Posted to issues@nifi.apache.org by "Beat Fuellemann (Jira)" <ji...@apache.org> on 2023/06/19 11:01:00 UTC

[jira] [Comment Edited] (NIFI-11694) SAML logout signature verification failed

    [ https://issues.apache.org/jira/browse/NIFI-11694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17734122#comment-17734122 ] 

Beat Fuellemann edited comment on NIFI-11694 at 6/19/23 11:00 AM:
------------------------------------------------------------------

Thanks David for the fast response. I will clarify that with our Identity Provider. So I will close that case.


was (Author: JIRAUSER299087):
Thanks David for the fast response. I will clarify that with our Identity Provider.

> SAML logout signature verification failed
> -----------------------------------------
>
>                 Key: NIFI-11694
>                 URL: https://issues.apache.org/jira/browse/NIFI-11694
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.21.0
>            Reporter: Beat Fuellemann
>            Assignee: David Handermann
>            Priority: Major
>
> We activated SAML Authentication with the following configuration:
> {code:java}
> nifi.security.user.saml.request.signing.enabled=false
> nifi.security.user.saml.want.assertions.signed=true
> nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> nifi.security.user.saml.authentication.expiration=1 hours
> nifi.security.user.saml.single.logout.enabled=true
> nifi.security.user.saml.http.client.truststore.strategy=JDK
> nifi.security.user.saml.http.client.connect.timeout=30 secs
> nifi.security.user.saml.http.client.read.timeout=30 secs{code}
> Login works fine.
> But during logout, it looks like NiFi signs the request, even if we set "request.signing.enabled=false". This causes the logout to fail on the IdP.
> It gives us the following error:
> {code:java}
> 2023-06-15 06:38:35,629 INFO [NiFi Web Server-78] org.apache.nifi.web.api.AccessResource Logout Request [7b8370e8-752f-484e-8caa-5a8ce3f29caf] Identity [TXXXXX] started
> 2023-06-15 06:38:35,673 DEBUG [NiFi Web Server-78] o.o.xmlsec.algorithm.AlgorithmRegistry Runtime support eval for algorithm URI 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': supported
> 2023-06-15 06:38:35,674 DEBUG [NiFi Web Server-78] o.o.xmlsec.algorithm.AlgorithmRegistry Runtime support eval for algorithm URI 'http://www.w3.org/2001/04/xmlenc#sha256': supported
> 2023-06-15 06:38:35,676 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver Resolved SignatureSigningParameters:
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Signing credential with key algorithm: RSA
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Signature KeyInfoGenerator: present
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Reference digest method algorithm URI: http://www.w3.org/2001/04/xmlenc#sha256
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Reference canonicalization algorithm URI: null
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Canonicalization algorithm URI: http://www.w3.org/2001/10/xml-exc-c14n#
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      HMAC output length: null
> 2023-06-15 06:38:35,678 DEBUG [NiFi Web Server-78] o.opensaml.security.crypto.SigningUtil Computing signature over input using private key of type RSA and JCA algorithm ID SHA256withRSA
> 2023-06-15 06:38:35,691 DEBUG [NiFi Web Server-78] o.opensaml.security.crypto.SigningUtil Computed signature: [3, e, 2, 0, d, 4, 0, 7, d, 8, 2, 6, 9, 7, a, f, c, 1, 0, 8, b, 9, 5, f, d, 0, a, 3, 2, 9, b, 9, 3, d, b, 5, 2, 4, 2, f, a, 9, 7, 1, 2, 3, d, 3, c, d, 9, 8, 1, 0, a, 5, 1, 8, 8, 6, 3, 3, 8, a, a, 7, f, 1, 8, 9, c, a, 3, 5, 7, b, 2, e, c, 2, 5, 3, 7, 1, 2, b, 2, 1, 4, 3, e, 6, f, 4, 8, 5, e, 1, d, 3, e, 1, a, 5, 1, a, f, 8, 2, f, a, 3, 8, a, 3, 2, f, 0, 6, d, e, 8, 7, b, 9, f, d, 2, 8, b, d, f, 8, 2, 7, 9, 3, 5, 1, d, c, 1, 2, e, 3, 4, 8, f, 3, 7, e, 6, 5, c, e, 3, 8, 3, 1, 2, a, 6, 5, 6, 1, 2, 8, c, 8, 3, 8, 3, a, a, 9, 6, 2, a, 8, 3, 2, 9, 2, 5, 9, 2, b, e, 6, d, 0, 0, e, 1, 8, 9, 2, 4, 0, 2, a, 5, c, b, 3, 1, b, 1, b, b, a, e, 0, f, 6, e, 8, 0, b, c, 9, 0, 0, f, c, 1, 7, 5, c, 4, d, b, 5, c, 1, 0, f, b, 3, d, 4, c, e, 5, 7, 4, 3, 8, f, b, 1, f, 1, d, a, a, 0, c, 8, e, d, b, 5, 0, 5, 9, 7, a, c, 8, 7, 9, 4, 4, d, f, 1, 3, 2, 9, 6, 6, 2, 4, 1, e, c, 8, 3, 7, 3, 2, 4, 9, a, 9, 4, 0, 3, c, 4, b, 2, f, 1, b, 9, b, 4, 3, 1, f, 6, d, 3, d, 4, 5, 0, f, 7, 8, d, 1, c, 1, 8, f, 2, 4, 8, 3, 3, 9, e, 3, 4, b, 5, 0, 9, 9, 1, 0, c, b, e, 3, 7, 9, 4, 4, d, 7, a, a, 4, 6, 6, 0, 1, b, c, 8, b, 4, c, 9, c, a, b, 2, b, e, d, 4, 4, 4, 0, a, b, 9, 4, 4, 4, 4, 9, e, a, b, 4, b, 0, 1, 4, 0, b, 7, 2, f, d, b, 8, a, a, 8, f, 8, e, 3, 8, 9, 0, c, 8, f, 3, 0, 6, 0, 9, 3, d, 5, c, 3, 5, 6, a, 6, e, 1, d, 5, c, 5, a, 4, 9, 2, 3, c, d, 5, 6, 8, f, 1, 3, f, c, 4, 5, 4, 4, 9, 5, 4, 1, 4, 7, f, d, 6, 1, d, 0, 6, 5, d, b, 5, 1, f, 5, 2, 8, 2, 6, f, 2, 6, a, c, b, e, 1, 5, 6, 2, 8, 8, 5, 9, f, 6, b, d, c, 1, 9, 8, f, 3, 6, 1, e, 0, 7, 6, b, f, 4, 4, 1, 9, c, a, 4, 9, 7, 7, 8, e, 2, 7, 5, 4, 4, e, f, 4, 6, 7, 7, 6, 4, 7, b, b, f, 4, a, 8, c, d, 1, d, f, 1, 0, c, a, 6, 8, 9, d, f, a, 9, 1, c, 9, c, 8, 9, 3, 0, a, a, 1, 3, 1, f, 9, 3, 9, 3, 8, 8, b, 0, 0, 6, e, d, 1, 1, 5, c, 4, 8, 5, 7, d, 7, 1, 2, 1, 1, 3, 9, 5, d, 9, 3, 2, d, 1, e, 4, 1, 1, 7, 3, 2, 1, d, f, 3, 7, 7, 8, 0, d, 7, a, 5, b, 
c, c, 5, 7, d, 4, 1, f, c, 7, 6, 5, e, 2, f, c, 7, 0, c, 5, 6, c, d, 5, 3, b, d, c, 0, e, 8, 4, 5, 5, a, 1, 1, 0, b, 9, c, f, a, 9, 3, f, f, 5, 8, 5, f, d, e, 3, 7, 1, 4, d, a, 0, 9, b, 8, f, 9, 3, 7, 3, 7, f, 3, 5, 9, c, f, 8, c, 6, 0, d, c, c, b, 8, 7, 7, a, e, e, 9, a, a, 7, 9, d, d, 9, b, 6, 6, f, e, 7, 3, e, 8, b, 2, 0, 8, e, e, 3, d, 9, f, 8, 3, d, 5, 8, 5, 0, 9, 4, c, c, f, e, 0, f, 8, b, 8, 0, 1, 5, 8, 9, 4, 6, 0, a, 1, a, 1, 0, 7, 4, 9, 0, b, e, 8, d, 4, f, c, 4, f, 2, c, 4, b, c, 7, 9, 7, 2, 9, 3, 0, f, 3, 0, 8, 6, a, 3, 0, 4, 8, c, 0, e, d, 9, 4, 5, 3, d, 4, b, a, 8, e, 8, f, 9, c, e, 5, 0, 7, 3, b, b, 6, 3, f, 0, 2, 3, 5, 1, 3, 0, 3, d, 6, b, d, 4, d, c, d, d, c, 0, a, f, 0, 8, 8, e, 0, 7, 7, f, 4, 3, 9, 8, c, 5, f, 9, a, d, 0, 9, 5, a, a, 9, 8, c, d, 9, a, a, 2, 1, f, 9, 9, 1, 5, 4, c, 5, 6, 8, a, a, 2, 6, 1, 2, e, 6, 7, 3, d, e, 4, 5, b, 2, 2, b, 5, f, f, f, 3, 2, 5, 7, 5, 0, f, 2, 9, 9, 7, a, 0, a, 7, e, c, b, 7, 5, 7, 1, 0, 6, f, 6, 0, e, 5, 7, b, 1, 1, d, 9, 8, 8, 5, 7, b, 2, d, 7, c, e, c, 2, 8, c, 0, 2, a, f, 0, a, a, 2, b, 4, d, 0, 1, e, 0, 3, 7, e, 7, 2, 8, 3, 7, 4, 1, 7, 3, e, 2, 8, 6, d, d, 7, 0, 8, 9, 2, 9, 6, f, d, 6, f, 2, f, 4, d, d, 6, f]{code}
>  
> Is there another switch to disable logout request signing?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
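
One way to confirm from the debug log whether a particular logout request was signed, as an added example that is not part of the original report or of NiFi: it correlates each `Logout Request [...] started` line with the OpenSAML `SigningUtil` line logged on the same thread. The function name, the 2-second correlation window and the fourth sample line are assumptions made for this example; the first three sample lines are copied from the log quoted in the report.

```python
import re
from datetime import datetime, timedelta

# First three lines copied from the report; the fourth is constructed
# to show a logout with no signing activity on its thread.
SAMPLE_LOG = """\
2023-06-15 06:38:35,629 INFO [NiFi Web Server-78] org.apache.nifi.web.api.AccessResource Logout Request [7b8370e8-752f-484e-8caa-5a8ce3f29caf] Identity [TXXXXX] started
2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2023-06-15 06:38:35,678 DEBUG [NiFi Web Server-78] o.opensaml.security.crypto.SigningUtil Computing signature over input using private key of type RSA and JCA algorithm ID SHA256withRSA
2023-06-15 06:38:36,002 INFO [NiFi Web Server-12] org.apache.nifi.web.api.AccessResource Logout Request [00000000-0000-0000-0000-000000000001] Identity [constructed] started
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+) \[([^\]]+)\] (\S+)\s+(.*)$")
LOGOUT = re.compile(r"Logout Request \[([0-9a-f-]+)\] Identity \[[^\]]*\] started")
SIGNED = re.compile(r"Computing signature over input .* JCA algorithm ID (\S+)")
URI = re.compile(r"Signature algorithm URI: (\S+)")

def signed_logouts(log_text, window=timedelta(seconds=2)):
    """Map each logout request id to the signing details seen on its thread."""
    pending = {}   # thread name -> (request id, start time)
    results = {}   # request id -> signing details
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation lines, e.g. the signature dump
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        thread, logger, msg = m.group(3), m.group(4), m.group(5)
        start = LOGOUT.search(msg)
        if start:
            pending[thread] = (start.group(1), ts)
            results[start.group(1)] = {"signed": False, "jca": None, "uri": None}
            continue
        if thread not in pending:
            continue
        req_id, began = pending[thread]
        if ts - began > window:
            del pending[thread]  # thread has moved on to unrelated work
            continue
        uri = URI.search(msg)
        if uri and logger.endswith("BasicSignatureSigningParametersResolver"):
            results[req_id]["uri"] = uri.group(1)
        sig = SIGNED.search(msg)
        if sig and logger.endswith("SigningUtil"):
            results[req_id].update(signed=True, jca=sig.group(1))
    return results
```

A `signed: False` result only means no signing line was logged for that request, so it is meaningful only when DEBUG logging is enabled for the OpenSAML loggers shown in the report.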