“HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid” with Salesforce as IdP for implementing SSO

太阳男子 2020-12-30 10:34

I've implemented SSO using Spring SAML and everything is working fine. It worked with the following IDPs till now: 1) idp.ssocircle.com 2) openidp.feide.no

Now I\

1 answer
  • 2020-12-30 11:26

    Your IDP is using a different key for digital signatures than it defines in metadata.

    You should inspect the SAML message you received and look for element X509Certificate inside element Signature. Extract the content of the certificate into a separate file, e.g. sales-force-sign.cer

    You then need to import the certificate into your samlKeystore.jks, you can find details on how to do it in chapter 4.5 (Key management) of the Spring SAML manual. Make sure to note the alias you import the key with.

    As the last step you need to tell Spring SAML to use the newly imported key for signature verifications for your IDP. For that you should update your securityContext.xml and update your ExtendedMetadata for your IDP with property signingKey and the value of the alias you used earlier to import the key. It will look similar to:

      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
          <constructor-arg>
              <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                  <constructor-arg>
                      <value type="java.io.File">classpath:salesforce_metadata.xml</value>
                  </constructor-arg>
                  <property name="parserPool" ref="parserPool"/>
              </bean>
          </constructor-arg>
          <constructor-arg>
              <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                  <property name="signingKey" value="sf-proxy"/>
              </bean>
          </constructor-arg>
      </bean>
    

    Again you can find details on all of this in the manual.

    Alternatively you can simply add the key you extracted from the message into your IDP metadata. Just manually update the XML file and add another KeyDescriptor with use="signing". It might be faster to do.

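A check for the mismatch the answer describes, as an added example that is not part of the original post: it pulls the X509Certificate out of each ds:Signature in a received SAML message, compares it with the signing KeyDescriptor certificates in the IdP metadata, and writes the message certificate out as the .cer file to import. The function names, the sample Response and metadata, and the placeholder certificate strings are constructed assumptions, not real Salesforce data.

```python
import re
import textwrap
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def _b64(text):
    # base64 in XML is usually line-wrapped; strip whitespace so values compare equal
    return re.sub(r"\s+", "", text or "")

def certs_in_signatures(saml_xml):
    # X509Certificate values carried inside each ds:Signature of the received message
    root = ET.fromstring(saml_xml)
    return [_b64(c.text) for sig in root.iter(DS + "Signature")
            for c in sig.iter(DS + "X509Certificate")]

def signing_certs_in_metadata(metadata_xml):
    # certs from KeyDescriptor elements valid for signing (use="signing" or no use attribute)
    root = ET.fromstring(metadata_xml)
    return [_b64(c.text) for kd in root.iter(MD + "KeyDescriptor")
            if kd.get("use", "signing") == "signing"
            for c in kd.iter(DS + "X509Certificate")]

def diagnose(saml_xml, metadata_xml):
    # trusted=False is the condition behind the 401: the IdP signed with a key its metadata does not declare
    msg, meta = certs_in_signatures(saml_xml), signing_certs_in_metadata(metadata_xml)
    return {"message": msg, "metadata": meta, "trusted": any(c in meta for c in msg)}

def to_pem(b64_cert):
    # PEM text for the .cer file that you then import into samlKeystore.jks
    body = "\n".join(textwrap.wrap(b64_cert, 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

# Constructed sample input; the certificate strings are placeholders, not real certificates.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIICPLACEHOLDERMESSAGESIGNINGCERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"""
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIICPLACEHOLDERMETADATACERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    result = diagnose(RESPONSE, METADATA)
    if not result["trusted"]:
        with open("sales-force-sign.cer", "w") as f:
            f.write(to_pem(result["message"][0]))
```

With a real message and metadata file, the .cer it writes is the one the answer tells you to import into samlKeystore.jks under the alias you then set as signingKey.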