Signature validation works for SSO, but fails for SLO
Justin Edelson
justin at justinedelson.com
Tue May 27 14:15:30 EDT 2014
Hi,
I'm trying to add SLO support to an existing SP library and running
into what seems like a strange issue. I can't tell if this is a
problem with my Shibboleth configuration, the SP library, or both.
In the metadata XML for my SP, I have a KeyInfo element containing my
SP's public certificate. See
https://gist.github.com/justinedelson/38d98ff75d55cfb7d69d
This works for AuthnRequests like
https://gist.github.com/justinedelson/698266372f5617aee3bd - I can see
from the logs that Shibboleth is validating the signature:
10:59:14.024 - DEBUG
[org.opensaml.xml.signature.SignatureValidator:54] - Attempting to
validate signature using key from supplied credential
10:59:14.024 - DEBUG
[org.opensaml.xml.signature.SignatureValidator:90] - Creating
XMLSignature object
10:59:14.025 - DEBUG
[org.opensaml.xml.signature.SignatureValidator:64] - Validating
signature with signature algorithm URI:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
10:59:14.025 - DEBUG
[org.opensaml.xml.signature.SignatureValidator:65] - Validation
credential key algorithm 'RSA', key instance class
'sun.security.rsa.RSAPublicKeyImpl'
10:59:14.047 - DEBUG
[org.opensaml.xml.signature.SignatureValidator:70] - Signature
validated with key from supplied credential
However, for LogoutRequest messages like
https://gist.github.com/justinedelson/4c0d7e13857e0f654e82, the
signature validation fails:
11:01:55.520 - DEBUG
[org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine:107]
- Attempting to verify signature using trusted credentials
11:01:55.520 - DEBUG
[org.opensaml.xml.signature.SignatureValidator:54] - Attempting to
validate signature using key from supplied credential
11:01:55.520 - DEBUG
[org.opensaml.xml.signature.SignatureValidator:90] - Creating
XMLSignature object
11:01:55.520 - DEBUG
[org.opensaml.xml.signature.SignatureValidator:64] - Validating
signature with signature algorithm URI:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
11:01:55.521 - DEBUG
[org.opensaml.xml.signature.SignatureValidator:65] - Validation
credential key algorithm 'RSA', key instance class
'sun.security.rsa.RSAPublicKeyImpl'
11:01:55.524 - DEBUG
[org.opensaml.xml.signature.SignatureValidator:77] - Signature did not
validate against the credential's key
11:01:55.531 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:144] -
Signature validation using candidate validation credential failed
org.opensaml.xml.validation.ValidationException: Signature did not
validate against the credential's key
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)
~[xmltooling-1.4.0.jar:na]
at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:142)
~[xmltooling-1.4.0.jar:na]
at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:110)
[xmltooling-1.4.0.jar:na]
at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)
[xmltooling-1.4.0.jar:na]
at org.opensaml.xml.signature.impl.ChainingSignatureTrustEngine.validate(ChainingSignatureTrustEngine.java:68)
[xmltooling-1.4.0.jar:na]
at org.opensaml.xml.signature.impl.ChainingSignatureTrustEngine.validate(ChainingSignatureTrustEngine.java:37)
[xmltooling-1.4.0.jar:na]
at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:104)
[openws-1.5.0.jar:na]
at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:91)
[openws-1.5.0.jar:na]
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:128)
[opensaml-2.6.0.jar:na]
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
[opensaml-2.6.0.jar:na]
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
[openws-1.5.0.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
[openws-1.5.0.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
[openws-1.5.0.jar:na]
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
[opensaml-2.6.0.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler.decodeRequest(SLOProfileHandler.java:515)
[shibboleth-identityprovider-2.4.0.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler.processLogoutRequest(SLOProfileHandler.java:240)
[shibboleth-identityprovider-2.4.0.jar:na]
Is there some fundamental difference I'm missing in how the signature
validation gets done for SSO vs. SLO requests? Any suggestions on how
I can troubleshoot this further?
Thanks,
Justin
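Added example (not part of the original post, the SP library, or Shibboleth): a structural pre-check, using only Python's standard library, of the points SAML 2.0 Core section 5.4.2 fixes for a signed protocol message. Both traces above go through the same org.opensaml.xml.signature.SignatureValidator, and the SLO trace gets as far as "Signature did not validate against the credential's key", so a credential was found and applied; what remains is what the SP library actually signed. The script does not compute digests or verify the RSA signature (that needs exclusive canonicalization and an XML-DSig library); it checks the root ID attribute, that there is exactly one ds:Reference and that it is a same-document reference to that ID, that the enveloped-signature and canonicalization transforms are present, that ds:Signature sits directly after saml:Issuer, and it reports the algorithm URIs. The LogoutRequest it inspects is constructed for the example, with placeholder digest, signature and certificate values and made-up entity IDs.

```python
"""Structural pre-check of an enveloped XML signature on a SAML 2.0 protocol message.

Added example using only the standard library; it does not verify the signature
cryptographically, it only reports whether the signed structure is the one SAML
2.0 Core 5.4.2 requires, which is the first thing to look at when
"Signature did not validate against the credential's key" appears in the IdP log.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
C14N_ALGS = {
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2006/12/xml-c14n11",
}


def inspect_signed_message(xml_text):
    """Return a dict describing the signature structure and a list of problems found."""
    root = ET.fromstring(xml_text)
    problems = []
    info = {"element": root.tag.split("}")[-1], "id": root.get("ID")}
    if info["id"] is None:
        # Libraries sometimes emit "Id" or "id"; OpenSAML looks for "ID".
        problems.append("root element has no ID attribute (check the attribute name and case)")

    sigs = [c for c in root if c.tag == DS_SIGNATURE]
    info["signature_count"] = len(sigs)
    if len(sigs) != 1:
        problems.append("expected exactly one ds:Signature as a child of the root, found %d" % len(sigs))
        info["problems"] = problems
        return info
    sig = sigs[0]

    # SAML 2.0 Core schema order: Issuer?, Signature?, Extensions?, then the message body.
    children = list(root)
    issuer = root.find("saml:Issuer", NS)
    expected_pos = children.index(issuer) + 1 if issuer is not None else 0
    if children.index(sig) != expected_pos:
        problems.append("ds:Signature is not in the position the SAML schema requires "
                        "(directly after saml:Issuer)")

    signed_info = sig.find("ds:SignedInfo", NS)
    c14n = signed_info.find("ds:CanonicalizationMethod", NS)
    info["c14n_method"] = c14n.get("Algorithm") if c14n is not None else None
    sig_method = signed_info.find("ds:SignatureMethod", NS)
    info["signature_method"] = sig_method.get("Algorithm") if sig_method is not None else None

    refs = signed_info.findall("ds:Reference", NS)
    info["reference_uris"] = [r.get("URI") for r in refs]
    if len(refs) != 1:
        problems.append("expected exactly one ds:Reference, found %d" % len(refs))
    for ref in refs:
        uri = ref.get("URI")
        if not uri or not uri.startswith("#"):
            problems.append("Reference URI %r is not a same-document reference" % uri)
        elif info["id"] is not None and uri != "#" + info["id"]:
            # Typical cause: the library regenerated the ID, or re-serialised the message, after signing.
            problems.append("Reference URI %r does not match root ID %r" % (uri, info["id"]))
        transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
        info["transforms"] = transforms
        if ENVELOPED not in transforms:
            problems.append("missing enveloped-signature transform")
        if not any(t in C14N_ALGS for t in transforms):
            problems.append("no canonicalization transform on the reference")
        digest = ref.find("ds:DigestMethod", NS)
        info["digest_method"] = digest.get("Algorithm") if digest is not None else None

    info["has_keyinfo"] = sig.find("ds:KeyInfo", NS) is not None
    info["problems"] = problems
    return info


def sample_logout_request(message_id, reference_uri, signature_after_issuer=True):
    """Constructed LogoutRequest for the example; digest, signature and cert values are placeholders."""
    signature = (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
        '<ds:Reference URI="{ref}"><ds:Transforms>'
        '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
        '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        '<ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference></ds:SignedInfo>'
        '<ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>'
        '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature>'
    ).format(ref=reference_uri)
    name_id = ('<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
               '_user</saml:NameID>')
    body = signature + name_id if signature_after_issuer else name_id + signature
    return (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{id}" Version="2.0" '
        'IssueInstant="2014-05-27T15:01:55Z" '
        'Destination="https://idp.example.org/idp/profile/SAML2/POST/SLO">'
        '<saml:Issuer>https://sp.example.org/saml/metadata</saml:Issuer>{body}'
        '<samlp:SessionIndex>_session</samlp:SessionIndex></samlp:LogoutRequest>'
    ).format(id=message_id, body=body)


if __name__ == "__main__":
    # A well-formed message, then one whose ID was changed after signing and whose
    # Signature was placed after NameID: the report lists both problems.
    for msg in (sample_logout_request("_6f1d", "#_6f1d"),
                sample_logout_request("_new", "#_old", signature_after_issuer=False)):
        report = inspect_signed_message(msg)
        print(report["element"], report["reference_uris"], report["problems"] or "structure OK")
```

Run it against the raw LogoutRequest as the SP library emits it (the decoded SAMLRequest value, not a re-serialised copy); if the structure is clean, the remaining suspects are the bytes that were canonicalised, which is where an XML-DSig tool that understands exclusive canonicalization takes over.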