javax.servlet.ServletException: org.pac4j.saml.exceptions.SamlException: Error decoding saml message
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:796)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
    at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:197)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
.......
Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
    at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:50)
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:131)
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:82)
    at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)

After some googling, I found this website: http://samaratips.blogspot.ca/2016/10/sso-using-saml.html which said:

Add IDP public key for signing messages to java key store. It can be found in incoming saml message from IDP.

My questions are:
- Is there somebody who has succeeded in making the jenkins/saml plugin + keycloak work together?
- How can I add the IDP public key to my keystore, and how do I configure jenkins to decode the saml message with the key in the keystore?

Any help/hints will be appreciated.

Regards.
James
The IdP key should be in the IdP Metadata as described in https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf
If you are generating the IdP metadata manually, you can use this tool: https://www.samltool.com/idp_metadata.php
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="http://13.211.108.58/auth/realms/amp"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
                    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="http://13.211.108.58/auth/realms/amp/protocol/saml" />
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="http://13.211.108.58/auth/realms/amp/protocol/saml" />
    <KeyDescriptor use="signing">
      <dsig:KeyInfo>
        <dsig:KeyName>-3exGGnBkt9XwDMBUwkkkXg2JYGXg-_YAcr5gwYTSN0</dsig:KeyName>
        <dsig:X509Data>
          <dsig:X509Certificate>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</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
org.pac4j.saml.exceptions.SAMLException: Identity provider has no single sign on service available for the selected profileorg.opensaml.saml.saml2.metadata.impl.IDPSSODescriptorImpl@3ce818f6
at org.pac4j.saml.context.SAML2MessageContext.getIDPSingleSignOnService(SAML2MessageContext.java:93)
at org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder.build(SAML2AuthnRequestBuilder.java:70)
at org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder.build(SAML2AuthnRequestBuilder.java:34)
Thanks in advance.
Regards
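Two things in this thread come down to what the IdP metadata contains: the answer above points out that the IdP signing certificate (the "IDP public key" the original question asks about) is carried in the metadata's KeyDescriptor, and the follow-up error "Identity provider has no single sign on service available for the selected profile" is raised by pac4j when the metadata has no SingleSignOnService for the binding the SP was configured to use (pac4j's default is HTTP-Redirect, while the metadata above only advertises HTTP-POST). The script below is an added example, not code from the Jenkins SAML plugin, pac4j or Keycloak: it parses a metadata document with the Python standard library, extracts the signing certificate as a PEM block ready for `keytool -importcert`, prints its SHA-256 fingerprint for comparison with the IdP console, and reports which SSO bindings are present. The embedded metadata is a constructed sample modelled on the one posted above; its certificate body is a placeholder blob, not a real X.509 certificate, and the host `idp.example.test` is made up.

```python
"""Check a SAML 2.0 IdP metadata document for what a pac4j-based SP (such as the
Jenkins SAML plugin) needs before it can decode and verify IdP messages:
a signing certificate and a SingleSignOnService for the SP's chosen binding.

Added example; not code from the Jenkins SAML plugin, pac4j or Keycloak."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample modelled on the metadata in the thread. The certificate
# body is a placeholder blob, NOT a real X.509 certificate; idp.example.test
# is an assumed hostname.
PLACEHOLDER_CERT = base64.b64encode(
    b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor entityID="http://idp.example.test/auth/realms/amp"
    xmlns="{MD}" xmlns:dsig="{DS}">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="{POST}"
        Location="http://idp.example.test/auth/realms/amp/protocol/saml"/>
    <KeyDescriptor use="signing">
      <dsig:KeyInfo><dsig:X509Data>
        <dsig:X509Certificate>{PLACEHOLDER_CERT}</dsig:X509Certificate>
      </dsig:X509Data></dsig:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def signing_certs(metadata_xml):
    """Return the base64 X509Certificate bodies the IdP advertises for signing.
    A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    Only parse metadata you obtained from the IdP over a trusted channel."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            # Metadata often wraps the base64 across lines; strip all whitespace.
            certs.append("".join((cert.text or "").split()))
    return certs


def to_pem(b64_body):
    """Wrap the base64 body as a PEM block, the form keytool -importcert accepts."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64_body, 64))
            + "\n-----END CERTIFICATE-----\n")


def fingerprint(b64_body):
    """SHA-256 over the DER bytes, to compare with the fingerprint the IdP shows."""
    return hashlib.sha256(base64.b64decode(b64_body)).hexdigest()


def sso_bindings(metadata_xml):
    """Map each advertised SingleSignOnService binding URI to its Location."""
    root = ET.fromstring(metadata_xml)
    return {s.get("Binding"): s.get("Location")
            for s in root.iter(f"{{{MD}}}SingleSignOnService")}


def check_metadata(metadata_xml, sp_binding=REDIRECT):
    """Return the problems an SP configured to send AuthnRequests over
    sp_binding would hit with this metadata (empty list means none found)."""
    problems = []
    if not signing_certs(metadata_xml):
        problems.append("no signing certificate: IdP signature validation will fail")
    bindings = sso_bindings(metadata_xml)
    if sp_binding not in bindings:
        problems.append(f"no SingleSignOnService for {sp_binding}; "
                        f"available: {sorted(bindings)}")
    return problems


if __name__ == "__main__":
    for body in signing_certs(SAMPLE_METADATA):
        print("signing cert sha256:", fingerprint(body))
        print(to_pem(body))
    print("SSO bindings:", sso_bindings(SAMPLE_METADATA))
    print("problems for HTTP-Redirect SP:", check_metadata(SAMPLE_METADATA))
    print("problems for HTTP-POST SP:", check_metadata(SAMPLE_METADATA, POST))
```

Run against the metadata posted above, the HTTP-Redirect check reports the missing binding, which matches the "no single sign on service available for the selected profile" failure; the fix is either to have the IdP also advertise an HTTP-Redirect SingleSignOnService or to configure the SP to use HTTP-POST. The PEM output is what you would pipe into `keytool -importcert` if you did want the certificate in a keystore, but with pac4j the metadata itself is where the signing certificate is taken from, so keeping the metadata file current is the real requirement.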