Spring SAML – Failed to establish trust of KeyInfo-derived credential


Question:
On my web application I have implemented SAML delegated authentication against a CAS 5.1 server. Everything works until the web app receives the SAML Assertion: then I get the error reported in the subject, followed by Authentication Failure.

This is an extract of my log:

17:11:15,466 DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] (default task-15) Signature validation using candidate credential was successful
17:11:15,466 DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] (default task-15) Successfully verified signature using KeyInfo-derived credential
17:11:15,466 DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] (default task-15) Attempting to establish trust of KeyInfo-derived credential
17:11:15,468 DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] (default task-15) Failed to establish trust of KeyInfo-derived credential
17:11:15,469 DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] (default task-15) Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
17:11:15,469 DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] (default task-15) Attempting to verify signature using trusted credentials
17:11:15,469 DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] (default task-15) Failed to verify signature using either KeyInfo-derived or directly trusted credentials
17:11:15,469 DEBUG [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule] (default task-15) Validation of protocol message signature failed for context issuer ‘development:cas:idp’, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
17:11:15,469 DEBUG [org.springframework.security.saml.SAMLProcessingFilter] (default task-15) Incoming SAML message is invalid: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed

Step-by-step analysis shows that the ExplicitKeySignatureTrustEngine tries to find credentials using Criteria involving the EntityID, the protocol and the usage SIGNING. The metadata configured in my web app seems to meet those criteria, but the Trusted Credential collection is always empty.

The certificate used in signing was loaded in my web app’s keystore and is the same in the CAS server, my web app and respective metadata.

Can someone explain what I am doing wrong and how to fix it? Thanks in advance.
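The log above shows the two separate steps an explicit-key trust engine performs: the signature verifies with the certificate carried in the message's KeyInfo, but trust is only established if that certificate matches one resolved from the SP's configured metadata for the issuer, the IdP role, the SAML 2.0 protocol and SIGNING usage. The following Python model of that decision is an added example, not part of the question, any answer, or OpenSAML/Spring SAML; the metadata document and the certificate strings (CERT-A, CERT-B) are constructed placeholders.

```python
# Added example: minimal model of explicit-key trust establishment.
# "Signature verified" is not "trusted": the KeyInfo certificate must also be in the
# set resolved from metadata for (entityID, role, protocol, usage). An empty resolved set
# means trust fails even though the signature itself was valid.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML20P = "urn:oasis:names:tc:SAML:2.0:protocol"
ROLE_TAG = {"idp": "md:IDPSSODescriptor", "sp": "md:SPSSODescriptor"}

# Constructed IdP metadata; CERT-A stands in for a base64 X.509 certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="development:cas:idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-A</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def resolve_trusted_certs(metadata_xml, entity_id, role, protocol, usage):
    """Return the certificates the metadata offers for (entity_id, role, protocol, usage).
    A KeyDescriptor without a 'use' attribute is unspecified and matches any usage."""
    root = ET.fromstring(metadata_xml)
    # The message issuer must equal the entityID exactly (no normalisation).
    if root.get("entityID") != entity_id:
        return set()
    certs = set()
    for role_el in root.findall(ROLE_TAG[role], NS):
        if protocol not in role_el.get("protocolSupportEnumeration", "").split():
            continue
        for kd in role_el.findall("md:KeyDescriptor", NS):
            use = kd.get("use")
            if use is not None and use != usage:
                continue  # e.g. use="encryption" never satisfies a SIGNING lookup
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.add("".join(c.text.split()))
    return certs


def establish_trust(keyinfo_cert, metadata_xml, issuer):
    """Explicit-key check for a SAML 2.0 Response signed by the IdP named in issuer."""
    trusted = resolve_trusted_certs(metadata_xml, issuer, "idp", SAML20P, "signing")
    return keyinfo_cert in trusted  # empty trusted set -> False, as in the log above
```

Running the model with the issuer string from the log against metadata whose entityID, role, protocol or KeyDescriptor use does not line up reproduces the empty trusted collection the question describes, which is why checking those four fields against the SP's metadata copy is the first diagnostic step.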


Answer:
