wonder if this is a ADFS setup problem, or a problem of the Spring-saml extension.

[pkennedy]

I have analyzed the formost mentioned problem a little further:

The Certificate that the system tries to validate is the SSL certificate of the IdP, while the available set of certificates contains only the ADFS certificates. I wonder if this is a ADFS setup problem, or a problem of the Spring-saml extension.

I fixed my problem by importing, to the SAML2 sample webapp's samlKeystore.jks, the CA cert for the signer of the X509 cert presented by my tomcat instance hosting the Shibboleth IdP webapp to the tomcat instance hosting the SAML2 sample webapp.

I made sure that the alias I chose when importing the CA cert matched that specified in the ExtendedMetadata

Code:

             
                    <constructor-arg>
                        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                            <property name="tlsKey" value="tomcat-idp"/>
                        </bean>
                    </constructor-arg>

If indeed we are encountering the same issue (I think there's a strong possibility), I would try importing the CA cert of the signer of the ADFS SSL/TLS cert to your Java Keystore, choosing an appropriate alias. Then make sure your ExtendedMetadata refers to this alias, and redeploy/restart.

[henrikab]

I fixed my problem by importing, to the SAML2 sample webapp's samlKeystore.jks, the CA cert for the signer of the X509 cert presented by my tomcat instance hosting the Shibboleth IdP webapp to the tomcat instance hosting the SAML2 sample webapp.

I made sure that the alias I chose when importing the CA cert matched that specified in the ExtendedMetadata

Code:

             
                    <constructor-arg>
                        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                            <property name="tlsKey" value="tomcat-idp"/>
                        </bean>
                    </constructor-arg>

If indeed we are encountering the same issue (I think there's a strong possibility), I would try importing the CA cert of the signer of the ADFS SSL/TLS cert to your Java Keystore, choosing an appropriate alias. Then make sure your ExtendedMetadata refers to this alias, and redeploy/restart.

We actually needed to put the presented SSL key into samlKeystore.jks, name the alias as the tlsKey, and DO NOT add this alias to the key manager. We have registered it as a bug with id SES-106

[guydog]

I am having a similar issue to this, but I don't get the underlying certificate trust issue. I am getting the same exception, minus the details about the trusted cert.

I have also followed the steps for the other similar issue described by https://jira.springsource.org/browse/SES-117

I am using the saml2-sample with an ADFS IDP. I followed the IDP setup, added the IDPs signing cert, root ca cert, the idp's cert captured from sslextractor and its root CA into the local samlKeystore. I have also tried to add these individually to the security context:

Code:

                <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                            <constructor-arg>
                                <value type="java.io.File">classpath:security/FederationMetadata.xml</value>
                            </constructor-arg>
                            <property name="parserPool" ref="parserPool"/>
                        </bean>
                    </constructor-arg>
                    <constructor-arg>
<!-- NEEDED FOR ADFS?  https://jira.springsource.org/browse/SES-106 -->	
						<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
							<property name="securityProfile" value="metaiop"/>
							<property name="tlsKey" value="signingkey" />
						</bean>
                    </constructor-arg>
					<property name="metadataTrustCheck" value="false"/>
                </bean>

I am getting the below stack:

Code:

10:29:51,167 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[standalone-node1].[/adx].[default]] (ajp--0.0.0.0-9009-1) Servlet.service() for servlet default threw exception: org.opensaml.common.SAMLRuntimeException: Error decoding incoming SAML message
	at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:91) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195) [spring-security-web-3.1.2.RELEASE.jar:]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.2.RELEASE.jar:]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.1.2.RELEASE.jar:]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166) [spring-security-web-3.1.2.RELEASE.jar:]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.2.RELEASE.jar:]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.1.2.RELEASE.jar:]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.2.RELEASE.jar:]
	at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.2.RELEASE.jar:]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.1.2.RELEASE.jar:]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.1.2.RELEASE.jar:]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-3.1.2.RELEASE.jar:]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) [spring-web-3.1.2.RELEASE.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:139) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]
	at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event(CatalinaContext.java:285)
	at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invoke(CatalinaContext.java:261)
	at org.jboss.as.web.NamingValve.invoke(NamingValve.java:57) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:154) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
	at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:504) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
	at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:442) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
	at java.lang.Thread.run(Unknown Source) [:1.7.0_09]
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Could not decode artifact response message.
	at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:123) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
	at org.opensaml.saml2.binding.decoding.HTTPArtifactDecoderImpl.doDecode(HTTPArtifactDecoderImpl.java:94) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
	at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) [openws-1.4.4.jar:]
	at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) [opensaml-2.5.3.jar:]
	at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
	at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
	at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
	... 29 more
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Could not find any artifact resolution services in metadata.
	at org.springframework.security.saml.util.SAMLUtil.getArtifactResolutionService(SAMLUtil.java:182) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
	at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:82) [spring-security-saml2-core-1.0.0-RC2-SNAPSHOT.jar:]
	... 35 more

What am I missing? Do these need to be added to the keymanager? Do I even need to specify the tlsKey? If so, should this be the IDP's signing key, or the cert obtained by pointing to the ADFS server using sslextractor?

[vsch]

Hi,

This doesn't seem to have anything to do with trust, but rather with bindings enabled by your IDP. The exception says: Could not find any artifact resolution services in metadata. Please verify whether your IDP metadata contains a line similar to:

Code:

<ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/ArtifactResolver/metaAlias/ssocircle"/>

The chances are there's none. In that case you can either configure ADFS to include Artifact binding and update the metadata, or you can use WebSSOProfileOptions and request IDP to use another binding, e.g. HTTP-POST.

Cheers,
Vladi

[guydog]

Vladi,

Thanks much for the answer. ADFS was recently configured for the Artifact Resolution, but the metadata was not updated. Also, thanks for your documentation on setting up ADFS.