SAML trusted certificate


I'm using opensaml 2.6.1 and spring-security-saml2-core 1.0.1 in some project to enable SSO. I'm using a self signed certificate for encryption and signature.

When my service provider receives the SAML response, I'm getting the following error:

DEBUG [org.opensaml.xml.signature.SignatureValidator] Creating XMLSignature object
DEBUG [org.opensaml.xml.signature.SignatureValidator] Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
DEBUG [org.opensaml.xml.signature.SignatureValidator] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
DEBUG [org.opensaml.xml.signature.SignatureValidator] Signature validated with key from supplied credential
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Signature validation using candidate credential was successful
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Successfully verified signature using KeyInfo-derived credential
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Attempting to establish trust of KeyInfo-derived credential
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to establish trust of KeyInfo-derived credential
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] Attempting to verify signature using trusted credentials
DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] Failed to verify signature using either KeyInfo-derived or directly trusted credentials
DEBUG [org.springframework.security.saml.websso.WebSSOProfileConsumerImpl] Validation of authentication statement in assertion failed, skipping
org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid
    at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:272)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionSignature(WebSSOProfileConsumerImpl.java:419)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:292)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
    at 

What I have understood from the exception message is:

  • the signature verification is successful
  • there is an issue when trusting my certificate

Are my assumptions correct?

I have imported my self signed certificate to my keystore (cacerts store in the JVM) using the following command:

keytool -importcert -trustcacerts  -file "myCcert.crt" -keystore "C:\Program Files\Java\jdk1.8.0_65\jre\lib\security\cacerts" -storepass changeit -alias test

Doesn't this command import my certificate and mark it as trusted by Java?

Another thing: can Java trust a self-signed signature, or must I get a certificate validated by a CA to pass the validation?


Spring SAML doesn't use cacerts for trust verification, but its dedicated keystore (samlKeystore.jks in the sample application). Please read the Spring SAML manual's chapter about certificate management for details.
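As an added illustration of the answer's point (this is not code from the question, the answer, or the Spring SAML project), the configuration below wires Spring Security SAML 1.0.x to its own keystore instead of the JVM's cacerts. The IdP's self-signed certificate is imported into samlKeystore.jks and referenced by alias through ExtendedMetadata.signingKey, which is how Spring SAML's MetadataCredentialResolver picks up a keystore entry as a trusted signing credential for that IdP. The file names, aliases and the password placeholders are assumptions; the sample application's own values are not on this page.

```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

/**
 * Added example: trust for the IdP's self-signed signing certificate comes from
 * Spring SAML's dedicated keystore, not from $JAVA_HOME/jre/lib/security/cacerts.
 *
 * The certificate is imported into that keystore beforehand (alias is a constructed
 * name, not from the page):
 *   keytool -importcert -file idp.crt -keystore samlKeystore.jks -alias idp-signing
 */
@Configuration
public class SamlTrustConfig {

    // Alias of the IdP certificate inside samlKeystore.jks (assumed name).
    private static final String IDP_CERT_ALIAS = "idp-signing";
    // Alias of the SP's own key pair used for signing and decryption (assumed name).
    private static final String SP_KEY_ALIAS = "sp";

    /** Spring SAML's key source: every trusted certificate and private key lives here. */
    @Bean
    public KeyManager keyManager() {
        Map<String, String> keyPasswords = new HashMap<>();
        keyPasswords.put(SP_KEY_ALIAS, "<sp-key-password>");      // placeholder
        return new JKSKeyManager(
                new ClassPathResource("samlKeystore.jks"),          // assumed location
                "<keystore-password>",                               // placeholder
                keyPasswords,
                SP_KEY_ALIAS);
    }

    /** Parser pool required by OpenSAML metadata providers. */
    @Bean(initMethod = "initialize")
    public StaticBasicParserPool parserPool() {
        return new StaticBasicParserPool();
    }

    /**
     * IdP metadata wrapped with ExtendedMetadata. signingKey points at the keystore
     * alias, so the keystore certificate becomes a trusted credential for verifying
     * assertions from this IdP even when the metadata carries no usable KeyDescriptor.
     */
    @Bean
    public ExtendedMetadataDelegate idpMetadata() throws MetadataProviderException, XMLParserException {
        FilesystemMetadataProvider provider =
                new FilesystemMetadataProvider(new File("idp-metadata.xml")); // assumed path
        provider.setParserPool(parserPool());

        ExtendedMetadata extended = new ExtendedMetadata();
        extended.setSigningKey(IDP_CERT_ALIAS);

        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, extended);
        // Controls PKIX verification of the metadata document's own signature only;
        // it has no effect on how assertion signatures are trusted.
        delegate.setMetadataTrustCheck(true);
        return delegate;
    }
}
```

With this in place the ExplicitKeySignatureTrustEngine in the trace above finds the IdP certificate among its trusted credentials, so "Signature validated with key from supplied credential" is followed by a successful trust decision instead of "Failed to establish trust of KeyInfo-derived credential". Importing the certificate into cacerts, as in the question's keytool command, leaves this keystore untouched and therefore changes nothing for Spring SAML.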