Hi Guys,
As an SP, I'm trying to integrate SAML with a partner who has an IDP set up. We imported the IDP metadata below and its X.509 public key into our keystore.
Upon accessing a resource, the authentication request (AuthnRequest) below is sent to the IDP. I've replaced sensitive values with XXXXX.
The IDP prompts for login and sends the successful Response below (carrying the assertion) back to the SP. I've replaced sensitive values with XXXXX.
Problem
HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid
Logs from both OpenSAML and Spring SAML:
Can anyone please provide some pointers on how to debug this issue? What exactly is missing in the flow above?
Thanks in advance!
As an SP, I'm trying to integrate SAML with a partner who has an IDP set up. We imported the IDP metadata below and its X.509 public key into our keystore.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!-- IdP metadata as imported by the SP (sensitive values replaced with XXXX).
     The SP's trust in the IdP's signatures should be anchored in the signing key
     declared here, never in the certificate a received message carries in its own KeyInfo. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="XXXX">
<!-- WantAuthnRequestsSigned="0": the IdP does not require signed AuthnRequests, which
     matches the unsigned AuthnRequest shown later on this page. -->
<md:IDPSSODescriptor WantAuthnRequestsSigned="0" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<!-- use="signing": the certificate whose key must verify the Signature on the IdP's Responses.
     NOTE(review): if the IdP has rotated this key since the metadata was imported, the
     X509Certificate inside its Responses will no longer match it; compare the two (both are
     XXXX on this page). Only a signing key is published, there is no use="encryption"
     KeyDescriptor, so the SP has no key with which to encrypt anything it sends to this IdP. -->
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>XXXX</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXXX" index="0" isDefault="1"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="XXXX"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="XXXX"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXXX"/>
<md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="XXXX"/>
<md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="XXXX"/>
<md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXXX"/>
<!-- SSO endpoints; the AuthnRequest on this page asks for the HTTP-POST binding back to the SP,
     and its Destination (XXXXX) must equal one of these Location values. -->
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="XXXX"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="XXXX"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXXX"/>
</md:IDPSSODescriptor>
<!-- Separate attribute-query role (SOAP only); it declares the same kind of signing key and is
     not involved in the browser SSO exchange discussed on this page. -->
<md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>XXXX</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXXX"/>
</md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
Code:
<!-- SP-initiated AuthnRequest, sent unsigned (permitted by the IdP metadata, WantAuthnRequestsSigned="0").
     ID is the value the IdP's Response is expected to echo in InResponseTo, both on the Response
     and on the assertion's SubjectConfirmationData. NOTE(review): the Response listed on this page
     carries neither. AssertionConsumerServiceURL is where the HTTP-POST Response must be delivered;
     the assertion's Recipient must equal it. -->
<saml2p:AuthnRequest AssertionConsumerServiceURL="XXXXX"
Destination="XXXXX"
ForceAuthn="false"
ID="a2g0c8dfedgde265408jh9204657aei"
IsPassive="false"
IssueInstant="2013-08-31T08:51:32.098Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<!-- Issuer must be the SP entityID the IdP knows from the SP's metadata. -->
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">XXXXX</saml2:Issuer>
<!-- Allows the IdP to proxy the request through at most two further IdPs. -->
<saml2p:Scoping ProxyCount="2" />
</saml2p:AuthnRequest>
Code:
<!-- Response posted back by the IdP (sensitive values replaced with XXXXX).
     NOTE(review): there is no InResponseTo attribute, although this flow is SP-initiated and the
     AuthnRequest on this page carries ID="a2g0c8dfedgde265408jh9204657aei". Without it the SP
     has to treat the message as unsolicited (IdP-initiated) SSO, which a strict SP rejects. -->
<samlp:Response ID="_10346b23-8a4e-403a-8876-7f3df1dda226"
Version="2.0"
IssueInstant="2013-08-31T08:52:06Z"
Destination="XXXXX"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">XXXXX</saml:Issuer>
<!-- Enveloped XML signature over the whole Response (the Reference URI equals the Response ID),
     using rsa-sha1 / sha1. SHA-1 is deprecated for XML signatures; check that the SP still accepts it.
     The inline X509Certificate is informational only: the SP must verify against the use="signing"
     key in the IdP metadata, and a mismatch between the two (e.g. after a key rotation at the IdP)
     fails the decoder's security policy. NOTE(review): in Spring SAML the exact text
     "Incoming SAML message is invalid" is, as far as I recall, the wrapper for the SecurityException
     thrown by that policy, and the log on this page raises it right after the BasicSecurityPolicy
     evaluation and credential extraction, before any Conditions/Audience check. A signature-trust
     failure is therefore the first thing to rule out; DEBUG logging for the opensaml trust-engine
     classes would show which credential was tried. Presumably; confirm against the full log. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_10346b23-8a4e-403a-8876-7f3df1dda226">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi"
xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>XXXXX</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>XXXXX</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>XXXXX</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<!-- The Assertion carries no Signature of its own and is not encrypted; it is protected only by
     the enveloping Response signature above. -->
<saml:Assertion Version="2.0"
ID="_ceb08452-bc35-4383-853d-4c7e936f44fa"
IssueInstant="2013-08-31T08:52:06Z"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml:Issuer>XXXXX</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">XXXXX</saml:NameID>
<!-- Bearer confirmation: Recipient must equal the SP's AssertionConsumerServiceURL from the
     AuthnRequest, and NotOnOrAfter bounds replay. NOTE(review): InResponseTo is missing here too. -->
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2013-08-31T10:52:06Z"
Recipient="XXXXX"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- Validity window 08:51:06Z to 10:52:06Z (about two hours). The log excerpt on this page is
     dated 2013-08-30 13:25, i.e. a different attempt than this 2013-08-31 message, so it cannot
     be matched against these timestamps; SP/IdP clock skew should still be checked separately. -->
<saml:Conditions NotBefore="2013-08-31T08:51:06Z"
NotOnOrAfter="2013-08-31T10:52:06Z"
>
<saml:AudienceRestriction>
<!-- NOTE(review): empty Audience. The AudienceRestriction should name the SP's entityID; an
     empty value can never match, so even after the signature/trust question is settled, SPs
     generally reject this assertion at Conditions validation. Ask the IdP to populate it. -->
<saml:Audience/>
</saml:AudienceRestriction>
</saml:Conditions>
<!-- AuthnContext "unspecified": the IdP does not state how the user was authenticated. -->
<saml:AuthnStatement AuthnInstant="2013-08-31T08:52:06Z"
SessionIndex="Ac5234d15"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid
Logs from both OpenSAML and Spring SAML:
Code:
2013-08-30 13:25:30,286 [http-apr-XXXX-exec-98] DEBUG o.o.w.m.decoder.BaseMessageDecoder - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
2013-08-30 13:25:30,295 [http-apr-XXXX-exec-98] DEBUG o.o.w.m.decoder.BaseMessageDecoder - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
2013-08-30 13:25:30,295 [http-apr-XXXX-exec-98] DEBUG o.o.c.b.s.BaseSAMLSimpleSignatureSecurityPolicyRule - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
2013-08-30 13:25:30,296 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2013-08-30 13:25:30,297 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2013-08-30 13:25:30,308 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.k.BasicProviderKeyInfoCredentialResolver - Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2013-08-30 13:25:30,308 [http-apr-XXXX-exec-98] DEBUG o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
2013-08-30 13:25:30,312 [http-apr-XXXX-exec-98] DEBUG o.s.s.saml.SAMLProcessingFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
Thanks in advance!