Picketlink SP errors out during signature validation on a Signed + Encrypted SAML token
sheetul Mar 30, 2015 11:45 AM
Hi,
I am trying to consume a Signed + Encrypted SAML token from ADFS on JBoss-EAP 6.3 using Picketlink version 2.7. The token is decrypted correctly, but during the next step of signature validation the following error is generated:
ERROR [org.picketlink.common] (http-/0.0.0.0:8443-1) Error validating signature:: java.lang.RuntimeException: PL00092: Null Value:Cannot find Signature element
at org.picketlink.common.DefaultPicketLinkLogger.nullValueError(DefaultPicketLinkLogger.java:205)
at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:498) [picketlink-federation-2.7.0.CR3.jar:]
at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:309) [picketlink-federation-2.7.0.CR3.jar:]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:142) [picketlink-federation-2.7.0.CR3.jar:]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:88) [picketlink-federation-2.7.0.CR3.jar:]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:62) [picketlink-federation-2.7.0.CR3.jar:]
at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.7.0.CR3.jar:]
at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:106) [picketlink-federation-2.7.0.CR3.jar:]
at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:88) [picketlink-federation-2.7.0.CR3.jar:]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAML2Response(AbstractSPFormAuthenticator.java:503) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:481) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:342) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:269) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_71]
On debugging I found that the decrypted assertion has all the necessary information for signature validation, but the SAML2SignatureValidationHandler is not working with that decrypted assertion; instead, it is still trying to use the original encrypted SAML token. I am wondering if there is some setting on the SP side that I need to change for the handler chain to work correctly, or whether I am running into a bug. I am enclosing the picketlink.xml for reference.
Thanks.
picketlink.xml.zip 731 bytes
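An added diagnostic example, not part of the post above and not PicketLink code: it checks structurally where the ds:Signature sits in a SAML 2.0 Response, before and after decryption, and whether that signature's single Reference actually points at the element it is nested in. The Response and decrypted Assertion strings are constructed samples with a made-up issuer URL; no cryptographic verification is done, which is the step the handler in the post performs once it has found the element.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed wire-level Response: unsigned envelope holding only an EncryptedAssertion.
RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed plaintext of that EncryptedAssertion: the only signature lives here.
DECRYPTED_ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
  <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
</saml:Assertion>"""

def direct_signature(elem):
    """Return the ds:Signature that is a direct child of elem, or None."""
    return elem.find("ds:Signature", NS)

def signature_covers_element(elem):
    """True if elem's own ds:Signature has exactly one Reference pointing at elem's ID.
    A nested signature whose Reference points elsewhere does not protect elem."""
    sig = direct_signature(elem)
    if sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return len(refs) == 1 and refs[0].get("URI") == "#" + elem.get("ID", "")

def diagnose(response_xml, decrypted_assertion_xml=None):
    """Report signature placement as seen before and after decryption."""
    resp = ET.fromstring(response_xml)
    report = {
        "response_signed": direct_signature(resp) is not None,
        "has_encrypted_assertion": resp.find("saml:EncryptedAssertion", NS) is not None,
        "plain_assertion_signed": any(signature_covers_element(a)
                                      for a in resp.findall("saml:Assertion", NS)),
        "decrypted_assertion_signed": None,
    }
    if decrypted_assertion_xml is not None:
        report["decrypted_assertion_signed"] = signature_covers_element(
            ET.fromstring(decrypted_assertion_xml))
    return report
```

Run against the raw SAMLResponse (base64-decoded) and the decrypted assertion dumped from the debugger; a report with `response_signed` False and `decrypted_assertion_signed` True matches the situation described in the post, where the signature is only visible after decryption.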