I am trying to implement a SAML Request Assertion Consumer Service (RACS) with Apache CXF 2.7.7.
Unfortunately the response of my Identity Provider does not include a keyInfo (which is defined optional in the SAML specification).
This leads to an exception when processing the response, because CXF tries to load a DOM for the keyInfo.
java.lang.NullPointerException
at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
I have a valid keystore.properties file as well as the certificate on my RACS site, but this does not change the behaviour. Is this a bug in CXF or did I miss something to set up for my RACS?
After discussing this problem on the CXF mailing list, we found out that it is a bug in the CXF framework. A new issue was created here
Sending the KeyInfo in a SAML Request is optional (see Specification Section 5.4.5).
Currently there is no easy workaround available.
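To illustrate why a missing KeyInfo need not prevent verification, the following added example (not from the original post and not CXF or WSS4J code) signs an assertion without a ds:KeyInfo and validates it against a locally configured public key using the JDK's own `javax.xml.crypto.dsig` API. The key pair, the assertion ID and the class name are constructed for the example; in a real deployment the public key would come from the IdP certificate in the local keystore.

```java
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class NoKeyInfoValidation {
    static final String DS = XMLSignature.XMLNS;

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the IdP key pair (assumption for this example).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idp = kpg.generateKeyPair();

        // Constructed minimal assertion with a registered ID attribute.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element assertion = doc.createElementNS(
            "urn:oasis:names:tc:SAML:2.0:assertion", "saml:Assertion");
        assertion.setAttribute("ID", "_constructed1");
        assertion.setIdAttribute("ID", true);
        doc.appendChild(assertion);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#_constructed1",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        // Second argument null: the signature is emitted without ds:KeyInfo.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(idp.getPrivate(), assertion));

        Element sig = (Element) doc.getElementsByTagNameNS(DS, "Signature").item(0);
        boolean hasKeyInfo = sig.getElementsByTagNameNS(DS, "KeyInfo").getLength() > 0;

        // The verification key comes from local configuration, never from the message.
        DOMValidateContext ctx = new DOMValidateContext(
            KeySelector.singletonKeySelector(idp.getPublic()), sig);
        boolean valid = fac.unmarshalXMLSignature(ctx).validate(ctx);
        System.out.println("KeyInfo present: " + hasKeyInfo + ", signature valid: " + valid);
    }
}
```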