I am using the SAML Spring Sample with a company's ADFS idp. The produced metadata works against SSOCircle but it does not with ADFS, the error message I get is the following:
Attempting to verify signature using trusted credentials
Attempting to validate signature using key from supplied credential
Creating XMLSignature object
Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
Signature verification failed.
Signature did not validate against the credential's key
Signature validation using candidate validation credential failed
rg.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
My security metadata configuration is:
<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/whatever_sp.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg ref="extendedMetadataSP" />
<property name="metadataTrustCheck" value="false"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/ADFSfederationMetadata.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg ref="extendedMetadataIDP" />
<property name="metadataTrustCheck" value="false"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/ssoCircleIdp.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg ref="extendedMetadataIDP" />
<property name="metadataTrustCheck" value="false"/>
</bean>
</list>
</constructor-arg>
</bean>
</bean>
<!-- Extended metadata properties -->
<bean id="extendedMetadataSP" class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true"/>
<property name="securityProfile" value="metaiop"/>
<property name="sslSecurityProfile" value="pkix"/>
<property name="signingKey" value="apollo"/>
<property name="encryptionKey" value="apollo"/>
<property name="signMetadata" value="false" />
<property name="signingAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
</bean>
The SAML response I get back from ADFS is the following:
<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://localhost:8443/s
pring-security-saml2-sample/saml/SSO" ID="_58365a14-2ed8-4d68-8e8e-fe72618c82d9" InResponseTo="afj64ji85gba3991249die24d5eiii" IssueInstant="2016-07-28T11:00:18.094Z" Version="2.0">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">[MYIDP]</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_58365a14-2ed8-4d68-8e8e-fe72618c82d9">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>eUzL1nPviOFVEi6A/XcplZJR3gBpg/gXWdtK/37iNCk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>P+O4GMaYLrBnB/QkqTWI/b1ju3OShaJXPgMUWlTUdxGfcXLCBukmBO+pUH3V5F71f6G0qcYihGkXisVnk+kYrJ+ieGSAl4CgLok32OXVrafEAD9NVGCideabiJSr7MHBc1bWmlWBMJxPeYBDcH5e1+b/4uFwG3HBs6AHiDObVWZ97mQ
5ZnqwuS2m9zfunVKtAJOS1l3JkhXIBqU3OGD9fAriIMFxc+RygAZxbIq4pvXqSD4mP7aB6UlWE7jdcr5R+CmxmDWBEcQgjCSiAWUGQoEOC4EXkRXWc//3TEOjD19mMn4nepJA3Ko6jJfObS0peXfQKKhz3ink0lEbm1qCgA==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIF1DCCBLygAwIBAgIQbhhm1o92bv+YAd21fED0rDANBgkqhkiG9w0BAQsFADB6MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVkExEDAOBgNVBAcTB0hlcm5kb24xITAfBgNVBAoTGE5ldHdvcmsgU29sdXRpb25zIEwuTC5D
LjEpMCcGA1UEAxMgTmV0d29yayBTb2x1dGlvbnMgT1YgU2VydmVyIENBIDIwHhcNMTQxMDI5MDAwMDAwWhcNMTgwMTAzMjM1OTU5WjCB8DELMAkGA1UEBhMCR0IxETAPBgNVBBETCEJTMzcgNUhaMQ0wCwYDVQQIEwRBdm9uMRAwDgYDVQQHEwdCcmlzdG9sMQ0wCwYD
VQQJEwRZYXRlMRUwEwYDVQQJEwxTdGF0aW9uIFJvYWQxHzAdBgNVBAkTFlVuaXQgMSBCYWRtaW50b24gQ291cnQxGzAZBgNVBAoTEkFQQUsgR3JvdXAgTGltaXRlZDELMAkGA1UECxMCSVQxITAfBgNVBAsTGFNlY3VyZSBMaW5rIFNTTCBXaWxkY2FyZDEZMBcGA1UE
AxQQKi5zd29yZC1hcGFrLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANlGeYyoUeZj2QwtmjfpZzZy0IRZLK4aBeaQw4uwevLyJMOBaPTFWXj6aEDmr9kEcKiSUhcbSFSltvS/e88Vh5ZxrL2X75g5kUzgCAw9lY6aTYEAEpFm7pix47YIgJsPf1VM
wtVbw4MBrDnVYoC/kuXZ7okeglYPnv4TtmSRSq5MF2+HRs/Fhv8JtDl0bt/Tz9//vyi48S7KAeaPSqvVxZ7qyHov7FLCRspjGY9JuuI/uEGv2+ohaDYmnhyLFeaSfHPotg0gWTAowblUSigtk/6CAH2lUfKopPGvAE/egR79vPofaNxHooaZuxnPQ6ylW3dwcDK67Ve1
BS1QvLO3nXkCAwEAAaOCAd0wggHZMB8GA1UdIwQYMBaAFCAzzbdh9qWGT9zJ13NqvApRZZjsMB0GA1UdDgQWBBTTLIw41beIX7xgjN5kHorN+6Ib2jAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYD
VR0gBG4wbDBgBgwrBgEEAYYOAQIBAwEwUDBOBggrBgEFBQcCARZCaHR0cDovL3d3dy5uZXR3b3Jrc29sdXRpb25zLmNvbS9sZWdhbC9TU0wtbGVnYWwtcmVwb3NpdG9yeS1jcHMuanNwMAgGBmeBDAECAjBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLm5ldHNv
bHNzbC5jb20vTmV0d29ya1NvbHV0aW9uc09WU2VydmVyQ0EyLmNybDB7BggrBgEFBQcBAQRvMG0wRAYIKwYBBQUHMAKGOGh0dHA6Ly9jcnQubmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zT1ZTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2Nz
cC5uZXRzb2xzc2wuY29tMBsGA1UdEQQUMBKCECouc3dvcmQtYXBhay5jb20wDQYJKoZIhvcNAQELBQADggEBADXCuYBzSLijLp8gQjkHl2NGb7VahaJTV4jD/pM0CV+6ERk5o7W6ufFH+ok7vONlukdQxT67GzEFnl7S+WgTxOTbYBQs4xMRsnY7G44yBLEtTjlw5UlN
kKPJXNnfFhrAy260sV5cqtP+hclNZ3TLTadwYVqdvv9D53aWP2gjZVE4RpUhI1DM0z9zk7FP7PyYsuhkILSwMst/YoPBOgs6C7/3nuMTh4IqCcYowSgcNdBiY8Vm+M5X6v/PqkPBvVPvE8s8xxrIfFIyNT4VdvKz1UGuT+yeI+4N3oeou3mCD0ENstzjxkRgPGOQbm45
2rlKIhki4ep90winKO4EectPUCM=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
</samlp:Status>
</samlp:Response>
My SP metadata is:
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="[blah]" entityID="[blah]"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDZTCCAk2gAwIBAgIESm9pPTANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJVSzEQMA4GA1UE
CBMHQnJpc3RvbDENMAsGA1UEBxMEWWF0ZTEOMAwGA1UEChMFU3dvcmQxDTALBgNVBAsTBEFwYWsx
EzARBgNVBAMTCkZpcnN0IExhc3QwIBcNMTYwMTE0MTUzMjE4WhgPMjI4OTEwMjgxNTMyMThaMGIx
CzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMQ0wCwYDVQQHEwRZYXRlMQ4wDAYDVQQKEwVT
d29yZDENMAsGA1UECxMEQXBhazETMBEGA1UEAxMKRmlyc3QgTGFzdDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKyy2k8uLwA2sLMDV7AbqNzq8vh3n+FwxQiBFnly8EY1TbBmFa6I2u0L
1scYeGh/DudAWhj4nqhY2r44Q4GdmKvxGGFMKlrxDbzL3sfWW+OepwU25vd+wUk1OKxoYuK0cNmK
u3HkMgbXjTf4zLTuHSVuGXBh2p1cONTJVQYXzo8JqNSWRe5cmbqeESmzxsfctvv1/nfo5CHOuI6A
ol5R818d86SSGD1VADDmsSLTnw1GxTlzsp2637/0AIp119qamdBlmV6rl4MLcornWGnMDtHeN0iK
Q1x5Y9z9wVxr2Mz+PWUQP7qzlpr3mFwIRiFjCKpkHjfVOEHu+lRncaaPqhsCAwEAAaMhMB8wHQYD
VR0OBBYEFPe7nLb+sAec0J4f9cFj1Z3Q+zqvMA0GCSqGSIb3DQEBCwUAA4IBAQB28cgzoItNYtNp
LxvcRi/Y6aSkY/U+3uxke5GiEqMdsA7k+tn1ut7AcmmJnWQee7UjJJECwSxLHm2NIi9oukYtJi5R
lLjMMxWapREVg65HFZtH3HobkppOInQPxPxxKX1f0IdbAXthO5e8pYdTNVCRtLAXU0djPJFIwmhS
YgD2iyfHOOCX6BxjXiE9aYsykUH+S8PyFoIic9bbPziufTNW+Sa01kPzN6RYe4SukOXfvVlmR0eU
vvlyq9mAnAYVqbWUmYQkn+gokAxE/Uj4sACx75uzPx29VyiehQfkw5GgCDQMV6iXzRgLZThFp9+w
mYOs8uZDgNIFC/gFI6JeVdvh</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDZTCCAk2gAwIBAgIESm9pPTANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJVSzEQMA4GA1UE
CBMHQnJpc3RvbDENMAsGA1UEBxMEWWF0ZTEOMAwGA1UEChMFU3dvcmQxDTALBgNVBAsTBEFwYWsx
EzARBgNVBAMTCkZpcnN0IExhc3QwIBcNMTYwMTE0MTUzMjE4WhgPMjI4OTEwMjgxNTMyMThaMGIx
CzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMQ0wCwYDVQQHEwRZYXRlMQ4wDAYDVQQKEwVT
d29yZDENMAsGA1UECxMEQXBhazETMBEGA1UEAxMKRmlyc3QgTGFzdDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKyy2k8uLwA2sLMDV7AbqNzq8vh3n+FwxQiBFnly8EY1TbBmFa6I2u0L
1scYeGh/DudAWhj4nqhY2r44Q4GdmKvxGGFMKlrxDbzL3sfWW+OepwU25vd+wUk1OKxoYuK0cNmK
u3HkMgbXjTf4zLTuHSVuGXBh2p1cONTJVQYXzo8JqNSWRe5cmbqeESmzxsfctvv1/nfo5CHOuI6A
ol5R818d86SSGD1VADDmsSLTnw1GxTlzsp2637/0AIp119qamdBlmV6rl4MLcornWGnMDtHeN0iK
Q1x5Y9z9wVxr2Mz+PWUQP7qzlpr3mFwIRiFjCKpkHjfVOEHu+lRncaaPqhsCAwEAAaMhMB8wHQYD
VR0OBBYEFPe7nLb+sAec0J4f9cFj1Z3Q+zqvMA0GCSqGSIb3DQEBCwUAA4IBAQB28cgzoItNYtNp
LxvcRi/Y6aSkY/U+3uxke5GiEqMdsA7k+tn1ut7AcmmJnWQee7UjJJECwSxLHm2NIi9oukYtJi5R
lLjMMxWapREVg65HFZtH3HobkppOInQPxPxxKX1f0IdbAXthO5e8pYdTNVCRtLAXU0djPJFIwmhS
YgD2iyfHOOCX6BxjXiE9aYsykUH+S8PyFoIic9bbPziufTNW+Sa01kPzN6RYe4SukOXfvVlmR0eU
vvlyq9mAnAYVqbWUmYQkn+gokAxE/Uj4sACx75uzPx29VyiehQfkw5GgCDQMV6iXzRgLZThFp9+w
mYOs8uZDgNIFC/gFI6JeVdvh</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/spring-security-saml2-sample/saml/SingleLogout"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/spring-security-saml2-sample/saml/SingleLogout"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/spring-security-saml2-sample/saml/SSO" index="0" isDefault="true"/><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/spring-security-saml2-sample/saml/SSO" index="1"/></md:SPSSODescriptor></md:EntityDescriptor>
Please notice I haven't modified the samlKeystore.jks. I am not sure what I am doing wrong, can someone explain me please?
As I mentioned earlier the same SP uploaded to SSOCircle works just fine. In ADFS instead I get the signature problem.
ADFS requires sha256, in fact I have also tried to implement the SAMLBootstrap with a CustomSAMLBootstrap setting the algorithm there, still no luck. I am really stuck and clueless, please help!
ADFS requires sha256
I have a Spring SAML implementation that's currently integrated with 3 ADFS instances and each Relying Party Trust is set to use SHA-1 instead of SHA-256. Is it a requirement of yours to use SHA-256?
Please notice I haven't modified the samlKeystore.jks
Is your ADFS instance using a self signed certificate? If so, you will need to import the public .cer file into your JKS for SAML to work. I found this video very helpful for learning how to navigate Windows go get and import certificates.
Also, if you're using the JKS that came with the project, you're using a self signed certificate in your SAML implementation. You will need to export the certificate like so:
--export cert for import into adfs
keytool -export -keystore samlKeystore.jks -alias youralias -file youralias.cer
And import it into ADFS.