Mar 1st, 2013, 12:30 PM
#1
Signature did not validate against the credential's key
I have the sample application working with SSO Circle and am trying to get it working with AD FS 2.0. For now I am using the sample keystore, samlKeystore.jks. On AD FS, I created a self-signed certificate. AD FS shows 3 certificates for Service communications, token-decrypting and token-signing. I imported the Service communications certificate into samlKeystore.jks.
AD FS receives the AuthNRequest ok. I login and receive "Validation of protocol message signature failed". The application's INFO log shows:
SAML protocol message was not signed, skipping XML signature processing
Signature verification failed.
A DEBUG log shows:
Signature validated with key from supplied credential
Signature validation using candidate credential was successful
Successfully verified signature using KeyInfo-derived credential
Attempting to establish trust of KeyInfo-derived credential
Failed to validate untrusted credential against trusted key
Failed to establish trust of KeyInfo-derived credential
Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
Attempting to verify signature using trusted credentials
Attempting to validate signature using key from supplied credential
Creating XMLSignature object
Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
SignatureMethodURI = http://www.w3.org/2000/09/xmldsig#rsa-sha1
jceSigAlgorithm = SHA1withRSA
jceSigProvider = SunRsaSign
PublicKey = Sun RSA public key, 2048 bits
modulus: ...
public exponent: 65537
Canonicalized SignedInfo:...
Signature verification failed.
Signature did not validate against the credential's key
Signature validation using candidate validation credential failed
Failed to verify signature using either KeyInfo-derived or directly trusted credentials
I tried importing the AD FS signing certificate into the keystore and changing the signingKey in SP metadata from apollo to the alias I used when importing the signing certificate. That fails earlier.
Some questions are:
Is it ok to use a self-signed certificate on the AD FS server?
What should I import to samlKeystore.jks?
Any insights into this problem are MUCH appreciated.
Mark
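The DEBUG log above shows a two-stage check: the signature verifies against the key embedded in the message's KeyInfo, but that key then fails to match anything trusted, and verifying directly with the trusted key fails too, because the keystore holds the service-communications certificate rather than the token-signing one. The following Go program is an added example modelling that behaviour (it is not Spring Security SAML or OpenSAML code); the keys and the signed bytes are constructed, and `mustKey`, `verifyAndTrust` and `Scenario` are names chosen for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
)

// mustKey generates a constructed 2048-bit RSA key, the size seen in the log.
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// verifyAndTrust mirrors the two phases in the DEBUG log: the signature is
// checked with the key carried in the message's KeyInfo, which must then match
// a trusted keystore entry; failing that, the trusted key itself is tried.
// Returns (signature cryptographically valid, trust established).
func verifyAndTrust(signedInfo, sig []byte, keyInfo, trusted *rsa.PublicKey) (bool, bool) {
	h := sha1.Sum(signedInfo)
	valid := rsa.VerifyPKCS1v15(keyInfo, crypto.SHA1, h[:], sig) == nil
	if valid && keyInfo.Equal(trusted) {
		return true, true // KeyInfo-derived credential verified and is trusted
	}
	// "Attempting to verify signature using trusted credentials"
	if rsa.VerifyPKCS1v15(trusted, crypto.SHA1, h[:], sig) == nil {
		return true, true
	}
	return valid, false // valid but untrusted, or "did not validate against the credential's key"
}

// Scenario reproduces the thread's setup with constructed keys: AD FS signs with
// its token-signing key, while the SP keystore holds either that key or, as in
// the first post, the service-communications key.
func Scenario(importSigningCert bool) (valid, trusted bool) {
	signing, serviceComms := mustKey(), mustKey()
	signedInfo := []byte("<ds:SignedInfo>constructed canonicalized bytes</ds:SignedInfo>")
	h := sha1.Sum(signedInfo)
	sig, err := rsa.SignPKCS1v15(rand.Reader, signing, crypto.SHA1, h[:]) // rsa-sha1, as logged
	if err != nil {
		panic(err)
	}
	keystore := &serviceComms.PublicKey // what was imported first in the thread
	if importSigningCert {
		keystore = &signing.PublicKey
	}
	return verifyAndTrust(signedInfo, sig, &signing.PublicKey, keystore)
}
```

`Scenario(false)` returns valid but untrusted, which is the state the log describes; only the IdP's token-signing certificate (as published in its metadata) makes the trust check pass.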
Mar 1st, 2013, 07:15 PM
#2
I no longer have the above problem. I installed a real certificate and re-downloaded IDP metadata. The debug log now shows:
SAML message intended destination endpoint matched recipient endpoint
Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
Received response has invalid status code
Marshalling message
Marshalling message
AuthNResponse;FAILURE;...
Mark
Mar 2nd, 2013, 02:41 AM
#3
Hi Mark,
The SAML Extension manual contains a step-by-step guide on how to setup federation with ADFS in chapter 6.1. It might contain some step which was omitted in your setup. As the ADFS is replying with a non-success status code there should be some reason for it logged on the ADFS side, you should check its logs.
Vladimír Schäfer
Mar 2nd, 2013, 07:56 PM
#4
Thanks Vladimir, it is working now with AD FS. One thing I had to do was replace the JCE policy files as described in http://blog.rampartfaq.com/2009/08/f...exception.html. Thanks for a great product, great packaging and great code that helps resolve problems.
Mark
Mar 3rd, 2013, 06:00 AM
#5
I'm glad you got it working. The mention of updating the cryptography settings will get included in the manual.
Vladi