I am having a bit of trouble signing the following saml message:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp/sso/assert" ID="id-qOKj7lEjHF9LLlTjt" InResponseTo="_cd59dfa2245177f214bfc5252c873e702ad29640c3" IssueInstant="2018-07-06T07:34:48Z" Version="2.0">
<saml2:Issuer>http://myidp/sso</saml2:Issuer>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_50247aab9621ee91aaca836e20de20dc">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIC8jCCAlugAwIBAgIJAJHg2V5J31I8MA.....</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-RytehFWT2t5Bem6UH" IssueInstant="2018-07-06T07:34:48Z" Version="2.0">
<saml2:Issuer>http://myidp/sso</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test#test.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_cd59dfa2245177f214bfc5252c873e702ad29640c3" NotOnOrAfter="2018-07-06T07:34:48Z" Recipient="https://sp/assert"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2018-07-06T07:34:48Z" NotOnOrAfter="2018-07-08T08:52:24.242Z">
<saml2:AudienceRestriction>
<saml2:Audience>test_audience</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2018-07-06T07:34:48Z" SessionIndex="_72c6639cdbf65c0b2eed63847990b13a">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Whenever I launch the command to sign using xmlsec1, I get the following message:
Error: failed to find default node with name="Signature"
Error: failed to load template "/tmp/test.xml"
Error: failed to sign file "/tmp/test.xml"
As you can see in my SAML message, I already have a Signature tag, and I checked that my XML is valid, so I am a bit stuck right now. Can anyone locate my problem?
It turns out I was missing the signature node in the Assertion part of the message, you need to have both if you want to sign the message AND the assertion.
Related
I am figuring out the way to use a third party identity provider for apex SSO authentication. Almost i am done with help of SAML SSO
Here is my metadata file by identity provider
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="u2ecyBkedSUsxVldsmYW27kONOp" cacheDuration="PT1440M" entityID="ps.trivadis.com">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#u2ecyBkedSUsxVldsmYW27kONOp">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>Q0tFZzytRiz4POfzapmQCAOYMGdQ4s62D8U2K7YMP4Y=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
F+/8hUvaF+gqud3lt6Ua2BIPcrgdlMyMlghBwQ56yy0mcYv7fkxYlDys/8Ae7Lc6o05aGWesg0/m AeyJXZRwDOjuoeNPKvEK63J2xcPpJthN2XVyVdnfb5owAUuwSjysvMFLl8PQyN2Zoe6iOPXsPEJD PTQ7L2JRcM+WkgPGqxa/I8A4A+odK7BLSy4yVIzkrV3XD7NnQ0uiy7BbyFsPla+LGY08mwwAQhT9 Fe5Om4dWduckDP01JO8PJmdbELwkI5XmtQEsZoPbJsZ4AcjNJjX+5Uzm+CQep1BaxtU7xWisHrhh qd2JC76CJX5FMuyAnCaSqY5WHdBZ9CS0RaA5Fg==
</ds:SignatureValue>
</ds:Signature>
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIC/DCCAeSgAwIBAgIGAW1jcutSMA0GCSqGSIb3DQEBCwUAMD8xCzAJBgNVBAYTAkNIMRQwEgYDVQQKEwtUcml2YWRpcyBBRzEaMBgGA1UEAxMRZnMtdGVzdC52ZXJ0dW0uY2gwHhcNMTkwOTI0MTMyNTM4WhcNMjkwOTIxMTMyNTM4WjA/MQswCQYDVQQGEwJDSDEUMBIGA1UEChMLVHJpdmFkaXMgQUcxGjAYBgNVBAMTEWZzLXRlc3QudmVydHVtLmNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiwEI+qomPi0q8KCh6dLvmdZTbbN/R2uGaUgLZ7AgC/zYpEo1yX6FOpkZi2FK8x55B04NSWAVyF6YxPS2365Bm9aiWXdBLhs6mJJ46SjmuhTEPKWGL2lX7mPDamD5RR7FgNzj6ZM6f7S0Rl2jBoYt8eonYqbD+BcPX2F8YDlUWQfEuAdet7U+IZuE96r885QJS3Fx4CZ1/+IUk9kbKg9BZTutaz30TxGYQ5yC0GGFylMT4YbUA9SRiHeyOZdIiV0c6IzMF50d2VbBd+zcJdfF4Vi0je+G+TdvObJ0B14SVPyXwjBWRXuWsaY9BLIiHJD+DHAafcWpBb4SJWk+QfIVWQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAZBV9Hlfc3YrY/uCMelb+P8wVbnJbhONkTZsI+775FT+mk1cGZMEyUoItcwZg3eFOKWtykpujCPYoqandCvDu0Me6BLDCtUTx+KZrbwJ/xJyKVqWay53hrkcJHGzAv1ZJ5GtIcPpQCH9EYDC6GcmFSYaiJcNHB+TKtgxjyXTvDzuU1v4qsLQQVC0qlKUbyErYvdv7doqn7MnIMTYafJDZwiPh6phXZTswjN47Fkj32Ekt0zOC2oX4uEPTBxk6zCGIIcLsr3Sbns8kbHRcMWRaGUo8wryCDM99HBuwU+QArAqYGEsgZ3sEmEmICeshM/I5jkUHIj/Y+FVgdJqHo35iy
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fs.trivadis.com/idp/SSO.saml2"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://fs.trivadis.com/idp/SSO.saml2"/>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="userPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="SAML_NAME_FORMAT" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="administrative"/>
</md:EntityDescriptor>
i have follwed the simple steps as mention in the above link . but still i am not succeeded or actually logged into the apex via third party identity provider. Please let me know if you want to know some additional info about this setup i will share.
Your link doesn't work for me...not sure what you're trying to set up.
We have SAML2 authentication working with Apex via mod_auth_mellon for Apache (which just went out of support by the creator, but is still in most repos). Set it up to do SAML2 authentication and set an HTTP header with the username, and have Apex Authentication Scheme check the same header to pull in the username. Works well.
saml20.implementation.SAMLFeedbackException: The response from the identity provider is not valid.
Trying to configure SAML2.0 using WSO2 5.4.1 Identity Server
Here is the Metadata file from WSO2 IS.
<?xml version="1.0" encoding="UTF-8"?><EntityDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="localhost">
<IDPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
validUntil="2018-02-28T06:02:51.018Z"><KeyDescriptor use="signing"><KeyInfo
xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
<X509Certificate>
MIIDSTCCAjGgAwIBAgIEAoLQ/TANBgkqhki....WCCq4ZuXl6wVsUz1iE61suO5yWi8=
</X509Certificate></X509Data></KeyInfo></KeyDescriptor><SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://localhost:9443/samlsso"
ResponseLocation="https://localhost:9443/samlsso"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-
format:unspecified</NameIDFormat><SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://localhost:9443/samlsso"/><SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://localhost:9443/samlsso"/></IDPSSODescriptor>
</EntityDescriptor>
Below file is SP generated from SAML
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor entityID="http://localhost:7337/"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDNjCCAh6gAwIBAgI....7YzPhQmQo7pVpn1YLvlNk
IJyZ9RkmZyI+h6ayztkOgc+scflN/j2fdDOufg==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
Redirect" Location="http://localhost:7337/SSO/logout"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
POST" Location="http://localhost:7337/SSO/logout"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://localhost:7337/SSO/assertion" index="1"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://localhost:7337/SSO/assertion" index="2"/>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">NNN</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">NNN</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">www.xyz.com</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="administrative">
<md:GivenName>Test</md:GivenName>
<md:SurName>K</md:SurName>
<md:EmailAddress>test.k#gmail.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
When I am running application it is redirecting me to wso2 login page. After giving username and password and on click on Login button I'm getting this error.
Finally I got it after lot of struggle and working properly.
I was missing a check box to check under SAML2 Web SSO Configuration, see the image below
I created a flow that has an input of a csv file, then uses DataWeave to transform to JSON and then loops through each records and logs the payload - simple, works fine.
I then created the following MUnit using the getResources method of the Mock component; however, when I run the MUnit test, I get the following error:
ERROR:
ERROR 2015-12-06 15:25:48,613 [main]
org.mule.exception.DefaultMessagingExceptionStrategy:
********************************************************************************
Message : Cannot process event as "getCSVAccountsFlow" is
stopped
Code : MULE_ERROR-166
--------------------------------------------------------------------------------
Exception stack is:
1. Cannot process event as "getCSVAccountsFlow" is stopped
(org.mule.api.lifecycle.LifecycleException)
org.mule.construct.AbstractPipeline$ProcessIfPipelineStartedMessageProcessor:440
(http://www.mulesoft.org/docs/site/current3/apidocs/org/mule/api/lifecycle/Lifecy
cleException.html)
--------------------------------------------------------------------------------
Root Exception stack trace:
org.mule.api.lifecycle.LifecycleException: Cannot process event as "getCSVAccountsFlow" is stopped
at org.mule.construct.AbstractPipeline$ProcessIfPipelineStartedMessageProcessor.handleUnaccepted(AbstractPipeline.java:440)
at org.mule.processor.AbstractFilteringMessageProcessor.process(AbstractFilteringMessageProcessor.java:45)
at org.mule.execution.ExceptionToMessagingExceptionExecutionInterceptor.execute(ExceptionToMessagingExceptionExecutionInterceptor.java:24)
+ 3 more (set debug level logging or '-Dmule.verbose.exceptions=true' for everything)
********************************************************************************
MUnit Test:
<mule xmlns:mock="http://www.mulesoft.org/schema/mule/mock" xmlns="http://www.mulesoft.org/schema/mule/core"
xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
xmlns:munit="http://www.mulesoft.org/schema/mule/munit" xmlns:spring="http://www.springframework.org/schema/beans"
xmlns:core="http://www.mulesoft.org/schema/mule/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.mulesoft.org/schema/mule/mock
http://www.mulesoft.org/schema/mule/mock/current/mule-mock.xsd
http://www.mulesoft.org/schema/mule/munit
http://www.mulesoft.org/schema/mule/munit/current/mule-munit.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core
http://www.mulesoft.org/schema/mule/core/current/mule.xsd">
<munit:config name="munit" doc:name="MUnit configuration" />
<spring:beans>
<spring:import resource="classpath:accounts.xml" />
</spring:beans>
<munit:test name="accounts-getCSVAccountsFlowTest"
description="Test">
<mock:when messageProcessor="File" doc:name="File Input"
doc:description="Mocks the File processor that accepts a csv file">
<mock:then-return
payload="#[getResource('input/accounts.csv').asByteArray()]" />
</mock:when>
<flow-ref name="getCSVAccountsFlow" doc:name="Flow-ref to getCSVAccountsFlow" />
<munit:assert-not-null doc:name="Assert Not Null Payload" />
</munit:test>
</mule>
FLOW:
<flow name="getCSVAccountsFlow" initialState="stopped">
<file:inbound-endpoint path="src/main/resources/input"
moveToDirectory="src/main/resources/output" responseTimeout="10000"
doc:name="File">
<file:filename-regex-filter pattern=".*csv"
caseSensitive="false" />
</file:inbound-endpoint>
<dw:transform-message metadata:id="6b5dfac1-0410-40c4-b920-d7fdcd60333c" doc:name="Transform Message">
<dw:set-payload><![CDATA[%dw 1.0
%output application/java
---
payload map ((value , index) -> {
Name: value.Name,
BillingStreet: value.BillingStreet,
BillingCity: value.BillingCity,
BillingState: value.BillingState,
BillingPostalCode: value.BillingPostalCode,
BillingCountry: value.BillingCountry
})]]></dw:set-payload>
</dw:transform-message>
<foreach doc:name="For Each">
<logger message="#[payload]" level="DEBUG" doc:name="Logger" />
</foreach>
<logger message="#[payload]" level="DEBUG" doc:name="Logger" />
</flow>
MUnit test fails because the Flow's Initial State is stopped.
<flow name="getCSVAccountsFlow" initialState="stopped">
Set it to empty by:
Select your flow and open its properties
Inside Flow Configuration section, set Initial State to -- Empty --
Re-run MUnit test
I am submitting a SAMLRequest from an HTML form to ADFS. Upon sending the request, I got a form that asks for Username and Password. When I give valid Username and Password and submit the form, it prompts me with the following error:
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and
provide the reference number to identify the problem.
**Reference number**: 5881826a-80a1-4e00-8baa-c477c2348ef1
Here is SAMLRequest:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
AssertionConsumerServiceURL="http://www.someurl.com"
ForceAuthn="false" IsPassive="false"
IssueInstant="2015-04-09T11:17:43.273Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.abc.com/adfs</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ds saml samlp" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>eOh4k4OqoVnNCoCMpKTgqILoLGw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
IvxweY9qkKKy5FrhHn08S2Q0KFeBR26t7N5/nbUXJEyVRpK8UopEnYT361pq5udgTaw3OMpoTIGg
bNLzSVYu91q12XOPTXyyx2UP6yfDq3lgD+5w71t6ziNTXgQuFhr8a2G97p83xOLF5f3l8MrGSjpL
Y7tVBKESAGw+klqVjotM1p5QvB51YVhNkvAy5Fw2jvZVTmjahRg/4wjDplbU1rdHiZ4mumyh5NZT
BwNCx/003ba7jaKEjTze0UG1wb4qtI63P1/7hqWVLGHrArG46Q2qPpiwBNCOpxOlgXOeU/mfOjQG
hMcDv5+3AllzdlrPoQE90WItScPG4yzu8eiYSQ==
</ds:SignatureValue>
</ds:Signature>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Here is the Stack Trace I got from ADFS Event Log:
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 4/7/2015 10:36:41 AM
Event ID: 364
Task Category: None
Level: Error
Keywords: AD FS
User: LTI\sa-adfs
Computer: SOMESERVER.ADMIN.LES.LOCAL
Description:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
<EventID>364</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2015-04-07T14:36:41.375618200Z" />
<EventRecordID>7999</EventRecordID>
<Correlation ActivityID="{4501AAAF-E56D-4553-A6C9-27AC5190A0EA}" />
<Execution ProcessID="4956" ThreadID="2756" />
<Channel>AD FS 2.0/Admin</Channel>
<Computer>250ADFS1.ADMIN.LES.LOCAL</Computer>
<Security UserID="S-1-5-21-2101114347-22087826-926709054-84784" />
</System>
<UserData>
<Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<Data>Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
</Data>
</EventData>
</Event>
</UserData>
</Event>
Is this error due to something missing in SAMLRequest, or It is the ADFS side issue. How to track down this issue and what can be possible reasons that cause this error.
One possible reason is that the request was asking for a Transient NameId. You can check if Relying party trust for that SP has a NameId claim rule to issue a correct one as described in http://blog.auth360.net/2012/09/02/adfs-as-an-identity-provider-and-saml-2-0-saas-application-integration/
I am really having a hard time finding a tutorial that can validate an xml signature using cxf.
I have a signed xml request like this: (NOTE: Signature value, digest value and X509 certificates are dummy values)
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ns="http://namespaces.gsma.org/esim-messaging/1">
<soap:Header/>
<soap:Body>
<ns:Request>
<ns:ParentNode>
<ns:TobeSignedInfo>
<ns:id>010203</ns:id>
<ns:oid>1.3.6.1.4.1.31746</ns:oid>
</ns:TobeSignedInfo>
<ns:SampleAdditionalProperties>
<ns:Property key="myProperty" value="aValue"/>
</ns:SampleAdditionalProperties>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>rE7suDc1EdUOJx6auQsTp8kGfZEe+pq2zaDvsKDMc/A=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
NXwOjw6ZT3NJRGqOluY8lF5/dkrTE89OjgB3z+kI4qmnTka0/hU6y9uihiRsrP+BZAMowhbwnPfy
ThEmTvMr0GGVB/w2pp0635Y8R672KNxZf2j48yFuz6ksyC5eBXVRAEswAt9lRh2ikcC9sULzLnSr
eA6rHNWiEm5v8OH708uZ/GWq4NlxQc8oLkrR634OY53ghPr2K+84vN99yxtGzYDHlTEFFJAyTqif
aUjYEQqcszKcbvf/XvriNcjHlk3kM8AwaQMePngxJatY3rlYWbykZhmwdqBgWrknRkjr5GAWVPEU
Q3aRlfbRYi66LV0UeGrzkinV2z5pwmBNxqc9GNnWMsvq0sWyF0BLSDY7yIz4HZVaeySytmZC21fI
PktCIfv+NRmOtFznkg3utX27Iwmc4kYGfeBXxmPMLOIkhf3dItOtV/8KNA4jW5dJNxnOEXiVXEV+
FJZbeAIet4wBvAfQb6QXcrfuwBp2kCmoYtmObH5Y+AgEf5KxPiGb1kLX
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIExDCCAywCCQC0bmU6MB8PuTANBgkqhkiG9w0BAQUFADCBozELMAkGA1UEBhMCUEgxEDAOBgNV
BAgTB0J1ZW5kaWExDzANBgNVBAcTBk1ha2F0aTEeMBwGA1UEChMVT2JlcnRodXIgVGVjaG5vbG9n
aWVzMSEwHwYDVQQLExhSZXNlYXJjaCBhbmQgRGV2ZWxvcG1lbnQxCzAJBgNVBAMTAk9UMSEwHwYJ
KoZIhvcNAQkBFhJlbWFpbEBvYmVydGh1ci5jb20wHhcNMTQxMDI1MDgzMzE5WhcNMTUxMDI1MDgz
MzE5WjCBozELMAkGA1UEBhMCUEgxEDAOBgNVBAgTB0J1ZW5kaWExDzANBgNVBAcTBk1ha2F0aTEe
MBwGA1UEChMVT2JlcnRodXIgVGVjaG5vbG9naWVzMSEwHwYDVQQLExhSZXNlYXJjaCBhbmQgRGV2
ZWxvcG1lbnQxCzAJBgNVBAMTAk9UMSEwHwYJKoZIhvcNAQkBFhJlbWFpbEBvYmVydGh1ci5jb20w
ggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDEaJeQaBruoMMG5LEdLc6D4aQq/4IXc6tk
kbEyO+2o3Ey3dU/WFSS7DNy86DKPWTG0VKinpFinwic+Be+A36K/eei8wyyv2YuhI1UuKWPsvmkV
mb/klra899jKvid1Jd0oMG8ViQGkpveYdoAfg5IR9k2NSgV1cn3ab26CmwwIpbDuPcMhW0bEXxG+
El67hrLQqpDjIuWRpbxs5prBdG4V79NrR6Pu1goLq9FmHsmKujPAu1gSnNmx61rab8zzVcEG19Fd
huG7ysilzDSeo2YTKs7Lzwp4Zu94T+IJYHYrV4iiB4jVLO7IQCUKB3T4y+9VYHI1fhasRGB1t8eR
CScsKg8IvtMMwjvKv4XK0EdBaLADzvpRVGAiV1hlo3sJ+D+tr/gkJ/ElVjC/90gIVxESwg5XQtPG
kQImde6GDZquEcT5URyvkq/WuMu+3J4NUSMpHDXeel2R8UkiSXs5ONxRyT3Ai3IjXUFhO9EGjFpe
eM1gqSYx3l6DyPSBF1rKHmkCAwEAATANBgkqhkiG9w0BAQUFAAOCAYEAaDkvLk/tzIMJA/3q2zJL
M+N5cPc+OVG8kPJK3aMInXciZRrY+uSyTflVaOpJJu038fN07kMzQePDyRJQENOZK0JsDz2bX1h5
6Z03b34/UdgFR5z3NC++iQNbBFaXjsfcAo45UgEgn7wPdqXQ8bdViHakmCMG43vPzLgp2ZSK0GMt
Pt1Q2qnbWz04Gkjog284RZZ4mpxSA3g8sVypoDTjw3HJhNRCPjq+tTXkOqWK4nNJH5tbwqq9uUjJ
6nTISN5WJ3OIvdLejPNmjMBBcaGVmFkGIBqlfyMZ+SuJiqMJfW/Ccqf640U3tyZDJNeTxMmaqerE
mnihf+sIdPf2RfwbdBPiHdLmmU65yi89b6Bz
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</ns:ParentNode>
</ns:Request>
</soap:Body>
</soap:Envelope>
How can I validate signature using cxf? I saw an implementation of WSPolicy and WSS4JInterceptors and it think it is not fit for this situation because the request doesn't have <wsse:Security> tag. Any thoughts are very much welcome.. Thanks in advance
The WS-Security standard mandates that XML Signature must be in the security header of the request (and not in the SOAP Body as per your example). So your best bet is to grab the SOAP Body (e.g. in a SOAP Handler), and use the Apache Santuario API to validate the signature yourself. Here is some sample code that shows you how to do the latter:
https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-signature/src/test/java/org/apache/coheigea/santuario/xmlsignature/SignatureDOMTest.java
Colm.