Why does enabling the SAML2SignatureGenerationHandler in IDP configuration cause signature validation to fail on the SP in JBoss?

Solution Verified - Updated -

Issue

When I configure the SAML2SignatureGenerationHandler in the IDP configuration, the following exception is logged on the ServiceProvider (SP) and the authentication fails on the SP:

10:17:07,219 TRACE [org.picketlink.common] (http-/127.0.0.1:8080-2) HTTP method for validating response: POST
10:17:07,223 TRACE [org.picketlink.common] (http-/127.0.0.1:8080-2) Signature validation status: true
10:17:07,223 TRACE [org.picketlink.common] (http-/127.0.0.1:8080-2) [Ref id=null:uri=#ID_d53a520c-b757-4c3f-9922-59e6090215b7]validity status:false
10:17:07,223 ERROR [org.picketlink.common] (http-/127.0.0.1:8080-2) Service Provider could not handle the request.: org.picketlink.common.exceptions.ProcessingException: org.picketlink.common.exceptions.fed.SignatureValidationException: PL00009: Invalid Digital Signature:Signature Validation Failed
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.constructSignatureException(SAML2SignatureValidationHandler.java:157) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:104) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:57) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:101) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:83) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAML2Response(AbstractSPFormAuthenticator.java:488) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:467) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:338) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:266) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
Caused by: org.picketlink.common.exceptions.fed.SignatureValidationException: PL00009: Invalid Digital Signature:Signature Validation Failed
    at org.picketlink.common.DefaultPicketLinkLogger.samlHandlerSignatureValidationFailed(DefaultPicketLinkLogger.java:1578)
    ... 20 more

The IDP's picketlink.xml file looks like the following:

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true" Encrypt="true">
        <IdentityURL>${idp-sig.url::http://localhost:8080/idp-sig/}</IdentityURL>
        <Trust>
            <Domains>localhost,jboss.com,jboss.org,redhat.com,amazonaws.com</Domains>
        </Trust>
        <KeyProvider
            ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
            <Auth Key="KeyStorePass" Value="store123" />
            <Auth Key="SigningKeyPass" Value="test123" />
            <Auth Key="SigningKeyAlias" Value="servercert" />
            <ValidatingAlias Key="localhost" Value="servercert" />
            <ValidatingAlias Key="127.0.0.1" Value="servercert" />
        </KeyProvider>
    </PicketLinkIDP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2EncryptionHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
    </Handlers>
</PicketLink>

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.x
  • PicketLink
    • 2.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In