1 Reply Latest reply on Apr 1, 2015 10:26 AM by sheetul

    Picketlink SP errors out during signature validation on a Signed + Encrypted SAML token

    sheetul

      Hi,

       

      I am trying to consume a Signed + Encrypted SAML token from ADFS on JBoss EAP 6.3 using PicketLink version 2.7. The token is decrypted correctly, but during the next step, signature validation, the following error is generated:

       

      ERROR [org.picketlink.common] (http-/0.0.0.0:8443-1) Error validating signature:: java.lang.RuntimeException: PL00092: Null Value:Cannot find Signature element
        at org.picketlink.common.DefaultPicketLinkLogger.nullValueError(DefaultPicketLinkLogger.java:205)
        at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:498) [picketlink-federation-2.7.0.CR3.jar:]
        at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:309) [picketlink-federation-2.7.0.CR3.jar:]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:142) [picketlink-federation-2.7.0.CR3.jar:]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:88) [picketlink-federation-2.7.0.CR3.jar:]
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:62) [picketlink-federation-2.7.0.CR3.jar:]
        at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.7.0.CR3.jar:]
        at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:106) [picketlink-federation-2.7.0.CR3.jar:]
        at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:88) [picketlink-federation-2.7.0.CR3.jar:]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAML2Response(AbstractSPFormAuthenticator.java:503) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:481) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:342) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:269) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_71]

       

      On debugging, I found that the decrypted assertion has all the necessary information for signature validation, but the SAML2SignatureValidationHandler is not working with that decrypted assertion; instead, it is still trying to use the original encrypted SAML token. I am wondering whether there is some setting on the SP side that I need to change for the handler chain to work correctly, or whether I am running into a bug. I am enclosing the picketlink.xml for reference.

       

      Thanks.
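The failure the post describes, shown as an added example in Python that is not part of the original post and not PicketLink's own code. When ADFS signs the Assertion and then encrypts it, the ds:Signature sits inside the EncryptedAssertion's plaintext, so a validator that searches the original samlp:Response finds no Signature element at all; it has to look at the decrypted Assertion. Both XML documents below are constructed by hand with placeholder cipher text, digest and signature values, and `fake_decrypt` is a stand-in for XML-Encryption decryption, not real cryptography. The element and function names are assumptions for illustration; nothing here performs a real XML-DSig check.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes used for the ElementTree path lookups below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample: what the SP receives over the POST binding. The Response
# itself carries no Signature; only an EncryptedAssertion is present.
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>BASE64-CIPHERTEXT-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed sample: the plaintext the SP obtains after decrypting
# EncryptedData. The Signature is a direct child of the Assertion and its
# Reference points at the Assertion's own ID.
DECRYPTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#_a1"><ds:DigestValue>DIGEST-PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SIGNATURE-PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""


def fake_decrypt(response_root):
    """Stand-in for XML-Encryption decryption (an assumption, no real crypto).
    Returns the Assertion that decrypting the EncryptedAssertion would yield."""
    if response_root.find("saml:EncryptedAssertion", NS) is None:
        raise ValueError("no EncryptedAssertion to decrypt")
    return ET.fromstring(DECRYPTED_ASSERTION)


def find_signature(element):
    """Return the ds:Signature that is a direct child of `element`, or None.
    Only a direct child counts: a Signature found elsewhere in the tree does
    not cover `element` and must not be accepted on its behalf."""
    return element.find("ds:Signature", NS)


def has_direct_signature(xml_text):
    """True if the document's root element carries its own ds:Signature."""
    return find_signature(ET.fromstring(xml_text)) is not None


def signed_element_id(signature):
    """ID referenced by the Signature's first Reference (leading '#' removed)."""
    ref = signature.find("ds:SignedInfo/ds:Reference", NS)
    return ref.get("URI", "").lstrip("#") if ref is not None else ""


def locate_signature_for_validation(response_xml):
    """Decide which document a SAML SP must hand to the signature validator.

    Returns (where, element_id):
      ("response", id)  - the Response is signed; validate the Response
      ("assertion", id) - only the decrypted Assertion is signed; validate it
      (None, None)      - nothing is signed; the SP must reject the message
    """
    response = ET.fromstring(response_xml)
    sig = find_signature(response)
    if sig is not None:
        return "response", response.get("ID")
    # Validating the original Response at this point is what produces
    # "Cannot find Signature element": the Signature is inside the cipher text.
    assertion = fake_decrypt(response)
    sig = find_signature(assertion)
    # The Reference must point at the Assertion itself, otherwise a Signature
    # over some other element would be accepted as covering this one.
    if sig is not None and signed_element_id(sig) == assertion.get("ID"):
        return "assertion", assertion.get("ID")
    return None, None


if __name__ == "__main__":
    print("Signature on original Response:", has_direct_signature(ENCRYPTED_RESPONSE))
    print("Signature on decrypted Assertion:", has_direct_signature(DECRYPTED_ASSERTION))
    print("Validate against:", locate_signature_for_validation(ENCRYPTED_RESPONSE))
```

The Reference-ID check in `locate_signature_for_validation` is the caveat worth keeping even once the handler is pointed at the decrypted Assertion: a real validator must confirm that the Signature it finds actually covers the element the SP is about to trust, not merely that some Signature exists somewhere in the document.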