Hi,
I am currently integrating our company IdP with Jenkins.
In the SAML plugin I get the error
"signature is not trusted".
Can you help me resolve this error?
[System Log]
org.pac4j.saml.exceptions.SAMLSignatureValidationException: Signature is not trusted
at org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator.validateSignature(AbstractSAML2ResponseValidator.java:147)
at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateAssertionSignature(SAML2AuthnResponseValidator.java:669)
at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateAssertion(SAML2AuthnResponseValidator.java:392)
at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateSamlSSOResponse(SAML2AuthnResponseValidator.java:303)
at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validate(SAML2AuthnResponseValidator.java:97)
[package Log]
1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validateSuccessfully verified signature using KeyInfo-derived credential
1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validateAttempting to establish trust of KeyInfo-derived credential
1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validateFailed to establish trust of KeyInfo-derived credential
1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validateFailed to verify signature and/or establish trust using any KeyInfo-derived credentials
1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine doValidateAttempting to verify signature using trusted credentials
1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine doValidateFailed to verify signature using either KeyInfo-derived or directly trusted credentials
[IDP_metadata.xml]
<!-- IdP metadata as pasted (certificate redacted). Read against the logs above,
     two things stand out: the descriptor's validUntil (2022-12-29) is earlier
     than the Response's IssueInstant (2023-01-05), and the KeyInfo start tag
     is missing. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="
dev.idp.com">
<!-- The line break inside entityID looks like a paste artifact; the real value
     has to equal the Issuer in the Response ("dev.idp.com") exactly. -->
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" validUntil="2022-12-29T05:08:17.196Z">
<!-- NOTE(review): validUntil had already passed at the time of the logged
     attempt (2023-01-05). If the metadata resolver enforces validity (as far
     as I know OpenSAML resolvers do by default), an expired descriptor yields
     no trusted signing credential at all, which would explain "Failed to
     establish trust of KeyInfo-derived credential" while the signature itself
     verified. Re-export the IdP metadata with a future validUntil (or none)
     and reload it in the plugin. -->
<KeyDescriptor use="signing">
<!-- NOTE(review): as pasted there is no <KeyInfo> start tag matching the
     </KeyInfo> below, so this snippet is not well-formed XML; the real file
     should have <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> here.
     Confirm against the actual file, since a parse failure would also leave
     the SP without a trusted credential. -->
<X509Data>
<!-- This must be the certificate the IdP actually signs with, i.e. the same
     one carried in the Response's ds:KeyInfo. If the IdP rotated its signing
     key after this metadata was exported, the two no longer match and trust
     cannot be established; refresh the metadata from the IdP. -->
<X509Certificate> Security </X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
</IDPSSODescriptor>
</EntityDescriptor>
[SP_metadata.xml]
[IDP→SP Response]
<?xml version="1.0" encoding="UTF-8"?>
<!-- IdP to SP Response as pasted (signature value, certificate and attributes
     redacted). Only the Assertion is signed; the Response element itself
     carries no Signature. Per the package log, the signature verified
     cryptographically against the certificate embedded in ds:KeyInfo below,
     but that certificate could not be matched to any trusted credential, so
     the failure is about the trust anchor (IdP metadata), not the signature. -->
<saml2p:Response Destination="
http://sp/securityRealm/finishLogin"
ID="_35252c6bbb5c64698a8fe152098273bd"
InResponseTo="_b0ed88b36ddc44c5a4b9f9ddd08289dfd058745"
IssueInstant="2023-01-05T07:24:23.120Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<!-- Destination here, and Recipient / Audience further down, are plain http.
     They must match the ACS URL and SP entityID configured in Jenkins exactly,
     scheme and host included; mismatches produce different validation errors
     than the one reported, but are worth checking once trust is fixed. -->
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
dev.idp.com</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></saml2p:Status>
<saml2:Assertion ID="_4b558ed15d6584def6dadc8fb7c8be8c"
IssueInstant="2023-01-05T07:24:23.120Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="
http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
dev.idp.com</saml2:Issuer>
<Signature xmlns="
http://www.w3.org/2000/09/xmldsig#">
<!-- Enveloped signature over the Assertion (Reference URI points at the
     Assertion ID). -->
<SignedInfo>
<CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<!-- NOTE(review): rsa-sha1 here and sha1 as DigestMethod below. The log shows
     verification succeeded, so SHA-1 is not the cause of this error, but it is
     deprecated for XML signatures and newer OpenSAML/pac4j releases may reject
     it by policy; ask the IdP team to move to rsa-sha256 / sha256. -->
<Reference URI="#_4b558ed15d6584def6dadc8fb7c8be8c">
<Transforms>
<Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd"
xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transform>
</Transforms>
<DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>gQ+c3WIINjjN9EnuVsQoBSfAK+o=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
~~~Security~~~
</SignatureValue>
<!-- This is the "KeyInfo-derived credential" named in the log: the signature
     verified with this certificate, but "Failed to establish trust" means it
     is not among the signing credentials the SP loaded from IDP_metadata.xml.
     Compare this certificate byte for byte with the use="signing"
     KeyDescriptor in the metadata, and check that the metadata is still
     valid (its validUntil is 2022-12-29, before this Response's IssueInstant). -->
<ds:KeyInfo xmlns:ds="
http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
~~~Security~~~
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">MyName</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_b0ed88b36ddc44c5a4b9f9ddd08289dfd058745"
NotOnOrAfter="2023-01-05T07:29:23.120Z"
Recipient="
http://sp/securityRealm/finishLogin" /></saml2:SubjectConfirmation>
</saml2:Subject>
<!-- Validity window is five minutes (07:24 to 07:29), so SP and IdP clocks
     need to be closely synchronised once the trust issue is resolved. -->
<saml2:Conditions NotBefore="2023-01-05T07:24:23.120Z"
NotOnOrAfter="2023-01-05T07:29:23.120Z">
<saml2:AudienceRestriction>
<saml2:Audience>
http://sp/securityRealm/finishLogin</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2023-01-05T04:25:58.646Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
~~~~~ Attribute Block~~~~~~~
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>