"Signature did not validate against the credential's key" with Junos as IdP

nocheinAndi · Jul 16, 2014 · Viewed 9k times

I've implemented SSO using Spring SAML and everything is working fine for an interaction with idp.ssocircle.com.

Now I am trying to use another identity provider. I have downloaded the metadata of the IdP and have linked it in my Spring XML config. I have also uploaded the metadata of the service provider to the IdP and have linked it in the Spring XML config.

I am redirected to the login page of my IdP and can successfully enter my credentials. But an error like this appears: "Signature did not validate against the credential's key".

There is another Stack Overflow post which describes a similar problem, see "HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid" with Salesforce as IdP for implementing SSO

But I have problems following the solution, because my SAML response captured by Fiddler does not contain an element like "X509Certificate".

Edit: But I have to say that the metadata of my identity provider contains an element like "ds:X509Certificate" in "ds:KeyInfo" with some content. But there is also another empty "ds:KeyInfo" element with an empty "ds:X509Data" element.

Is there something wrong with the configuration of the identity provider?

Can anybody tell me what is happening here?

Complete log file: https://drive.google.com/file/d/0B3RlRCEjz-cvZGQ5aldzaUc0blE/edit?usp=sharing

Thanks in advance,

Andi

Answer

Vladimír Schäfer · Jul 17, 2014

It seems that the Response message is signed using a different certificate than what is included in the IdP metadata. You should ask your IdP to tell you what certificates they use for their signatures and add them to their metadata file. Based on what you say it could also be that the metadata file is simply incomplete or corrupted.

The other option is to add the certificate they provide you to the samlKeystore.jks (and remember the alias). Then define the alias as signingKey on the ExtendedMetadata of your IdP's metadata definition in Spring configuration. You can find details on using the ExtendedMetadata in the Spring SAML manual.

The fact that the key is not included in the Response message is not wrong; Spring SAML knows which keys to use from the metadata and ExtendedMetadata configuration.
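The second option in the answer (import the IdP's signing certificate into samlKeystore.jks and point the IdP's ExtendedMetadata at that alias), written out as an added configuration example. This is not configuration from the original post or from the Spring SAML project; the alias `idp-signing`, the file names `idp-signing.crt`, `security/idp.xml` and `security/samlKeystore.jks`, the keystore password and the bean names `parserPool` and `keyManager` are assumptions you would replace with your own values.

```xml
<!-- Added example (not from the original post). Step 1, on the shell,
     imports the certificate the IdP actually signs with as a trusted
     certificate entry (no private key needed) under an alias of your choice:

       keytool -importcert -alias idp-signing -file idp-signing.crt \
               -keystore security/samlKeystore.jks -storepass nalle123

     Step 2 is the Spring XML below: the keyManager bean loads that keystore,
     and the IdP's ExtendedMetadata names the alias as signingKey, so Spring SAML
     verifies the Response signature against this certificate instead of
     whatever the (incomplete) KeyDescriptor in the IdP metadata provides. -->

<!-- Keystore holding both the SP's own key pair (private entry "apollo",
     used by the SP to sign its requests) and the imported IdP certificate. -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="nalle123"/>
    <constructor-arg>
        <!-- Only private-key entries need a password here; the trusted
             certificate entry "idp-signing" is resolvable without one. -->
        <map>
            <entry key="apollo" value="nalle123"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="apollo"/>
</bean>

<!-- The IdP's metadata, wrapped with an ExtendedMetadata that overrides the
     key used for signature verification. -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:security/idp.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <!-- Alias of the imported IdP certificate in samlKeystore.jks.
                             Signatures on messages from this IdP are validated
                             against this key. -->
                        <property name="signingKey" value="idp-signing"/>
                    </bean>
                </constructor-arg>
                <!-- The metadata file itself is not signed by a key we trust,
                     so do not require a signature on it. -->
                <property name="metadataTrustCheck" value="false"/>
            </bean>
        </list>
    </constructor-arg>
</bean>
```

Before wiring this in, confirm that the certificate you import is really the one the IdP signs with (for example by comparing its fingerprint with what the IdP administrator reports): if it is not, the error in the question will persist, and if it is the wrong issuer's certificate you would be trusting assertions from a party you did not intend. If the IdP later rotates its signing certificate, the alias has to be re-imported or the ExtendedMetadata updated, since Spring SAML will keep checking against the old entry.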