Picketlink(IDP) + SimpleSaml(SP)
643 views
Skip to first unread message
Alessandro Marinho
Jul 14, 2015, 3:44:54 PM7/14/15
to simple...@googlegroups.com
Hello Guys,
I'm trying to establish a communication with Picketlink(IDP JAVA) and SimpleSaml(PHP SP).
So, i got the demo on the site (default-sp) . And did that:
Copy IDP Metadata on saml20-idp-remote.php:
$metadata['http://localhost:8080/idp2/'] = array (
'entityid' => 'http://localhost:8080/idp2/',
'description' =>
array (
'en' => 'JBoss',
),
'OrganizationName' =>
array (
'en' => 'JBoss',
),
'name' =>
array (
'en' => 'JBoss by Red Hat',
),
'OrganizationDisplayName' =>
array (
'en' => 'JBoss by Red Hat',
),
'url' =>
array (
'en' => 'http://www.jboss.org',
),
'OrganizationURL' =>
array (
'en' => 'http://www.jboss.org',
),
'contacts' =>
array (
0 =>
array (
'contactType' => 'technical',
'givenName' => 'The',
'surName' => 'Admin',
'emailAddress' =>
array (
0 => 'test',
),
),
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:mace:shibboleth:1.0:profiles:AuthnRequest',
'Location' => 'http://localhost:8080/idp2/',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'http://localhost:8080/idp2/',
),
2 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://localhost:8080/idp2/',
),
),
'SingleLogoutService' =>
array (
),
'ArtifactResolutionService' =>
array (
),
'keys' =>
array (
0 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI',
),
1 =>
array (
'encryption' => true,
'signing' => false,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI',
),
2 =>
array (
'encryption' => true,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI',
),
),
);
-----------------_
Configure SP with authsources.php:
'default-sp' => array(
'saml:SP',
/*The same content of the x509 on saml20-idp-remote.php */
'certificate' => 'servercert.crt',
'entityID' => null,
'idp' =>'http://localhost:8080/idp2/',
'discoURL' => null,
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
------------
My IDP Configuration :
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true" >
<Trust>
<Domains>service.example.com,10.12.109.122,localhost,jboss.com,jboss.org,amazonaws.com</Domains>
</Trust>
<KeyProvider
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
<Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
<!-- <Auth Key="KeyStorePass" Value="store123" /> -->
<Auth Key="KeyStorePass" Value="MASK-O1P+U1Domeec8lCaoIkTGg==" />
<!-- <Auth Key="SigningKeyPass" Value="test123" /> -->
<Auth Key="SigningKeyPass" Value="MASK-AJbh4WmHwy8=" />
<Auth Key="SigningKeyAlias" Value="servercert" />
<Auth Key="salt" Value="18273645" />
<Auth Key="iterationCount" Value="11" />
<ValidatingAlias Key="localhost" Value="servercert" />
<ValidatingAlias Key="127.0.0.1" Value="servercert" />
<ValidatingAlias Key="sp" Value="servercert" />
</KeyProvider>
</PicketLinkIDP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler">
<Option Key="SIGN_METHOD" Value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
</Handler>
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
</Handlers>
</PicketLink>
--------------_
Sending SAML 2 AuthnRequest to 'http://localhost:8080/idp2/'
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_5bbdf16e1028b9a4cc3690a9c10d8f33821c4290f1" Version="2.0" IssueInstant="2015-07-14T19:26:27Z" Destination="http://localhost:8080/idp2/" AssertionConsumerServiceURL="http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
<saml:Issuer>http://localhost/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>
Received message:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_b74cc56c-5819-4545-bb72-86d0f7af7ce9" IssueInstant="2015-07-14T19:26:31.000Z" Version="2.0">
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
</samlp:Status>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#ID_b74cc56c-5819-4545-bb72-86d0f7af7ce9">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>T3egtFVz7kh6qTSag/6DCMW2k9g=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>UCmprFTbzTmd64kmWx6uenT3+1bN4HhQ9THeZzf3gPMRjLoQT7TIO4DMawXDVCMl6bspf2zhMBXcWUpqbV+5kp3QB2xIiPihAV2yNa45AnFpGLCxKLhHHzGdKnOfMHPdsiodjx1XvJ2BOBmcyd1RgTaN131zqw0pBWJbm5uoCtY=</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>7KiaO7wWGffrZcXyLcY3syZ7TWVE5wBzU08/DvglTvvSQeotmJDKBTea8N8Kf8SKqdBANH8dnYT0wRXkedAQ+97YwwWKiwTz+EHYvfwBWQaV3BBu2kLVe9w+hykXPmEEIQzXXbfoBt9xi5pworDsjJJROifK5+eUtjIK2jkGzKM=</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
</samlp:Response>
---
ERROR:
16:26:30,995 ERROR [org.picketlink.common] (http-localhost/127.0.0.1:8080-2) Error validating signature:: java.lang.RuntimeException: PL00092: Null Value:Cannot find Signature element
at org.picketlink.common.DefaultPicketLinkLogger.nullValueError(DefaultPicketLinkLogger.java:205)
at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:498) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:309) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:120) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:91) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:52) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:857) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.handleSAMLMessage(AbstractIDPValve.java:427) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke(AbstractIDPValve.java:374) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
One thing really STRANGE.. If i take off :
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" /> , then, i can log in .
What am i doing wrong?
I'm trying to establish a communication with Picketlink(IDP JAVA) and SimpleSaml(PHP SP).
So, i got the demo on the site (default-sp) . And did that:
Copy IDP Metadata on saml20-idp-remote.php:
$metadata['http://localhost:8080/idp2/'] = array (
'entityid' => 'http://localhost:8080/idp2/',
'description' =>
array (
'en' => 'JBoss',
),
'OrganizationName' =>
array (
'en' => 'JBoss',
),
'name' =>
array (
'en' => 'JBoss by Red Hat',
),
'OrganizationDisplayName' =>
array (
'en' => 'JBoss by Red Hat',
),
'url' =>
array (
'en' => 'http://www.jboss.org',
),
'OrganizationURL' =>
array (
'en' => 'http://www.jboss.org',
),
'contacts' =>
array (
0 =>
array (
'contactType' => 'technical',
'givenName' => 'The',
'surName' => 'Admin',
'emailAddress' =>
array (
0 => 'test',
),
),
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:mace:shibboleth:1.0:profiles:AuthnRequest',
'Location' => 'http://localhost:8080/idp2/',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'http://localhost:8080/idp2/',
),
2 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://localhost:8080/idp2/',
),
),
'SingleLogoutService' =>
array (
),
'ArtifactResolutionService' =>
array (
),
'keys' =>
array (
0 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI',
),
1 =>
array (
'encryption' => true,
'signing' => false,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI',
),
2 =>
array (
'encryption' => true,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI',
),
),
);
-----------------_
Configure SP with authsources.php:
'default-sp' => array(
'saml:SP',
/*The same content of the x509 on saml20-idp-remote.php */
'certificate' => 'servercert.crt',
'entityID' => null,
'idp' =>'http://localhost:8080/idp2/',
'discoURL' => null,
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
------------
My IDP Configuration :
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true" >
<Trust>
<Domains>service.example.com,10.12.109.122,localhost,jboss.com,jboss.org,amazonaws.com</Domains>
</Trust>
<KeyProvider
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
<Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
<!-- <Auth Key="KeyStorePass" Value="store123" /> -->
<Auth Key="KeyStorePass" Value="MASK-O1P+U1Domeec8lCaoIkTGg==" />
<!-- <Auth Key="SigningKeyPass" Value="test123" /> -->
<Auth Key="SigningKeyPass" Value="MASK-AJbh4WmHwy8=" />
<Auth Key="SigningKeyAlias" Value="servercert" />
<Auth Key="salt" Value="18273645" />
<Auth Key="iterationCount" Value="11" />
<ValidatingAlias Key="localhost" Value="servercert" />
<ValidatingAlias Key="127.0.0.1" Value="servercert" />
<ValidatingAlias Key="sp" Value="servercert" />
</KeyProvider>
</PicketLinkIDP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler">
<Option Key="SIGN_METHOD" Value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
</Handler>
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
</Handlers>
</PicketLink>
--------------_
Sending SAML 2 AuthnRequest to 'http://localhost:8080/idp2/'
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_5bbdf16e1028b9a4cc3690a9c10d8f33821c4290f1" Version="2.0" IssueInstant="2015-07-14T19:26:27Z" Destination="http://localhost:8080/idp2/" AssertionConsumerServiceURL="http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
<saml:Issuer>http://localhost/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>
Received message:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_b74cc56c-5819-4545-bb72-86d0f7af7ce9" IssueInstant="2015-07-14T19:26:31.000Z" Version="2.0">
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
</samlp:Status>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#ID_b74cc56c-5819-4545-bb72-86d0f7af7ce9">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>T3egtFVz7kh6qTSag/6DCMW2k9g=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>UCmprFTbzTmd64kmWx6uenT3+1bN4HhQ9THeZzf3gPMRjLoQT7TIO4DMawXDVCMl6bspf2zhMBXcWUpqbV+5kp3QB2xIiPihAV2yNa45AnFpGLCxKLhHHzGdKnOfMHPdsiodjx1XvJ2BOBmcyd1RgTaN131zqw0pBWJbm5uoCtY=</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>7KiaO7wWGffrZcXyLcY3syZ7TWVE5wBzU08/DvglTvvSQeotmJDKBTea8N8Kf8SKqdBANH8dnYT0wRXkedAQ+97YwwWKiwTz+EHYvfwBWQaV3BBu2kLVe9w+hykXPmEEIQzXXbfoBt9xi5pworDsjJJROifK5+eUtjIK2jkGzKM=</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
</samlp:Response>
---
ERROR:
16:26:30,995 ERROR [org.picketlink.common] (http-localhost/127.0.0.1:8080-2) Error validating signature:: java.lang.RuntimeException: PL00092: Null Value:Cannot find Signature element
at org.picketlink.common.DefaultPicketLinkLogger.nullValueError(DefaultPicketLinkLogger.java:205)
at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:498) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:309) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:120) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:91) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:52) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:857) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.handleSAMLMessage(AbstractIDPValve.java:427) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke(AbstractIDPValve.java:374) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
One thing really STRANGE.. If i take off :
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" /> , then, i can log in .
What am i doing wrong?
Jaime Perez Crespo
Jul 15, 2015, 2:38:15 AM7/15/15
to simple...@googlegroups.com
Hi Alessandro,
It looks like your IdP is expecting the authentication request to be signed. So either you configure the IdP not to do so if that’s not important for you, or configure SimpleSAMLphp to sign authentication requests sent to this IdP (at least), and configure the IdP with the certificate used in your SP. You have information on how to do that in the documentation:
https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
> --
> You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
> To post to this group, send email to simple...@googlegroups.com.
> Visit this group at http://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/d/optout.
--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
It looks like your IdP is expecting the authentication request to be signed. So either you configure the IdP not to do so if that’s not important for you, or configure SimpleSAMLphp to sign authentication requests sent to this IdP (at least), and configure the IdP with the certificate used in your SP. You have information on how to do that in the documentation:
https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
> You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
> To post to this group, send email to simple...@googlegroups.com.
> Visit this group at http://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/d/optout.
--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
Alessandro Marinho
Jul 15, 2015, 7:19:26 AM7/15/15
to simple...@googlegroups.com
Hello Jaime, it works!
I just put the "sign.authrequest" on IDP.
Thank you !
I just put the "sign.authrequest" on IDP.
Thank you !
Reply all
Reply to author
Forward
0 new messages