Getting back to trying to hook an external IdP (Keycloak) to DDF. Currently have 2.10.3 deployed. DDF is getting hung up when validating the AuthN response, pushing out an exception like this:
2017-08-03 15:39:40,418 | INFO | tp1754960400-621 | IdpHandler | .client.AssertionConsumerService 307 | 427 - security-idp-client -.saml2.core.impl.IssuerImpl@2ea22ad3
ddf.security.samlp.ValidationException: Invalid or untrusted signature.
at org.codice.ddf.security.idp.client.AuthnResponseValidator.validate(AuthnResponseValidator.java:67)[427:security-idp-client:2.10.3]
at org.codice.ddf.security.idp.client.AssertionConsumerService.validateResponse(AssertionConsumerService.java:305)[427:security-idp-client:2.10.3]
at org.codice.ddf.security.idp.client.AssertionConsumerService.processSamlResponse(AssertionConsumerService.java:249)[427:security-idp-client:2.10.
at org.codice.ddf.security.idp.client.AssertionConsumerService.processSamlResponse(AssertionConsumerService.java:299)[427:security-idp-client:2.10.
at org.codice.ddf.security.idp.client.AssertionConsumerService.postSamlResponse(AssertionConsumerService.java:128)[427:security-idp-client:2.10.3]
I added some further debugging statements to SimpleSign to try to tease out a bit more information about why it thinks the signature is invalid/untrusted. This is the causing exception:
2017-08-03 15:39:40,414 | WARN | tp1754960400-621 | SimpleSign | ddf.security.samlp.SimpleSign 294 | 209 - security-core-api - 2
org.apache.wss4j.common.ext.WSSecurityException: No message with ID "certpath" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"
at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:836)[133:org.apache.wss4j.wss4j-ws-security-common:2.1.7]
at org.apache.wss4j.dom.validate.SignatureTrustValidator.verifyTrustInCerts(SignatureTrustValidator.java:108)
at org.apache.wss4j.dom.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64)
at ddf.security.samlp.SimpleSign.validateSignature(SimpleSign.java:292)[209:security-core-api:2.10.3]
at org.codice.ddf.security.idp.client.AuthnResponseValidator.validate(AuthnResponseValidator.java:63)[427:security-idp-client:2.10.3]
at org.codice.ddf.security.idp.client.AssertionConsumerService.validateResponse(AssertionConsumerService.java:305)[427:security-idp-client:2.10.3]
at org.codice.ddf.security.idp.client.AssertionConsumerService.processSamlResponse(AssertionConsumerService.java:249)[427:security-idp-client:2.10.
at org.codice.ddf.security.idp.client.AssertionConsumerService.processSamlResponse(AssertionConsumerService.java:299)[427:security-idp-client:2.10.
at org.codice.ddf.security.idp.client.AssertionConsumerService.postSamlResponse(AssertionConsumerService.java:128)[427:security-idp-client:2.10.3]
Any thoughts on where I should be looking?
Thanks in advance.
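The "certpath" message ID in the second trace is the one WSS4J's Merlin.verifyTrust raises when it cannot establish trust in the signing certificate: it first looks for the exact certificate in the keystore/truststore (direct trust) and, failing that, asks Java's PKIX CertPathBuilder to build a path from the certificate to an anchor in the truststore. The resource-bundle complaint only means the text for that message ID could not be resolved, so the underlying CertPathBuilderException message is lost. Running the same two checks outside DDF, against the IdP's signing certificate and the truststore DDF's SAML client is configured with, shows whether trust is the problem and prints the real reason. The following is an added example, not DDF or WSS4J code; the class name, the PEM/truststore paths, the password and the truststore type are assumptions supplied on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Stand-alone check of whether a SAML signing certificate would pass a
 * WSS4J-style trust check against a given truststore. Added example; not DDF
 * or WSS4J code, and the class name and arguments are assumptions.
 *
 * Usage: java IdpTrustCheck idp-signing-cert.pem /path/to/truststore.jks changeit [JKS|PKCS12]
 */
public class IdpTrustCheck {

    // Step 1, "direct trust": the exact certificate is an entry in the truststore.
    // Certificate.equals() compares the DER encoding, so a different cert with the
    // same subject DN does not match.
    static boolean directlyTrusted(X509Certificate cert, KeyStore trustStore) throws Exception {
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate entry = trustStore.getCertificate(aliases.nextElement());
            if (cert.equals(entry)) {
                return true;
            }
        }
        return false;
    }

    // Step 2: PKIX path building from the signing cert to any anchor in the truststore.
    // Revocation is disabled, as in the default WSS4J configuration. An expired or
    // not-yet-valid certificate still fails here with a CertPathBuilderException.
    static PKIXCertPathBuilderResult buildPath(X509Certificate cert, KeyStore trustStore) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate entry = trustStore.getCertificate(aliases.nextElement());
            if (entry instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) entry, null));
            }
        }
        if (anchors.isEmpty()) {
            throw new IllegalStateException("truststore contains no X.509 certificates");
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(cert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false);
        // The end-entity cert must be reachable by the builder; any intermediates carried
        // in the SAML <ds:KeyInfo> would be added to this collection as well.
        List<Certificate> available = new ArrayList<>();
        available.add(cert);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(available)));
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    static X509Certificate loadPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static KeyStore loadTrustStore(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: IdpTrustCheck <signing-cert.pem> <truststore> <password> [JKS|PKCS12]");
            System.exit(2);
        }
        X509Certificate cert = loadPem(args[0]);
        KeyStore trustStore = loadTrustStore(args[1], args[2].toCharArray(), args.length > 3 ? args[3] : "JKS");

        System.out.println("subject : " + cert.getSubjectX500Principal());
        System.out.println("issuer  : " + cert.getIssuerX500Principal());
        System.out.println("serial  : " + cert.getSerialNumber().toString(16));
        System.out.println("validity: " + cert.getNotBefore() + " .. " + cert.getNotAfter());

        if (directlyTrusted(cert, trustStore)) {
            System.out.println("OK: certificate is present in the truststore (direct trust)");
            return;
        }
        try {
            PKIXCertPathBuilderResult result = buildPath(cert, trustStore);
            System.out.println("OK: path built to anchor "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // This is the condition WSS4J reports under the "certpath" message ID.
            System.out.println("FAIL: no trust path: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A Keycloak realm normally signs responses with a self-signed realm certificate, so there is no chain to build and step 1 is the check that has to pass: that exact certificate must be an entry in the truststore the DDF SAML client reads. If this check passes against the store you think DDF uses but DDF still reports "certpath", the Merlin instance doing the validation is loading a different truststore, or a different certificate is in the response's <ds:KeyInfo> than the one you exported (compare the serial printed above with the one in the response).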