I am trying to integrate the IDP implemented by James Cox with the Spring Security SAML extension. The project can be found here: http://spring-saml.svn.sourceforge.net/
I have changed the code so that the IDP reads the public key from a keystore (I have imported the IDP certificate into the SP keystore and vice versa).
The AuthnRequest is sent from the Spring SP, and its signature is properly validated on James's IDP. But the problem arises when the IDP sends a Response to the SP: the SP cannot validate the message signature.
Anyone have a clue?
Also to note:
While executing the following method, validate always returns false, because there are no credentials!
org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator.validate(Credential, Iterable<Credential>)
Code:
public boolean validate(Credential untrustedCredential, Iterable<Credential> trustedCredentials) {
    // Returns true as soon as one trusted credential matches the untrusted one;
    // an empty trustedCredentials iterable falls straight through to false.
    for (Credential trustedCredential : trustedCredentials) {
        if (validate(untrustedCredential, trustedCredential)) {
            return true;
        }
    }
    return false;
}
Below is the stack trace:
Code:
2013-02-22 22:04:45,722 DEBUG: org.opensaml.xml.security.SigningUtil - Verifying signature over input using public key of type RSA and JCA algorithm ID SHA1withRSA
2013-02-22 22:04:46,486 DEBUG: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Successfully verified signature using supplied candidate credential
2013-02-22 22:04:47,022 DEBUG: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Attempting to establish trust of supplied candidate credential
2013-02-22 22:04:59,082 DEBUG: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Failed to establish trust of supplied candidate credential
2013-02-22 22:05:20,340 DEBUG: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Attempting to verify signature using trusted credentials
2013-02-22 22:05:25,212 DEBUG: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Failed to verify signature using either supplied candidate credential or directly trusted credentials
2013-02-22 22:05:40,829 WARN : org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule - Signature validation using request-derived credentials failed
Feb 22, 2013 10:05:45 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [default] in context with path [/spring-security-saml2-sample] threw exception
org.opensaml.common.SAMLRuntimeException: Incoming SAML message is invalid
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:93)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:184)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:155)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:184)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:155)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of request simple signature failed for context issuer
    at org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule.doEvaluate(BaseSAMLSimpleSignatureSecurityPolicyRule.java:139)
    at org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule.evaluate(BaseSAMLSimpleSignatureSecurityPolicyRule.java:103)
    at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
    at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
    ... 29 more
2013-02-22 22:05:45,058 WARN : org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule - Validation of request simple signature failed for context issuer: idp
2013-02-22 22:05:45,058 DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2013-02-22 22:05:45,058 DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed


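An added stand-alone diagnostic for the "validate always returns false" symptom described above; it is not code from the question, from the Spring SAML sample or from James Cox's IDP. It resolves the trusted credentials for the issuer from the SP keystore with OpenSAML 2's KeyStoreCredentialResolver, which uses the entity ID as the keystore alias, and feeds them to ExplicitKeyTrustEvaluator, so an empty trusted set (the only way the loop in validate() can return false without a comparison) is reported explicitly. It assumes trusted keys are resolved from the keystore by alias (the Spring SAML sample may be wired to resolve IDP keys from metadata instead); the class name, keystore path and password are placeholders, and the issuer "idp" is the one reported in the log.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.KeyStoreCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator;

// Added diagnostic (hypothetical class name); uses the OpenSAML 2.x API seen in the stack trace.
public class TrustedCredentialCheck {

    // Resolves exactly what ExplicitKeyTrustEvaluator.validate() iterates over when trusted keys
    // come from a keystore. KeyStoreCredentialResolver treats the EntityIDCriteria value as the
    // keystore alias, so the IDP certificate must be imported under an alias equal to the issuer
    // entity ID; otherwise this list is empty and validate() returns false without any comparison.
    public static List<Credential> trustedCredentialsFor(KeyStore spKeyStore, String issuer) throws Exception {
        // Trusted-certificate entries need no key password; only private-key entries would.
        KeyStoreCredentialResolver resolver =
                new KeyStoreCredentialResolver(spKeyStore, Collections.<String, String>emptyMap());
        CriteriaSet criteria = new CriteriaSet(new EntityIDCriteria(issuer));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        List<Credential> trusted = new ArrayList<Credential>();
        for (Credential c : resolver.resolve(criteria)) {
            trusted.add(c);
        }
        return trusted;
    }

    // The decision the trust engine makes: is the key that verified the Response a trusted one?
    public static boolean isTrusted(KeyStore spKeyStore, String issuer, Credential candidate) throws Exception {
        List<Credential> trusted = trustedCredentialsFor(spKeyStore, issuer);
        if (trusted.isEmpty()) {
            System.err.println("No trusted credential for issuer '" + issuer + "': no keystore alias matches it");
            return false;
        }
        return new ExplicitKeyTrustEvaluator().validate(candidate, trusted);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder keystore path and password; "idp" is the issuer from the WARN log line.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream("/path/to/sp-keystore.jks"), "changeit".toCharArray());
        System.out.println("Aliases in keystore: " + Collections.list(ks.aliases()));
        System.out.println("Trusted signing credentials for 'idp': " + trustedCredentialsFor(ks, "idp").size());
    }
}
```

If the alias list contains the IDP certificate but the trusted count for the issuer is 0, the alias and the issuer entity ID differ, which is the condition under which the loop in validate() never executes.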