SAML Assertion generation using openSAML


SAML Assertion generation using openSAML

Sarris Overbosch
Hi,

For a test case we are implementing a class which creates a signed SAML Assertion; we use the openSAML library to achieve this task. So far everything seems to be fine: the assertion is created and signed. But when we send it to OpenAM (which is the SP), OpenAM complains about an invalid signature. We've also configured a second OpenAM instance to be the IDP, and when we do an IDP-initiated SSO and catch the resulting SAML Assertion generated by the IDP, it looks the same (apart from namespace naming, timestamps and IDs) and the flow works fine. Has someone experienced this problem and knows a solution to it, as I can't find one?

FMSigProvider.verify: Signature verification failed.
libSAML2:04/23/2014 01:17:56:960 PM UTC: Thread[catalina-exec-34,5,main]
ERROR: SAML2Utils.verifyResponse:Assertion is not signed or signature is not valid.
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
SAML2Utils.getSPAdapterClass: get SPAdapter for hostEntity under realm /Realm
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
getAttributeValueFromSSOConfig : realm - /Realm
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
getAttributeValueFromSSOConfig : hostEntityId - hostEntity
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
getAttributeValueFromSSOConfig : entityRole - SPRole
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
getAttributeValueFromSSOConfig : attrName - spAdapter
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
getAllAttributeValueFromSSOConfig : realm - /Realm
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
getAllAttributeValueFromSSOConfig : hostEntityId - hostEntity
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
getAllAttributeValueFromSSOConfig : entityRole - SPRole
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
getAllAttributeValueFromSSOConfig : attrName - spAdapter
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
SAML2MetaCache.getEntityConfig: cacheKey = /Realm//hostEntity, found = true
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: hostEntity
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
getAttributeValueFromSSOConfig: values=com.sun.xml.bind.util.ListImpl@1f
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
SAML2Utils.getSPAdapterClass: get SPAdapter class
libSAML2:04/23/2014 01:17:56:961 PM UTC: Thread[catalina-exec-34,5,main]
ERROR: spAssertionConsumer.jsp: SSO failed.
com.sun.identity.saml2.common.SAML2Exception: The signature on Assertion is not valid.
        at com.sun.identity.saml2.common.SAML2Utils.verifyResponse(SAML2Utils.java:594)


_______________________________________________
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: SAML Assertion generation using openSAML

Paul Figura
Hi Sarris,

What is the signing method you are using to sign the assertion? Do the "<SignedInfo>" elements match between the OpenAM IDP and your custom implementation?

Just to be sure, did you try using the same key from both the OpenAM IDP and your custom IDP? Is it possible that you are signing the assertion with a different key than the one which was imported with the Metadata?

Regards,
Paul Figura
Identity & Access Management Architect

Tel: 514-432-6233
Email: [hidden email]  http://www.indigoconsulting.ca
   

Re: SAML Assertion generation using openSAML

Sarris Overbosch
Hi Paul,

Thanks for spending time and trying to help:

This is from the non-working SAML assertion:
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#2028b5c0-ea96-430a-9957-5917ae7b1319">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>4zrp0sW0/agvH7ZtmCj0F1eKhus=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
This is from the working SAML assertion:
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#s2f1bcfa3c382896359ab489b3b6146d4f331ba3cd">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>pwLe95HROx190SGqXRm1jvRGGqY=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
Further, the certificates are signed using the same keystore as used by the IDP, and comparing the certificate presented in the <ds:KeyInfo> of the SAML assertions is positive: they are both the same...

Br,

Sarris



Re: SAML Assertion generation using openSAML

Paul Figura
Hi again Sarris,

So that rules out any "easy" fixes :)

Well, next step is that I'd make sure that OpenSAML library is indeed signing the correct portions of your assertion with the correct algorithm (rsa-sha1). Just because it appears correctly in your header, doesn't mean that's what the code is doing!

I'm quite confident that OpenAM will accept a properly formatted signed assertion, as I've used it with multiple vendors with no issues.

I guess another thing you can try is to disable signature verification in OpenAM and see if the assertion gets through, or if it's failing for other reasons! And like I mentioned in my first post (just to be pedantic), if the metadata you imported into openAM is incorrect, it won't validate the signature!

Regards,
Paul Figura
Identity & Access Management Architect

Tel: 514-432-6233
Email: [hidden email]  http://www.indigoconsulting.ca
   

Re: SAML Assertion generation using openSAML

Sarris Overbosch
Hi,

I've been checking that and also hardcoded the usage of rsa-sha1 in the code which creates the SAML Assertion. About the imported metadata, I think it is correct, because an OpenAM instance acting as IDP, from which we get a SAML Assertion, just works fine. The OpenSAML application is impersonating this IDP (we want to have automated testing and thus need generated SAML assertions). Does the assertion checking need any other information besides the certificates and sign info? (Is the referrer header important?)

Stepping through the code using a debugger shows me that org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1 is used to sign.

Br,

Sarris


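Added example, not code from this thread, from OpenSAML or from OpenAM: a stand-alone Java program on the JDK's built-in XML Signature API (javax.xml.crypto.dsig, which like OpenAM's FMSigProvider and OpenSAML is built on Apache Santuario). It signs a constructed SAML-style Assertion with the same SignedInfo shape shown above (enveloped-signature plus exclusive c14n transforms on the Reference, exclusive c14n for SignedInfo, a Reference to the Assertion's ID), serializes it, parses it again as the SP would, and then reports which part of the check failed: the SignatureValue (wrong key, or SignedInfo altered) or the Reference digest (the referenced content differs from what was digested at signing time). That split is the check Paul suggests above: "Signature verification failed" on the SP side does not say whether the key OpenAM took from the metadata is the wrong one or whether the bytes that were digested are not the bytes OpenAM sees. Assumptions: the assertion, its ID, issuer and subject are made up; the RSA key pair is generated in memory, where a real test would load the IDP's keystore; the digest and signature algorithms are SHA-256 rather than the rsa-sha1 of the thread, because current JDKs reject SHA-1 XML signatures in their default secure validation mode. Two details that are easy to get wrong and that both produce an "invalid signature" at the verifier: the ID attribute must be registered as an ID (setIdAttribute) on every freshly parsed document or the "#..." Reference cannot be resolved, and a SAML 2.0 ID is an xs:ID, i.e. an NCName, which cannot begin with a digit (the sample ID therefore starts with an underscore).

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

/** Added example: enveloped XML-DSig over a SAML-style Assertion, with a verify step that says what failed. */
public final class EnvelopedAssertionSignatureCheck {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample, not an assertion from the thread. The ID starts with '_' because a
    // SAML 2.0 ID is an xs:ID (an NCName), which may not begin with a digit.
    static final String ASSERTION_XML =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_example-assertion-1\""
        + " Version=\"2.0\" IssueInstant=\"2014-04-23T13:17:56Z\">"
        + "<saml:Issuer>https://idp.example.test/openam</saml:Issuer>"
        + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        + "</saml:Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);                                   // signatures are namespace-sensitive
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // Without a schema the parser does not know that ID is an ID attribute. Register it on
        // every freshly parsed document, otherwise Reference URI="#..." cannot be resolved.
        doc.getDocumentElement().setIdAttribute("ID", true);
        return doc;
    }

    static void sign(Document doc, PrivateKey key) throws Exception {
        Element assertion = doc.getDocumentElement();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Same SignedInfo shape as in the thread: enveloped + exc-c14n transforms on the
        // Reference and exc-c14n for SignedInfo; digest and signature use SHA-256 here.
        Reference ref = fac.newReference("#" + assertion.getAttribute("ID"),
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        // SAML 2.0 schema order inside Assertion: Issuer, ds:Signature, Subject, ...
        Node issuer = assertion.getElementsByTagNameNS(SAML_NS, "Issuer").item(0);
        DOMSignContext ctx = new DOMSignContext(key, assertion, issuer.getNextSibling());
        ctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, null).sign(ctx);                   // no KeyInfo: the verifier pins the key
    }

    /** Returns "valid", "signature-value" (wrong key or SignedInfo altered),
     *  "reference-digest" (signed content altered after signing) or "no-signature". */
    static String verify(Document doc, PublicKey trustedKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) return "no-signature";
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Pin the key that would come from SP metadata; never take it from the message's KeyInfo.
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(trustedKey), sigs.item(0));
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (sig.validate(ctx)) return "valid";
        if (!sig.getSignatureValue().validate(ctx)) return "signature-value";
        for (Object r : sig.getSignedInfo().getReferences()) {
            if (!((Reference) r).validate(ctx)) return "reference-digest";
        }
        return "unknown";
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer(); // no indent: whitespace is signed
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idp = kpg.generateKeyPair();                       // assumption: a real test loads the IDP keystore
        Document doc = parse(ASSERTION_XML);
        sign(doc, idp.getPrivate());
        String wire = serialize(doc);                              // what would be Base64-encoded into SAMLResponse
        System.out.println("round trip     : " + verify(parse(wire), idp.getPublic()));
        System.out.println("edited subject : " + verify(parse(wire.replace(">alice<", ">mallory<")), idp.getPublic()));
        System.out.println("other key      : " + verify(parse(wire), kpg.generateKeyPair().getPublic()));
    }
}
```

Run it with javac and java on any JDK 11 or later; no libraries outside the JDK are needed. The three lines it prints correspond to the three situations a failing SP log like the one above can hide: a clean round trip, content changed after signing (only the Reference digest fails), and a key that does not match the one the signature was made with (the SignatureValue fails before any digest is looked at). When reproducing a failure from a real exchange, feed the exact bytes the SP received into parse() rather than a re-marshalled copy; pretty-printing, re-serialization through a different DOM, or wrapping the Assertion in a Response after signing all change the canonical form of the referenced element and show up as a reference-digest failure. Pinning the verification key with KeySelector.singletonKeySelector is deliberate: a verifier that takes the key from the message's own ds:KeyInfo accepts any signature the sender cares to make with a key of their choosing.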