Signature trust establishment failed for metadata entry
Jehan Procaccia
jehan.procaccia at tem-tsp.eu
Mon Jun 29 06:25:30 UTC 2020
Hello
I cannot load the SP metadata for a specific partner; it fails with a
metadata trust failure:
2020-06-28 21:47:00,846 - ERROR
[org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:420]
- Signature trust establishment failed for metadata entry recruitee
2020-06-28 21:47:00,847 - ERROR
[org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:355]
- EntityDescriptor 'recruitee' failed signature verification, removing
from metadata provider
Is there something I can work around on my side, or did the service provider
mess something up in their metadata?
How can I check that the provided metadata is correct with regard to
signature/certs/trust?
Thanks
PS: here is the SP metadata that reports the error
<!-- SAML 2.0 SP metadata for entityID "recruitee", as pasted in the post above.
     Reviewer notes are added as XML comments only. Each note sits flush against
     a neighbouring tag so that no whitespace text node inside the signed
     md:EntityDescriptor changes: the Reference below uses exclusive C14N without
     comments, so comment nodes are dropped before the digest is computed and the
     element should still canonicalize to the same bytes.
     Points to check against the "Signature trust establishment failed" error:
       * The certificate inside ds:KeyInfo is merely what the signer advertises;
         a verifier must not trust it just because it is present. The IdP's
         metadata signature-validation filter has to be configured, out of band,
         with the certificate or public key it is allowed to trust for this entry.
       * entityID is the bare string "recruitee" rather than an absolute URL,
         the usual form for SAML entity identifiers. It is still the name the IdP
         log uses for this entry, so the log and this file refer to the same thing.
       * NOTE(review): the KeyDescriptor certificates below are redacted in this
         copy, so whether the signing KeyDescriptor holds the same certificate as
         ds:KeyInfo cannot be checked here. -->
<md:EntityDescriptor xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="id159317657424081159320976712" entityID="recruitee"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><!-- Enveloped XMLDSig
     signature over the whole descriptor: the Reference URI below points at the
     ID attribute of md:EntityDescriptor. The "ds" prefix here and the "dsig"
     prefix on the root element both bind the same xmldsig namespace, which is
     legal but easy to misread. -->
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><!-- RSA with
     SHA-256 for the signature and SHA-256 for the reference digest below:
     current, widely accepted choices, so algorithm policy is an unlikely cause
     of the failure. -->
<ds:Reference URI="#id159317657424081159320976712">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><!-- Removes
     the ds:Signature element (including its KeyInfo) from the digested content. -->
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>pd4TVQMyNzW1kXQUj5FpvgAAWEfo3+FrPtPAsLhhZyw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>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</ds:SignatureValue><!-- Value
     removed in this copy. The log line in the post reports a trust failure; it
     does not by itself say whether the cryptographic check also failed. -->
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFzjCCA7YCCQDxXP/Xc4ZwNzANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCTkwxFjAUBgNVBAgMDU5vcnRoIEhvbGxhbmQxEjAQBgNVBAcMCUFtc3RlcmRhbTExMC8GA1UECgwoUmVjcnVpdGVlIEIuVi4gKENvbXBhbnkgbnVtYmVyIDYzODgxODI5KTEWMBQGA1UECwwNcmVjcnVpdGVlLmNvbTEiMCAGA1UEAwwZU1NPIHNpZ25hdHVyZSBjZXJ0aWZpY2F0ZTAeFw0xOTAzMDgxNDQ1NDZaFw0yOTAzMDUxNDQ1NDZaMIGoMQswCQYDVQQGEwJOTDEWMBQGA1UECAwNTm9ydGggSG9sbGFuZDESMBAGA1UEBwwJQW1zdGVyZGFtMTEwLwYDVQQKDChSZWNydWl0ZWUgQi5WLiAoQ29tcGFueSBudW1iZXIgNjM4ODE4MjkpMRYwFAYDVQQLDA1yZWNydWl0ZWUuY29tMSIwIAYDVQQDDBlTU08gc2lnbmF0dXJlIGNlcnRpZmljYXRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpFSMWM3/uTOlJ6ghrLlfx8ng1mZ/3kO0YHr+lyswE47hEhgAaiW42CdaGZUlhzPtMYRtHbZ73bCQRRRmqf2PrsxS79fcHxgyS0fElshClnozXLIelM5m+PIJkXH3wh+7O1iyb1ZVh7pyI4Jq8NurogLXe3Jh8PQC/l8tLfCOjuh8chRGDtn88fwntVSPK4es52JC8C2BY121U8y1eda7vRvf5agso97KhjMGdTQ3W5XNNBQKOjoJPFa+e39OWCER5BgpzDvSJkXtl4lA2CVizzjCGldaMAB2m9nWKNGCspWFUNWvd2ozPO2iUUiBfMoPBXzfYoDUoonqznGN7nyY0bGjXJydmi3w5srApET5uvW0q4ygBuzUhfDX3M4hmPxiKdMFeyF7W+DiTKg6NGXByrdUTs9djd0dNuMFZXtM96V9KnH0E+acYKN+RkZMieDwM+KAVXO1Ye7+hfoXl86f12O1OBWAY9RIrqotyFJGR6/wFACaOVT/9hs9x2M0lQd1T7iMNlWweXtA/ZgerG+q3/IjPNXLoHUBW7SU+uhH3bXBkGYJ2+r3pLODBxtY+xwXPWukChVV0j7+6bc13DBxEbtmDIVBihtu0zxrlOOg+FNEosBVf8cB9bU/IJmDZDIBQQYQhVJh75Gx0FhqcOdsesQv6J+hQ6FeE2j/ZoAZPUCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAOAu4XVSJtTtCdHSyBxSu1cXOIQK6CQAmN8ximibI3/C7zxJ92//6QmzYFiDASF46KYeeDRaOg7aVGCnxOMDr6qFDY62mnA/cI8zCWpFB89cSDj9sd4Nxpv1taQi9jADDutHLk0OdqUPS0GeULpQczdJ9ilqwrZlPkRMIamzUq7UXH/CnG7V2yv1BqDU1Pu5Z+LPmEXR8DVbmGJCUwepUbvJsfU3UTjCM/4MLpolbtoPbVJprsm4gWXRSEC2MKYOSy5+Oer3cZ3g/RMCqX1DdnOn8uykuKEF7ve0z65F1bGHAkS4dK3t10QrUzsUk+hBGMDO3mVKH1jI/4GM9iIT57+Ubue+ih6nn9KrQk8JY+D52C70zhqC0bqI6oyBfMC3oXSLBeZrF74cKP9bUZs0OXaHdsNHGxg3TR2rU4ThzbJd3tu/jLL3UPnNdSUQJDJuVh6A8WkKFIoZ+448qCKdyid6lkHP6MqHLCNcWj0x/y+5BP1iN8o8BIjQjXKa2ls9KzVZZj9CI+rGJ0vicORvgD+CEdEAKgXqEj/SxIL/jBs7bHclxVUz1Lz5GLNtAdh7jbxZS2hB2anGKzc7sb29jw2ZooVvJ5wSuz95QRYFlpqufvvWtuwbD87c64yM6yqof7V7uLkltx2g6VlTxUnx2XZB5YHsLt+p2FYOu
TVyYpcU=</ds:X509Certificate><!-- The signer's advertised certificate. The base64
     above decodes to a self-signed X.509 v1 certificate (issuer and subject are
     both C=NL, O=Recruitee B.V., OU=recruitee.com, CN=SSO signature certificate)
     carrying a 4096-bit RSA key, valid 2019-03-08 to 2029-03-05 (UTC), so
     expiry is not the problem at the date of the post. With no issuing CA there
     is no chain to build: the IdP must pin this exact certificate (or its
     public key) in its metadata signature-validation configuration for trust
     establishment to succeed. The line break inside the base64 is presumably
     mail-client wrapping; decoders normally ignore it, and this KeyInfo is
     excluded from the digest by the enveloped-signature transform anyway. -->
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:SPSSODescriptor AuthnRequestsSigned="true"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><!-- Key the SP signs with (it declares
     AuthnRequestsSigned="true" above); certificate redacted in this copy. In the
     SAML metadata trust model a key here is trusted because it sits inside
     metadata that has already been accepted; the ds:KeyInfo certificate at the
     top is the opposite case and has to be trusted beforehand. -->
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate>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</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption"><!-- Key the IdP should encrypt to for this SP;
     also redacted here. -->
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate>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</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</md:KeyDescriptor><!-- All four endpoints below are HTTPS URLs on
     auth.recruitee.com. Because the filter removes the whole EntityDescriptor
     on a trust failure (second log line in the post), none of them becomes
     usable until the signature trust problem is resolved. -->
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://auth.recruitee.com/sso/sp/logout/institutminestelecom"/>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://auth.recruitee.com/sso/sp/logout/institutminestelecom"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://auth.recruitee.com/sso/sp/consume/institutminestelecom"
index="0" isDefault="true"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://auth.recruitee.com/sso/sp/consume/institutminestelecom"
index="1"/><!-- An AssertionConsumerService with the HTTP-Redirect binding is
     unusual: the Web Browser SSO profile does not deliver Responses over
     Redirect, so most IdPs will ignore this entry. Unrelated to the signature
     error; index 0 (HTTP-POST) is the default anyway. -->
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">Recruitee</md:OrganizationName>
<md:OrganizationDisplayName
xml:lang="en">Recruitee</md:OrganizationDisplayName>
<md:OrganizationURL
xml:lang="en">https://recruitee.com</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:SurName>Recruitee Support</md:SurName>
<md:EmailAddress>support at recruitee.com</md:EmailAddress><!-- " at " in place
     of "@" is presumably the list archive's address munging, not what the SP
     publishes; compare with the metadata as actually downloaded. -->
</md:ContactPerson>
</md:EntityDescriptor>