Spring Security - "HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid" with Salesforce as IdP for implementing SSO
I've implemented SSO using Spring SAML, and it is working fine. It has worked with the following IdPs till now: 1) idp.ssocircle.com 2) openidp.feide.no
Now I'm testing the salesforce.com identity provider. There is no provision to upload service provider metadata, so I've done the following configuration settings at the IdP:
gave the entityID and assertion consumer service URL, and uploaded the SP certificate. I've downloaded the metadata (IdP metadata), which follows (hiding sensitive information):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://abc-dev-ed.my.salesforce.com"
                     validUntil="2024-04-11T13:55:57.307Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>XXXXXXXXX</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://abc-dev-ed.my.salesforce.com/idp/endpoint/HttpPost"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://abc-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
```
Now when I tried to test the SP, it first redirected me to the IdP (Salesforce) asking for credentials. I entered them, after which it redirected to the assertion consumer service URL (which is the SP). Here an exception is generated saying:
HTTP Status 401 - This request requires HTTP authentication (Authentication Failed: Incoming SAML message is invalid).
I've tried the following, which didn't work :( - Though not necessary, I've downloaded the certificate file from Salesforce and imported it into keystore.jks to make sure that key is used for signature validation (not necessary, since the certificate info is present in the IdP metadata).
Here is what I found in the log file (adding the necessary info after the successful AuthnRequest):
```text
AuthNRequest;SUCCESS;127.0.0.1 .....
.....STARTED_FAILING_HERE.....
Attempting to extract credential from an X509Data
Found 1 X509Certificates
Found 0 X509CRLs
Single certificate was present, treating as end-entity certificate
Credentials extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
A total of 1 credentials were resolved
Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
Attempting to validate signature using key from supplied credential
Creating XMLSignature object
Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
Signature validated with key from supplied credential
Signature validation using candidate credential was successful
Successfully verified signature using KeyInfo-derived credential
Attempting to establish trust of KeyInfo-derived credential
Failed to validate untrusted credential against trusted key
Failed to establish trust of KeyInfo-derived credential
Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
Attempting to verify signature using trusted credentials
Attempting to validate signature using key from supplied credential
Creating XMLSignature object
Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
Signature did not validate against the credential's key
Signature validation using candidate validation credential failed
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)
    at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:142)
    at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:110)
    at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)
    at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:104)
    at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:91)
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:128)
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
    at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
    at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:403)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:301)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:162)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:140)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
Failed to verify signature using either KeyInfo-derived or directly trusted credentials
Validation of protocol message signature failed for context issuer 'https://abc-dev-ed.my.salesforce.com', message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
Updated SecurityContextHolder to contain null Authentication
Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@153a591
```
Can someone please tell me what is going wrong, looking at the above log? Highly appreciated.
Thanks,
Abhilash
Your IdP is using a different key for digital signatures than the one defined in the metadata.
You should inspect the SAML message you received and the element X509Certificate inside the element Signature. Extract the content of the certificate to a separate file, e.g. sales-force-sign.cer.
You then need to import the certificate into samlKeystore.jks; you can find details on how to do this in chapter 4.5 (Key management) of the Spring SAML manual. Make sure to note the alias you import the key with.
As the last step you need to tell Spring SAML to use the newly imported key for signature verifications from the IdP. You should update securityContext.xml and set the ExtendedMetadata property signingKey of the IdP to the value of the alias you used earlier to import the key. Similar to:
```xml
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
                <value type="java.io.File">classpath:salesforce_metadata.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <property name="signingKey" value="sf-proxy"/>
        </bean>
    </constructor-arg>
</bean>
```
Again, you can find details on all of this in the manual.
Alternatively you can add the key extracted from the message to the IdP metadata: manually update the XML file and add a KeyDescriptor with use="signing". This might be faster to do.
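A way to confirm the diagnosis in the answer above before touching the keystore, as an added example that is not part of the question, the answer or Spring SAML: it fingerprints the certificate carried in the Response's ds:Signature, compares it with the signing certificate(s) declared in the IdP metadata, and renders the Signature certificate as PEM for the keytool import. The two XML documents and their certificate bodies are constructed samples (placeholder bytes, not real X.509 data), and the element paths assumed are the standard SAML metadata and XMLDSig KeyInfo layout.

```python
# Compare the cert the IdP actually signed with (inside <ds:Signature>) against the
# signing cert(s) its metadata publishes (<md:KeyDescriptor use="signing">).
# Added example; not code from the question, the answer or the Spring SAML project.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SIG_CERT_PATH = ".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes of a base64 <ds:X509Certificate> value (whitespace ignored)."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()


def metadata_signing_fingerprints(metadata_xml: str) -> set:
    fps = set()
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' serves both purposes
            fps.update(cert_fingerprint(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS))
    return fps


def response_signing_fingerprints(response_xml: str) -> set:
    return {cert_fingerprint(c.text) for c in ET.fromstring(response_xml).iterfind(SIG_CERT_PATH, NS)}


def untrusted_signing_certs(metadata_xml: str, response_xml: str) -> set:
    """Fingerprints the IdP signed with that its metadata does not declare (empty set = keys match)."""
    return response_signing_fingerprints(response_xml) - metadata_signing_fingerprints(metadata_xml)


def pem_from_response(response_xml: str) -> str:
    """PEM text of the first certificate in the Signature, ready to save as a .cer and import."""
    body = "".join(ET.fromstring(response_xml).find(SIG_CERT_PATH, NS).text.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed samples: the certificate bodies are placeholder bytes, not real X.509 data.
META_CERT = base64.b64encode(b"constructed-metadata-cert").decode()
SIGN_CERT = base64.b64encode(b"constructed-signature-cert").decode()
IDP_METADATA = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="https://idp.example/">'
                f'<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
                f'<ds:X509Certificate>{META_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
                '</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')
SAML_RESPONSE = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{NS["ds"]}">'
                 f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SIGN_CERT}</ds:X509Certificate>'
                 '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')
```

A non-empty result from untrusted_signing_certs is exactly the situation in the log above (KeyInfo-derived credential verifies the signature, but trust cannot be established against the metadata key); the same check run on the Response after the fix, or on metadata with the extra KeyDescriptor added, should return an empty set.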