Oct 12th, 2011, 08:48 AM
Getting error Signature trust establishment failed for metadata entry
I'm trying to integrate with a SAML IdP and I'm using the Spring SAML extension. I can get the sample to work fine when the IdP is not signing the metadata file, but when it is signed it fails validation with the following error:
Signature trust establishment failed for metadata entry
Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:311)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.processEntityDescriptor(SignatureValidationFilter.java:176)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.doFilter(SignatureValidationFilter.java:154)
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.filterMetadata(AbstractMetadataProvider.java:482)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(AbstractReloadingMetadataProvider.java:3
I'm struggling to work out what the problem is and could do with some pointers as there is not much documentation.
To give a bit of background:
- I've generated the SP metadata from the application, then fed this into our Ping Server (an application that provides federated SSO) to configure the Service Provider.
- The admin team have then generated IdP metadata signed for this Service Provider, and I've configured this in the application.
I can't see how the metadata filter is configured and I'm not sure what's missing.
Jan 30th, 2013, 12:11 PM
Did you ever get signed metadata working? I'm implementing this and am having the same problem...
thanks in advance,
Jan 31st, 2013, 02:25 AM
By default the SAML Extension tries to verify trust of the signature in metadata with PKIX, using all keys found in the configured keystore (bean keyManager, default file security/samlKeystore.jks). So the first thing to do is import the public certificate of the metadata signature (or of its CA plus any intermediate CAs) into the keystore. This should make the verification pass unless the certificate is, e.g., expired.
You can also disable trust checking of the signature by setting the property metadataTrustCheck to false on the ExtendedMetadataDelegate bean which includes your IDP metadata. Also, the signature of the metadata can be manually removed, which will make the system stop complaining.
Hope this helps,
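The two settings the reply describes, shown as an added Spring bean definition that is not part of the original thread or of the SAML Extension's own sample code. The bean names keyManager and parserPool, the keystore alias idp-metadata-signer, and the file paths are assumptions made for the example; the IdP signing certificate is imported into the same keystore the keyManager bean points at, so the PKIX check the extension runs by default can find it.

```xml
<!--
  Prerequisite (run once): import the certificate that signed the IdP metadata
  into the keystore referenced by the keyManager bean. Alias and paths are
  assumed for this example.

    keytool -importcert -alias idp-metadata-signer \
            -file idp-metadata-signing.crt \
            -keystore src/main/resources/security/samlKeystore.jks

  If the IdP signs with a certificate issued by a CA, import the CA and any
  intermediate certificates instead, so the PKIX chain can be built.
-->
<bean id="idpMetadata"
      class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <!-- Signed IdP metadata file produced by the IdP admin team (path assumed) -->
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
                <value type="java.io.File">classpath:security/idp-metadata.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
    </constructor-arg>

    <!--
      Recommended setting: keep the signature trust check on (this is the
      default) and let it succeed because the signer's certificate is now in
      security/samlKeystore.jks. Any tampered or re-signed metadata file will
      be rejected with "Signature trust establishment failed for metadata entry".
    -->
    <property name="metadataTrustCheck" value="true"/>

    <!--
      Weaker alternative mentioned in the reply: accept the metadata without
      verifying who signed it. The error disappears, but the application will
      then trust whatever file is placed at the metadata path.

    <property name="metadataTrustCheck" value="false"/>
    -->
</bean>
```

With metadataTrustCheck left at true, a quick way to confirm the keystore side is correct is to list the keystore (keytool -list -keystore security/samlKeystore.jks) and check that the signer's alias is present and that its certificate has not expired, since an expired certificate fails the PKIX check exactly as a missing one does.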
Feb 4th, 2013, 11:33 AM
Thank-you Vladimir! This helped me get past the signed metadata problem.