
Thread: SAML Sample code and ssoCircle metadata import

  1. #1

    I am trying to get the spring-security-saml2-sample.war working and am following the instructions in the docbkx\manual.xml. I am at this point:

    <para>Copy content of the Metadata textarea to your clipboard.</para>
    <para>Register yourself at www.ssocircle.com</para>
    <para>TODO import metadata</para>

    Now, I copy the contents of the metadata text area and at SSOCircle, I log in, select Manage Metadata, and then enter my FQDN of localhost (I do not have a FQDN reachable from the internet) and then post the metadata information in the appropriate textbox and submit it. I get an error back saying:

    Your data could not be imported

    Reason:

    Certificate found in Signature or KeyDescriptor under element "EntityDescriptor" is not trusted.


    Am I missing a step somewhere? Do I need to upload a certificate used in the signature to SSOCircle using the "My Certificate Enrollment" option in SSOCircle?

    I tried using the manual enrollment page and creating a PKCS#10 Certificate Signing Request using the apollo alias in the sample jks, but it didn't like it. It said that "The Subject of the Certificate Signing Request is not valid. It must look like CN=<your ssocircle username>,E=<your username>@ssocircle.com,O=ssocircle,C=DE". I could not see how to create this using the keytool (no option for the E).

    What am I not understanding? Is there some documentation somewhere that I am missing that I could use to better understand the process?

  2. #2

    I think I may be looking at the wrong thing in looking at the "My Certificate Enrollment" in SSOCircle. It is my understanding that it will get you a certificate signed by them. I'm not sure that would help in getting the sample code working as is.

    How do I get SSOCircle to trust the certificate in the metadata? I'm assuming it is because it is self-signed.

  3. #3

    And I'm still confused by the requirement of an E in the subject of the PKCS#10 because that does not appear anywhere in the standard, that I can find. Nor will keytool or openssl let me add it.

  4. #4

    You might remove the signature in the metadata. This will help you to go forward.
    The E attribute is used for email addresses.

  5. #5

    Thank you! That did correct the problem.

    For anyone else facing this problem, when you generate the Metadata, set the Sign metadata option to No before generating.

    As for the E attribute being used for email addresses, what would you use to generate the PKCS#10 request? Neither keytool nor openssl appears to support it. Openssl did allow for an email address, but it didn't use the E attribute.

  6. #6

    Although not signing the metadata did get me past that problem, I immediately ran into another problem that I have been unable to solve. I follow all the instructions of sending the metadata to SSOCircle and see it listed in the Service Provider Metadata list, store the metadata in mysystemname_sp.xml, and modify bean "metadata" in my securityContext.xml to include the content from the generated configuration.

    I restart Tomcat, select "http://idp.ssocircle.com" on the IDP Selection page, click Login, and get:
    Error occured

    Reason: The SAML Request is invalid.


    There is no other error that I can find. I have tried using SSOCircle's SAML decoder, but all I get from it is, "Not able to decode". Not very helpful, either.

    Turning on Java logging helped by showing what it is sending, but I am still not sure what is missing. This is the request:

    <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://dcw00160548w7.ad.mydomain.com:8080/spring-security-saml2-sample/saml/SSO/alias/defaultAlias" Destination="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle" ForceAuthn="false" ID="a1f1ie5gif5cca4g3bb77c328h9fa7g" IsPassive="false" IssueInstant="2012-11-06T21:00:14.632Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://dcw00160548w7.ad.mydomain.com:8080/spring-security-saml2-sample/saml/metadata/alias/defaultAlias</saml2:Issuer>
    </saml2p:AuthnRequest>


    Does anyone have any ideas on what it doesn't like now?
    Last edited by minton; Nov 13th, 2012 at 03:20 PM. Reason: Disabling smilies

  7. #7

    Quote Originally Posted by minton View Post
    Reason: The SAML Request is invalid.
    I'm getting this same error message, did you ever find a solution for this?

  8. #8

    SSOCircle has trouble with the IDP Discovery extension, which is included by default in auto-generated metadata.

    You can either update to the current trunk, where auto-generated metadata no longer includes the discovery extension by default, or add the property includeDiscovery=false to the MetadataGenerator class in your securityContext.

    Current trunk also contains the next iteration of the manual, which has the quick-start-guide TODOs filled in.
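As an added example (not from this thread or from the Spring SAML project), a small Python check that reads generated SP metadata before it is uploaded to SSOCircle and reports the two things the fixes in this thread remove: an enveloped signature (post #5) and the IDP Discovery extension (post #8). The metadata string is constructed and the host sp.example.test is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}

# Constructed sample resembling metadata generated with signing and discovery both on.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.test:8080/spring-security-saml2-sample/saml/metadata/alias/defaultAlias">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
        Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
        Location="http://sp.example.test:8080/spring-security-saml2-sample/saml/discovery/alias/defaultAlias"
        index="0"/>
    </md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_sp_metadata(xml_text):
    """Summarise the features of SP metadata that an IdP may refuse to import."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor in metadata")
    return {
        "entity_id": root.get("entityID"),
        # An enveloped signature means the IdP must already trust the signing certificate.
        "signed": root.find("ds:Signature", NS) is not None,
        "discovery_locations": [d.get("Location")
                                for d in sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS)],
    }

def import_problems(findings):
    """Map the findings to the two fixes given in this thread."""
    out = []
    if findings["signed"]:
        out.append("metadata is signed: regenerate with 'Sign metadata' = No, or get the cert trusted by the IdP")
    if findings["discovery_locations"]:
        out.append("IDP Discovery extension present: set includeDiscovery=false on MetadataGenerator")
    return out
```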

  9. #9

    Quote Originally Posted by md10024 View Post
    I'm getting this same error message, did you ever find a solution for this?
    I discovered my problem, it was just related to the use of in memory metadata. Once I got the conflicts sorted out everything worked as expected.
