Posted to users@cxf.apache.org by RobCodes <te...@gmail.com> on 2020/01/27 19:27:41 UTC

Signed SAML Assertion Validation, Consumer/Client side

We are working through consuming an external service whereby we send a
request to our service provider who returns the response complete with SAML
2.0 assertion for use in subsequent calls. The service provider also owns
the IDP so the interaction between the SP and IDP is on their side. 

We've overcome setting expected audience restrictions
(http://cxf.547215.n5.nabble.com/Set-expected-audience-for-checkAudienceRestrictions-tp5800748.html),
thanks for the assist. Now we are having challenges validating the signature
for the SAML assertion.  

Using WSHandlerConstants to configure the WSS4JOutInterceptors and
WSS4JInInterceptors in addition to putting configurations into the binding
provider request context we are successful in receiving the response but get
the following error when parsing:

javax.xml.ws.soap.SOAPFaultException: The security token could not be
authenticated or authorized

Debugging suggests this is likely an issue with the public key, as the cause
is in the Merlin class, which is unable to find a direct trust in either the
keystore or the truststore.

        // Search the keystore for the transmitted public key (direct trust). If not found
        // then search the truststore for the transmitted public key (direct trust)
        //
        if (!findPublicKeyInKeyStore(publicKey, keystore, false)
            && !findPublicKeyInKeyStore(publicKey, truststore, true)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }

Log:

2020-01-27 13:07:15 - Searching keystore for public key Sun RSA public key, 2048 bits
  params: null
  modulus: [...]
  public exponent: [...]
2020-01-27 13:07:15 - No PublicKey match found in keystore
2020-01-27 13:07:15 - Searching truststore for public key Sun RSA public key, 2048 bits
  params: null
  modulus: [...]
  public exponent: [...]
2020-01-27 13:07:15 - No PublicKey match found in truststore

We have the self-signed certificate provided to us by the SP in PEM format,
which is valid through 2025. We also were able to retrieve the certificate
directly from the server in DER format. Side by side visual inspection using
openssl shows them to be the same (though the DER also shows the certificate
where the PEM does not). We swapped both formats in cacerts and truststore
with the same result. Tomcat is able to access the cacerts as the
certificate in question is printed out in the log along with all the others.
The CXF logs indicate that the keystore and truststore are loading without
issue. Inspecting the stores with keytool indicates all is well also.

At this point we are unable to determine what is causing the validation of
the signature to fail. Is there anything that you see we've missed or
something else that would cause this issue?



-----
Regards,
RobCodes
--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
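The log above shows what Merlin's direct-trust lookup is really doing: it takes the public key that signed the assertion and looks for that same key in each store, so a visually similar certificate, or the TLS certificate served by the host, does not help unless its SubjectPublicKeyInfo is byte-for-byte the assertion-signing key. The following is an added example, not code from the original post, CXF or WSS4J: a stand-alone, stdlib-only Python check that extracts the SubjectPublicKeyInfo from a DER certificate with a minimal DER walker, proves that the PEM and DER forms of one certificate carry the same key, and then runs the same key-match against a constructed truststore. The certificates, aliases and store are all constructed here for illustration (the "signature" field is a placeholder digest, not a real signature), and the function names are this example's own, not Merlin's.

```python
"""Merlin-style direct-trust check: is the assertion signer's public key in the truststore?

Constructed, stdlib-only example. Nothing here is WSS4J/CXF code.
"""
import base64
import hashlib
import re


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_tlv(data: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, value, end_offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(value: bytes):
    """Return [(tag, value, raw_tlv_bytes)] for each child of a constructed value."""
    pos, out = 0, []
    while pos < len(value):
        start = pos
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val, value[start:pos]))
    return out


def spki_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = der_children(cert)[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:          # skip EXPLICIT [0] version when present
        fields = fields[1:]
    return hashlib.sha256(fields[5][2]).hexdigest()


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def make_cert(modulus: bytes, subject: bytes) -> bytes:
    """Constructed X.509-shaped DER with an RSA SPKI; signature is a placeholder digest."""
    rsa_alg = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")   # rsaEncryption
    rsa_key = tlv(0x30, tlv(0x02, b"\x00" + modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, rsa_alg + tlv(0x03, b"\x00" + rsa_key))
    sig_alg = tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")   # sha256WithRSA
    name = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, subject))))
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg
              + name + validity + name + spki)
    placeholder_sig = tlv(0x03, b"\x00" + hashlib.sha256(tbs).digest())   # not a real signature
    return tlv(0x30, tbs + sig_alg + placeholder_sig)


def find_public_key_in_store(cert_der: bytes, store: dict):
    """Alias of the first store entry whose SPKI equals the signer's SPKI, else None."""
    wanted = spki_fingerprint(cert_der)
    for alias, entry_der in store.items():
        if spki_fingerprint(entry_der) == wanted:
            return alias
    return None


# Constructed sample data: the SP's assertion-signing cert (DER and PEM forms),
# an unrelated cert, and two hypothetical truststores.
SP_CERT_DER = make_cert(hashlib.sha256(b"sp-signing-key").digest() * 8, b"sp-idp")
SP_CERT_PEM = to_pem(SP_CERT_DER)
TLS_CERT_DER = make_cert(hashlib.sha256(b"unrelated-tls-key").digest() * 8, b"sp-host")
TRUSTSTORE_GOOD = {"ca": TLS_CERT_DER, "sp-signing": SP_CERT_DER}
TRUSTSTORE_BAD = {"ca": TLS_CERT_DER}   # only the host's TLS cert: key match fails


def check_direct_trust(pem: str, store: dict):
    """What a Merlin-style lookup returns for a PEM-supplied signer cert."""
    return find_public_key_in_store(pem_to_der(pem), store)


if __name__ == "__main__":
    print("PEM/DER same SPKI:", spki_fingerprint(pem_to_der(SP_CERT_PEM)) == spki_fingerprint(SP_CERT_DER))
    print("good truststore  :", check_direct_trust(SP_CERT_PEM, TRUSTSTORE_GOOD))
    print("bad truststore   :", check_direct_trust(SP_CERT_PEM, TRUSTSTORE_BAD))
```

The useful diagnostic is the SPKI fingerprint, not the certificate fingerprint: two certificates can look alike in `openssl x509 -text` and still carry different keys, and a signing key can be rotated behind an unchanged subject. Comparing the fingerprint of the key that actually signed the assertion against every truststore entry tells you immediately whether the "No PublicKey match found" is a trust-store content problem, which is consistent with the thread's resolution of the provider supplying a different certificate.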

Re: Signed SAML Assertion Validation, Consumer/Client side

Posted by RobCodes <te...@gmail.com>.
Thankfully, the issue was not with our code. The service provider provided a
different certificate, made some changes on their side, and, voila, it
works. Of course they did not divulge the changes they made. There went
about a week for nothing, but hey, it works!




-----
Regards,
RobCodes