ADFS 2.0 SAMLRequest doesnt accept the request - saml-2.0

Here is my service provider metadata
Here is my service provider metadata
<?xml version="1.0"?>
<md:EntityDescriptor entityID="https://localhost:5200" validUntil="2022-08-30T19:10:29Z"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<!-- insert ds:Signature element (omitted) -->
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIID2TCCAsGgAwIBAgIUIAXntTTcs4IGVz8v8KpHAz46QfMwDQYJKoZIhvcNAQEL
BQAwfDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQHDAtZb3JiYSBM
aW5kYTEWMBQGA1UECgwNTWluZExvZ2ljIElOQzEYMBYGA1UECwwPKi5taW5kbG9n
aWMuYXBwMRgwFgYDVQQDDA8qLm1pbmRsb2dpYy5hcHAwHhcNMjEwODE3MTEyMDEw
bvDj7E3wzI80gp7uU3KqU3UNswzsgcwSkwRTGS9sKkNnS62efQXKHRtR7fBwbOqU
Y9bSXiTiSbd9zOvdVd+gGAqOqOB1o+jB55AvjtkzXhaoyBaQM1vStP7OCw0yFhNf
fOKTM7EdAzTXoV4hJtUo0CMcUTFMP8PBnMHWQ5A6jZ8iBCXStcQ5Y71YhPUxa6dh
I7rPk/j8+/qKbKyAhOSRvCiQY5xbAY12rW07WJ1JcWk7jvT7Kx4pll5Mh1G3lOcC
AwEAAaNTMFEwHQYDVR0OBBYEFN2ugfhPaQ2Gyj/5aedoNN1eriDDMB8GA1UdIwQY
MBaAFN2ugfhPaQ2Gyj/5aedoNN1eriDDMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggEBAAqn3aU/U7PA59yjHLjFb8LzMMoAS+b9Fu0d9JNym9K1ugzf
dq/SgBS7MVrhz2bE/n3VQfnv+tjSLqQNwhyHmFy36Z43Q/BYrbofL6RSSrnozFz6
uUYkuFFeCd857OyKOxKv33wD6EE6rNZqI7wEmKov2U7RNToxHD5NmeH0lTBHmBTH
UWp/yLQkTlMZYUDfOCBxlF2+bGS1hzdXPOELN3RZNRk9M61NHyISfE7VpqIlI1Ro
x4DUK89TKDG/mLl985h+sTuPMmIMpl1ozXrJWhKucoqjSfMTh/MLQTQS1lHmeAFH
npro/M9yy1Uwrz4K93nju5kNLLZL7NRzddjHOYs=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:5200/map"/>
<md:AttributeConsumingService index="0">
<md:ServiceName xml:lang="en">Example.com Employee Portal</md:ServiceName>
<md:RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"/>
<md:RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">Localtest.com Inc.</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">Localtest.com</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">https://localhos:5200/</md:OrganizationURL>
</md:Organization>
</md:EntityDescriptor>
Here is my SERVICE PROVIDER initiative request
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-16f33a7e-4381-4d40-9fdd-1949dd679e86" Version="2.0" IssueInstant="2021-09-09T07:58:45Z " Destination="https://saml.mlads.mindlogic.app/adfs/ls/" Consent="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:5200</Issuer> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/> <samlp:RequestedAuthnContext> <samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</samlp:AuthnContextClassRef> </samlp:RequestedAuthnContext> </samlp:AuthnRequest>
I deflated and encoded base 64 but my adfs server throws error
deflated data
nZJtS8MwEMe/Ssj7NunWPTR0g7EhDFTGFF/4LiSpC+Sh5lKc39600zGQDRECgf/l/ve7u9TArWnZqosHt1fvnYKIjtY4YENggbvgmOeggTluFbAo2NPq4Z6Ncsra4KMX3mC03SywllkxbcZjPlNZOZ4XWSlLmlWNTHpVVlJOZ5WaTzF6UQG0dwucPFIqQKe2DiJ3MUl0VGS0SueZzthkzsrJK8Jok7i043FIO8TYAiOkJ8yt4RJyq500/k2LnLct4bIBYoBgtPYOVO97rY0iLwYlwTc+WB6ZslyblZRBAeAlqge+cBrK7XFwABV6RLz8QTRecHPwENlkRGlNTmbJ9TT2x+Sx3ey80eIT3Q31/41Kzq7fe1Ry2GoaQVTHeI5eimuTmPeq+fvKL3q8+Uww0XsneZeuDx9kTa7XT3DkNjv5/U+XXw==
Error details: Found invalid data while decoding.
Note: I am triggering the url from browser
https://saml.mlads.mindlogic.app/adfs/ls?SAMLRequest=nZJtS8MwEMe/Ssj7NunWPTR0g7EhDFTGFF/4LiSpC+Sh5lKc39600zGQDRECgf/l/ve7u9TArWnZqosHt1fvnYKIjtY4YENggbvgmOeggTluFbAo2NPq4Z6Ncsra4KMX3mC03SywllkxbcZjPlNZOZ4XWSlLmlWNTHpVVlJOZ5WaTzF6UQG0dwucPFIqQKe2DiJ3MUl0VGS0SueZzthkzsrJK8Jok7i043FIO8TYAiOkJ8yt4RJyq500/k2LnLct4bIBYoBgtPYOVO97rY0iLwYlwTc+WB6ZslyblZRBAeAlqge+cBrK7XFwABV6RLz8QTRecHPwENlkRGlNTmbJ9TT2x+Sx3ey80eIT3Q31/41Kzq7fe1Ry2GoaQVTHeI5eimuTmPeq+fvKL3q8+Uww0XsneZeuDx9kTa7XT3DkNjv5/U+XXw==
ADFS error Log
Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
System.IO.InvalidDataException: Found invalid data while decoding.
at System.IO.Compression.Inflater.DecodeDynamicBlockHeader()
at System.IO.Compression.Inflater.Decode()
at System.IO.Compression.Inflater.Inflate(Byte[] bytes, Int32 offset, Int32 length)
at System.IO.Compression.DeflateStream.Read(Byte[] array, Int32 offset, Int32 count)
at Microsoft.IdentityModel.Web.DeflateCookieTransform.Decode(Byte[] encoded)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.DecodeMessageInternal(String message)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
at Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)`

I forgot to encode url after I encode url it works.so the request should be = urlencode(base64encode(deflate))

Related

Business Central : Oauth2 authentication

I'm try to configure integration between Business Central on premise 19.6 with Azure AD.
User authentication work fine
But when I try the configuration for OAuth2 service to service follow the instruction
https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/automation-apis-using-s2s-authentication
I cannot connect to service.
I get the token from the
https://login.microsoftonline.com//oauth2/v2.0/token
but when i pass to Business Central api as Berear token I get the error:
"error": {
"code": "Unknown",
"message": "IDX10501: Signature validation failed. Unable to match key: \nkid: 'System.String'.\nExceptions caught:\n 'System.Text.StringBuilder'. \ntoken: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'. CorrelationId: <Guid>."
}
On the server event viewer I have the error:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-DynamicsNAV-Server" Guid="{85423fd1-c021-5a63-f214-c4819f8809f3}" />
<EventID>216</EventID>
<Version>1</Version>
<Level>2</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x4000f00000000001</Keywords>
<TimeCreated SystemTime="2022-08-29T16:17:45.774819400Z" />
<EventRecordID>437</EventRecordID>
<Correlation />
<Execution ProcessID="4064" ThreadID="5832" />
<Channel>Microsoft-DynamicsNAV-Server/Admin</Channel>
<Computer>The computer FQDN</Computer>
<Security UserID="Business Central Service User Id" />
</System>
- <EventData>
<Data Name="serverInstanceName">BC190</Data>
<Data Name="navTenantId" />
<Data Name="environmentName" />
<Data Name="environmentType" />
<Data Name="message">Type: Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException Message: IDX10501: Signature validation failed. Unable to match key: kid: 'System.String'. Exceptions caught: 'System.Text.StringBuilder'. token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'. StackTrace: at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.Dynamics.Nav.Runtime.NavJwtSecurityTokenFactory.CreateAndValidateWithAudienceList(String serializedToken, FederationMetadataProvider federationMetadataProvider, IEnumerable`1 allowedAudiences, String tokenId, NavDiagnostics diagnostics) at Microsoft.Dynamics.Nav.Service.WebServiceBearerAuthenticator.TryAuthenticateUser(String authorizationHeader, Uri requestUrl) at Microsoft.Dynamics.Nav.Service.ServiceAuthenticationHelper.AuthenticateForServiceCall(Uri uri, String authorizationValue, Func`3 createException, IEnumerable`1 bearerValidationExtensions, String userAadObjectIdToImpersonate) at Microsoft.Dynamics.Nav.Service.OwinAuthenticationHelper.AuthenticateForServiceCall(IOwinRequest request, Func`3 createException, IEnumerable`1 bearerValidationExtensions) at Microsoft.Dynamics.Nav.Service.OData.Extensions.HttpRequestMessageExtensions.Authenticate(HttpRequestMessage request) at System.Lazy`1.CreateValue() at System.Lazy`1.LazyInitValue() at Microsoft.Dynamics.Nav.Service.OData.NavServiceEnvironment.CreateNavService(NavCancellationToken cancellationToken) at Microsoft.Dynamics.Nav.Service.OData.Modeling.NavODataCachedModelBuilder`2.Build(INavServiceEnvironment serviceEnvironment) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4RouteBuilder.GetEdmModelWithLogging(IServiceProvider serviceProvider) at lambda_method(Closure , ServiceProviderEngineScope ) at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType) at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider) at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer, Boolean template) at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4PathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4RouteConstraint.Match(HttpRequestMessage request, IHttpRoute route, String parameterName, IDictionary`2 values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.ProcessConstraint(HttpRequestMessage request, Object constraint, String parameterName, HttpRouteValueDictionary values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.ProcessConstraints(HttpRequestMessage request, HttpRouteValueDictionary values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.GetRouteData(String virtualPathRoot, HttpRequestMessage request) at System.Web.Http.HttpRouteCollection.GetRouteData(HttpRequestMessage request) at System.Web.Http.Dispatcher.HttpRoutingDispatcher.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.DelegatingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Web.Http.HttpServer.<SendAsync>d__24.MoveNext() Source: System.IdentityModel.Tokens.Jwt HResult: -2146233088 StackTrace: at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.Dynamics.Nav.Runtime.NavJwtSecurityTokenFactory.CreateAndValidateWithAudienceList(String serializedToken, FederationMetadataProvider federationMetadataProvider, IEnumerable`1 allowedAudiences, String tokenId, NavDiagnostics diagnostics) at Microsoft.Dynamics.Nav.Service.WebServiceBearerAuthenticator.TryAuthenticateUser(String authorizationHeader, Uri requestUrl) at Microsoft.Dynamics.Nav.Service.ServiceAuthenticationHelper.AuthenticateForServiceCall(Uri uri, String authorizationValue, Func`3 createException, IEnumerable`1 bearerValidationExtensions, String userAadObjectIdToImpersonate) at Microsoft.Dynamics.Nav.Service.OwinAuthenticationHelper.AuthenticateForServiceCall(IOwinRequest request, Func`3 createException, IEnumerable`1 bearerValidationExtensions) at Microsoft.Dynamics.Nav.Service.OData.Extensions.HttpRequestMessageExtensions.Authenticate(HttpRequestMessage request) at System.Lazy`1.CreateValue() at System.Lazy`1.LazyInitValue() at Microsoft.Dynamics.Nav.Service.OData.NavServiceEnvironment.CreateNavService(NavCancellationToken cancellationToken) at Microsoft.Dynamics.Nav.Service.OData.Modeling.NavODataCachedModelBuilder`2.Build(INavServiceEnvironment serviceEnvironment) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4RouteBuilder.GetEdmModelWithLogging(IServiceProvider serviceProvider) at lambda_method(Closure , ServiceProviderEngineScope ) at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType) at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider) at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer, Boolean template) at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4PathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4RouteConstraint.Match(HttpRequestMessage request, IHttpRoute route, String parameterName, IDictionary`2 values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.ProcessConstraint(HttpRequestMessage request, Object constraint, String parameterName, HttpRouteValueDictionary values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.ProcessConstraints(HttpRequestMessage request, HttpRouteValueDictionary values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.GetRouteData(String virtualPathRoot, HttpRequestMessage request) at System.Web.Http.HttpRouteCollection.GetRouteData(HttpRequestMessage request) at System.Web.Http.Dispatcher.HttpRoutingDispatcher.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.DelegatingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Web.Http.HttpServer.<SendAsync>d__24.MoveNext()</Data>
</EventData>
</Event>
Any idea how to solve or investigate the problem ?
Thanks
Lorenzo
Trento - Italy
Had the same error today.
Finally we managed to solve this issue. We are now able to communicate with BC on Prem. It was a configuration error in our app registration. So first you have to check your requests with postman and solve these errors.
In the app registration under "Expose an API" we had to add a scope "default". Also we had to add this scope under "API Permissions". In BC we had to "grant access" under "Azure Active Directory Applications". In your request you have to set the scope to "api://YOURAPPID/"
The solution was to first make it work with postman. If you try it directly from your application you will get errors which will lead you to wrong assumptions.

xmlsec1 saml signing: failed to find default node with name="Signature"

I am having a bit of trouble signing the following saml message:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp/sso/assert" ID="id-qOKj7lEjHF9LLlTjt" InResponseTo="_cd59dfa2245177f214bfc5252c873e702ad29640c3" IssueInstant="2018-07-06T07:34:48Z" Version="2.0">
<saml2:Issuer>http://myidp/sso</saml2:Issuer>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_50247aab9621ee91aaca836e20de20dc">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIC8jCCAlugAwIBAgIJAJHg2V5J31I8MA.....</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-RytehFWT2t5Bem6UH" IssueInstant="2018-07-06T07:34:48Z" Version="2.0">
<saml2:Issuer>http://myidp/sso</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test#test.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_cd59dfa2245177f214bfc5252c873e702ad29640c3" NotOnOrAfter="2018-07-06T07:34:48Z" Recipient="https://sp/assert"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2018-07-06T07:34:48Z" NotOnOrAfter="2018-07-08T08:52:24.242Z">
<saml2:AudienceRestriction>
<saml2:Audience>test_audience</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2018-07-06T07:34:48Z" SessionIndex="_72c6639cdbf65c0b2eed63847990b13a">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Whenever I launch the command to sign using xmlsec1, I get the following message:
Error: failed to find default node with name="Signature"
Error: failed to load template "/tmp/test.xml"
Error: failed to sign file "/tmp/test.xml"
As you can see in my SAML message, I already have a Signature tag, and I checked that my XML is valid, so I am a bit stuck right now. Can anyone locate my problem?
It turns out I was missing the signature node in the Assertion part of the message, you need to have both if you want to sign the message AND the assertion.

The response from the identity provider is not valid

saml20.implementation.SAMLFeedbackException: The response from the identity provider is not valid.
Trying to configure SAML2.0 using WSO2 5.4.1 Identity Server
Here is the Metadata file from WSO2 IS.
<?xml version="1.0" encoding="UTF-8"?><EntityDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="localhost">
<IDPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
validUntil="2018-02-28T06:02:51.018Z"><KeyDescriptor use="signing"><KeyInfo
xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
<X509Certificate>
MIIDSTCCAjGgAwIBAgIEAoLQ/TANBgkqhki....WCCq4ZuXl6wVsUz1iE61suO5yWi8=
</X509Certificate></X509Data></KeyInfo></KeyDescriptor><SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://localhost:9443/samlsso"
ResponseLocation="https://localhost:9443/samlsso"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-
format:unspecified</NameIDFormat><SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://localhost:9443/samlsso"/><SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://localhost:9443/samlsso"/></IDPSSODescriptor>
</EntityDescriptor>
Below file is SP generated from SAML
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor entityID="http://localhost:7337/"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDNjCCAh6gAwIBAgI....7YzPhQmQo7pVpn1YLvlNk
IJyZ9RkmZyI+h6ayztkOgc+scflN/j2fdDOufg==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
Redirect" Location="http://localhost:7337/SSO/logout"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
POST" Location="http://localhost:7337/SSO/logout"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://localhost:7337/SSO/assertion" index="1"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://localhost:7337/SSO/assertion" index="2"/>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">NNN</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">NNN</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">www.xyz.com</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="administrative">
<md:GivenName>Test</md:GivenName>
<md:SurName>K</md:SurName>
<md:EmailAddress>test.k#gmail.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
When I am running application it is redirecting me to wso2 login page. After giving username and password and on click on Login button I'm getting this error.
Finally I got it after lot of struggle and working properly.
I was missing a check box to check under SAML2 Web SSO Configuration, see the image below

SAML 2.0 Request to AD FS

I am submitting a SAMLRequest from an HTML form to ADFS. Upon sending the request, I got a form that asks for Username and Password. When I give valid Username and Password and submit the form, it prompts me with the following error:
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and
provide the reference number to identify the problem.
**Reference number**: 5881826a-80a1-4e00-8baa-c477c2348ef1
Here is SAMLRequest:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
AssertionConsumerServiceURL="http://www.someurl.com"
ForceAuthn="false" IsPassive="false"
IssueInstant="2015-04-09T11:17:43.273Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.abc.com/adfs</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ds saml samlp" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>eOh4k4OqoVnNCoCMpKTgqILoLGw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
IvxweY9qkKKy5FrhHn08S2Q0KFeBR26t7N5/nbUXJEyVRpK8UopEnYT361pq5udgTaw3OMpoTIGg
bNLzSVYu91q12XOPTXyyx2UP6yfDq3lgD+5w71t6ziNTXgQuFhr8a2G97p83xOLF5f3l8MrGSjpL
Y7tVBKESAGw+klqVjotM1p5QvB51YVhNkvAy5Fw2jvZVTmjahRg/4wjDplbU1rdHiZ4mumyh5NZT
BwNCx/003ba7jaKEjTze0UG1wb4qtI63P1/7hqWVLGHrArG46Q2qPpiwBNCOpxOlgXOeU/mfOjQG
hMcDv5+3AllzdlrPoQE90WItScPG4yzu8eiYSQ==
</ds:SignatureValue>
</ds:Signature>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Here is the Stack Trace I got from ADFS Event Log:
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 4/7/2015 10:36:41 AM
Event ID: 364
Task Category: None
Level: Error
Keywords: AD FS
User: LTI\sa-adfs
Computer: SOMESERVER.ADMIN.LES.LOCAL
Description:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
<EventID>364</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2015-04-07T14:36:41.375618200Z" />
<EventRecordID>7999</EventRecordID>
<Correlation ActivityID="{4501AAAF-E56D-4553-A6C9-27AC5190A0EA}" />
<Execution ProcessID="4956" ThreadID="2756" />
<Channel>AD FS 2.0/Admin</Channel>
<Computer>250ADFS1.ADMIN.LES.LOCAL</Computer>
<Security UserID="S-1-5-21-2101114347-22087826-926709054-84784" />
</System>
<UserData>
<Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<Data>Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
</Data>
</EventData>
</Event>
</UserData>
</Event>
Is this error due to something missing in SAMLRequest, or It is the ADFS side issue. How to track down this issue and what can be possible reasons that cause this error.
One possible reason is that the request was asking for a Transient NameId. You can check if Relying party trust for that SP has a NameId claim rule to issue a correct one as described in http://blog.auth360.net/2012/09/02/adfs-as-an-identity-provider-and-saml-2-0-saas-application-integration/

How to verify XML Signature using CXF/JAXWS?

I am really having a hard time finding a tutorial that can validate an xml signature using cxf.
I have a signed xml request like this: (NOTE: Signature value, digest value and X509 certificates are dummy values)
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ns="http://namespaces.gsma.org/esim-messaging/1">
<soap:Header/>
<soap:Body>
<ns:Request>
<ns:ParentNode>
<ns:TobeSignedInfo>
<ns:id>010203</ns:id>
<ns:oid>1.3.6.1.4.1.31746</ns:oid>
</ns:TobeSignedInfo>
<ns:SampleAdditionalProperties>
<ns:Property key="myProperty" value="aValue"/>
</ns:SampleAdditionalProperties>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>rE7suDc1EdUOJx6auQsTp8kGfZEe+pq2zaDvsKDMc/A=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
NXwOjw6ZT3NJRGqOluY8lF5/dkrTE89OjgB3z+kI4qmnTka0/hU6y9uihiRsrP+BZAMowhbwnPfy
ThEmTvMr0GGVB/w2pp0635Y8R672KNxZf2j48yFuz6ksyC5eBXVRAEswAt9lRh2ikcC9sULzLnSr
eA6rHNWiEm5v8OH708uZ/GWq4NlxQc8oLkrR634OY53ghPr2K+84vN99yxtGzYDHlTEFFJAyTqif
aUjYEQqcszKcbvf/XvriNcjHlk3kM8AwaQMePngxJatY3rlYWbykZhmwdqBgWrknRkjr5GAWVPEU
Q3aRlfbRYi66LV0UeGrzkinV2z5pwmBNxqc9GNnWMsvq0sWyF0BLSDY7yIz4HZVaeySytmZC21fI
PktCIfv+NRmOtFznkg3utX27Iwmc4kYGfeBXxmPMLOIkhf3dItOtV/8KNA4jW5dJNxnOEXiVXEV+
FJZbeAIet4wBvAfQb6QXcrfuwBp2kCmoYtmObH5Y+AgEf5KxPiGb1kLX
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIExDCCAywCCQC0bmU6MB8PuTANBgkqhkiG9w0BAQUFADCBozELMAkGA1UEBhMCUEgxEDAOBgNV
BAgTB0J1ZW5kaWExDzANBgNVBAcTBk1ha2F0aTEeMBwGA1UEChMVT2JlcnRodXIgVGVjaG5vbG9n
aWVzMSEwHwYDVQQLExhSZXNlYXJjaCBhbmQgRGV2ZWxvcG1lbnQxCzAJBgNVBAMTAk9UMSEwHwYJ
KoZIhvcNAQkBFhJlbWFpbEBvYmVydGh1ci5jb20wHhcNMTQxMDI1MDgzMzE5WhcNMTUxMDI1MDgz
MzE5WjCBozELMAkGA1UEBhMCUEgxEDAOBgNVBAgTB0J1ZW5kaWExDzANBgNVBAcTBk1ha2F0aTEe
MBwGA1UEChMVT2JlcnRodXIgVGVjaG5vbG9naWVzMSEwHwYDVQQLExhSZXNlYXJjaCBhbmQgRGV2
ZWxvcG1lbnQxCzAJBgNVBAMTAk9UMSEwHwYJKoZIhvcNAQkBFhJlbWFpbEBvYmVydGh1ci5jb20w
ggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDEaJeQaBruoMMG5LEdLc6D4aQq/4IXc6tk
kbEyO+2o3Ey3dU/WFSS7DNy86DKPWTG0VKinpFinwic+Be+A36K/eei8wyyv2YuhI1UuKWPsvmkV
mb/klra899jKvid1Jd0oMG8ViQGkpveYdoAfg5IR9k2NSgV1cn3ab26CmwwIpbDuPcMhW0bEXxG+
El67hrLQqpDjIuWRpbxs5prBdG4V79NrR6Pu1goLq9FmHsmKujPAu1gSnNmx61rab8zzVcEG19Fd
huG7ysilzDSeo2YTKs7Lzwp4Zu94T+IJYHYrV4iiB4jVLO7IQCUKB3T4y+9VYHI1fhasRGB1t8eR
CScsKg8IvtMMwjvKv4XK0EdBaLADzvpRVGAiV1hlo3sJ+D+tr/gkJ/ElVjC/90gIVxESwg5XQtPG
kQImde6GDZquEcT5URyvkq/WuMu+3J4NUSMpHDXeel2R8UkiSXs5ONxRyT3Ai3IjXUFhO9EGjFpe
eM1gqSYx3l6DyPSBF1rKHmkCAwEAATANBgkqhkiG9w0BAQUFAAOCAYEAaDkvLk/tzIMJA/3q2zJL
M+N5cPc+OVG8kPJK3aMInXciZRrY+uSyTflVaOpJJu038fN07kMzQePDyRJQENOZK0JsDz2bX1h5
6Z03b34/UdgFR5z3NC++iQNbBFaXjsfcAo45UgEgn7wPdqXQ8bdViHakmCMG43vPzLgp2ZSK0GMt
Pt1Q2qnbWz04Gkjog284RZZ4mpxSA3g8sVypoDTjw3HJhNRCPjq+tTXkOqWK4nNJH5tbwqq9uUjJ
6nTISN5WJ3OIvdLejPNmjMBBcaGVmFkGIBqlfyMZ+SuJiqMJfW/Ccqf640U3tyZDJNeTxMmaqerE
mnihf+sIdPf2RfwbdBPiHdLmmU65yi89b6Bz
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</ns:ParentNode>
</ns:Request>
</soap:Body>
</soap:Envelope>
How can I validate signature using cxf? I saw an implementation of WSPolicy and WSS4JInterceptors and it think it is not fit for this situation because the request doesn't have <wsse:Security> tag. Any thoughts are very much welcome.. Thanks in advance
The WS-Security standard mandates that XML Signature must be in the security header of the request (and not in the SOAP Body as per your example). So your best bet is to grab the SOAP Body (e.g. in a SOAP Handler), and use the Apache Santuario API to validate the signature yourself. Here is some sample code that shows you how to do the latter:
https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-signature/src/test/java/org/apache/coheigea/santuario/xmlsignature/SignatureDOMTest.java
Colm.

Resources