问题
I have looked at many questions including https://stackoverflow.com/a/25384924/1317559. I have the IdP metadata and certificate, but can't seem to get Spring so see it.
- Added the certificate to the keystore: keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file certificate.crt
- In the metadata there are multiple certificates (2 different ones) and a SignatureValue.
- I tried to add the signature value with the same keytool command, but it is not a certificate.
- I tried to add the 2 certificates found in the metadata also.
I enabled debugging log and this is what I get:
- Successfully verified signature using KeyInfo-derived credential
- Attempting to establish trust of KeyInfo-derived credential
- Supplied trusted names are null or empty, skipping name evaluation
- Attempting PKIX path validation on untrusted credential: [subjectName='O=novell,OU=accessManager,CN=test-signing']
- PKIX path construction failed for untrusted credential: [subjectName='O=novell,OU=accessManager,CN=test-signing']: unable to find valid certification path to requested target
- Signature trust could not be established via PKIX validation of signing credential
- Failed to establish trust of KeyInfo-derived credential
- Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
- PKIX validation of signature failed, unable to resolve valid and trusted signing key
- Signature trust establishment failed for metadata entry http://idp.ppd.com/nidp/saml2/metadata
- Error filtering metadata from http://idp.ppd.com/nidp/saml2/metadata org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:312)
回答1:
The Spring SAML manual describes metadata trust verification in chapter 7.2.4. One option is to disable the trust check, or manually remove the signature XML from metadata. Just like you found out, the certificate to import to samlKeystore.jks is the one used to produce the metadata signature, not the signing/encryption certificates for specific SP or IDP entities.
回答2:
Also worth noting: Don't change the signed file - happened to me when I reformatted the ADFS generated one-liner. Obviously changes the file's signature.
回答3:
This problem was fixed. There were many problems in fact. I am using the Spring SAML sample application:
- Need to add the public certificate (the first one after the signature, in the idp metadata) to the samlKeystore.jks under Other sources, security.
- The password is nalle123 .
- Don't put anything in the securityContext.xml file.
来源:https://stackoverflow.com/questions/28190923/spring-security-saml-idp-metadata-certificate-and-signature