I have used spring-security-saml2 plugin to establish sso between tomcat web application and ADFS server. I am trying to achieve the same in a web application deployed in IBM Websphere Application Server 7.
I created a custom keystore in IBM WAS and used that to enable SSL on WAS. The personal certificate of keystore is used in application securityContext.xml to sign the metadata and the signer certificate in imported in ADFS server. The ADFS server certificate is imported as signer certificate into WAS keystore. I am able to send authentication request to ADFS server and also able to view the response in logs. But getting following error in decoding on the screen.
Error 401: Authentication Failed: Error decoding incoming SAML message
And in logs:
29-09-2015 15:06:25,722 DEBUG org.opensaml.ws.message.decoder.BaseMessageDecoder:85 - Successfully decoded message.
29-09-2015 15:06:25,722 DEBUG org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:191 - Checking SAML message intended destination endpoint against receiver endpoint
29-09-2015 15:06:25,722 DEBUG org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:203 - SAML message intended destination endpoint in message was empty, not required by binding, skipping
29-09-2015 15:06:25,723 DEBUG org.springframework.security.saml.websso.WebSSOProfileImpl:109 - No inbound message in artifact response message.
29-09-2015 15:06:25,724 DEBUG org.springframework.security.saml.websso.WebSSOProfileImpl:122 - Could not decode artifact response message.
org.opensaml.ws.message.decoder.MessageDecodingException: No inbound message in artifact response message.
at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:110)
at org.opensaml.saml2.binding.decoding.HTTPArtifactDecoderImpl.doDecode(HTTPArtifactDecoderImpl.java:94)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:125)
In ADFS server logs following error is coming.
The artifact resolution request failed.
Additional Data
Exception message:
MSIS3015: The signing certificate of the claims provider trust '+++++++++++++++++++++' identified by thumbprint '#################' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
Can somebody help me in resolving the issue.
I used Websphere SAML TAI to establish SSO with ADFS. Some links I did refer are developerworks and techblog