Hi Achini,
If you are trying this flow just for testing purposes, a quick solution is
to turn off signature validation of the SAML response and assertion using the
following two properties in the SAML2SSOAuthenticator configuration in the
authenticators.xml file.
<Parameter name="ResponseSignatureValidationEnabled">false</Parameter>
<Parameter name="AssertionSignatureValidationEnabled">false</Parameter>
By default, the above are commented out.
If you need to enable the response and assertion signature validation and
get it working, then set the above two properties to true and add the
following property as well.
<Parameter name="IdPCertAlias">wso2carbon</Parameter>
Here you need to give the certificate alias of the public certificate of
the signing entity, which should be IS itself in this case. (If it is a
different entity, then we need to import the certificate into
wso2carbon.jks with some alias and provide that alias in the above property.)
Thanks,
TharinduE
On Thu, Aug 2, 2018 at 7:25 AM Achini Jayasena <[email protected]> wrote:
> Hi All,
>
> Signature validation failed in the following scenario.
>
> *Scenario:* IAM itself enables multi-factor authentication (scenario 05)
> and SP creation from metadata URL configurations.
>
> *Test steps:*
> Step 01: Create user
> Step 02: Create IDP (twitter)
> Step 03: Create SP for carbon server from metadata file URL configurations
> (please find the metadata file attached herewith)
> Step 04: Update SP to enable MFA
>
> <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsd="http://org.apache.axis2/xsd"
> xmlns:xsd1="http://model.common.application.identity.carbon.wso2.org/xsd">
> <soapenv:Header />
> <soapenv:Body>
> <xsd:updateApplication>
> <!--Optional:-->
> <xsd:serviceProvider>
> <!--Optional:-->
> <xsd1:applicationID>${appID}</xsd1:applicationID>
> <xsd1:applicationName>${spname}</xsd1:applicationName>
> <xsd1:description>${spdescription}</xsd1:description>
> <xsd1:inboundAuthenticationConfig>
> <xsd1:inboundAuthenticationRequestConfigs>
> <xsd1:inboundAuthKey>${carbonServer}</xsd1:inboundAuthKey>
> <xsd1:inboundAuthType>samlsso</xsd1:inboundAuthType>
> <xsd1:inboundConfigType>standardAPP</xsd1:inboundConfigType>
> <xsd1:properties>
> <xsd1:confidential>false</xsd1:confidential>
> <xsd1:defaultValue xsd:nil="true" />
> <xsd1:description xsd:nil="true" />
> <xsd1:displayName xsd:nil="true" />
> <xsd1:displayOrder>0</xsd1:displayOrder>
> <xsd1:name>attrConsumServiceIndex</xsd1:name>
> <xsd1:required>false</xsd1:required>
> <xsd1:type xsd:nil="true" />
> <xsd1:value>${serviceIndex}</xsd1:value>
> </xsd1:properties>
> </xsd1:inboundAuthenticationRequestConfigs>
> <xsd1:inboundAuthenticationRequestConfigs>
> <xsd1:friendlyName xsd:nil="true" />
> <xsd1:inboundAuthKey>${carbonServer}</xsd1:inboundAuthKey>
> <xsd1:inboundAuthType>openid</xsd1:inboundAuthType>
> <xsd1:inboundConfigType>standardAPP</xsd1:inboundConfigType>
> </xsd1:inboundAuthenticationRequestConfigs>
> <xsd1:inboundAuthenticationRequestConfigs>
> <xsd1:friendlyName xsd:nil="true" />
> <xsd1:inboundAuthKey>${carbonServer}</xsd1:inboundAuthKey>
> <xsd1:inboundAuthType>passivests</xsd1:inboundAuthType>
> <xsd1:inboundConfigType>standardAPP</xsd1:inboundConfigType>
> </xsd1:inboundAuthenticationRequestConfigs>
> </xsd1:inboundAuthenticationConfig>
> <xsd1:inboundProvisioningConfig>
> <xsd1:provisioningEnabled>false</xsd1:provisioningEnabled>
> <xsd1:provisioningUserStore />
> </xsd1:inboundProvisioningConfig>
> <!-- Configure Multi Steps -->
> <xsd1:localAndOutBoundAuthenticationConfig>
> <!--Optional:-->
> <xsd1:alwaysSendBackAuthenticatedListOfIdPs>false</xsd1:alwaysSendBackAuthenticatedListOfIdPs>
> <!--Zero or more repetitions:-->
> <xsd1:authenticationSteps>
> <!--Optional:-->
> <xsd1:attributeStep>true</xsd1:attributeStep>
> <xsd1:subjectStep>true</xsd1:subjectStep>
> <!--Zero or more repetitions:-->
> <!--Zero or more repetitions:-->
> <xsd1:localAuthenticatorConfigs>
> <!--Optional:-->
> <xsd1:displayName>basic</xsd1:displayName>
> <!--Optional:-->
> <xsd1:enabled>false</xsd1:enabled>
> <!--Optional:-->
> <xsd1:name>BasicAuthenticator</xsd1:name>
> <!--Zero or more repetitions:-->
> <!--Optional:-->
> <xsd1:valid>true</xsd1:valid>
> </xsd1:localAuthenticatorConfigs>
> <!--Optional:-->
> <xsd1:stepOrder>1</xsd1:stepOrder>
> <!--Optional:-->
> </xsd1:authenticationSteps>
> <xsd1:authenticationSteps>
> <!--Optional:-->
> <xsd1:attributeStep>false</xsd1:attributeStep>
> <xsd1:subjectStep>false</xsd1:subjectStep>
> <!--Zero or more repetitions:-->
> <xsd1:federatedIdentityProviders>
> <xsd1:defaultAuthenticatorConfig>
> <xsd1:alais />
> <xsd1:certificate />
> <xsd1:claimConfig />
> <xsd1:displayName>${idpname}</xsd1:displayName>
> <xsd1:enabled>false</xsd1:enabled>
> <xsd1:name>TwitterAuthenticator</xsd1:name>
> <xsd1:valid>true</xsd1:valid>
> </xsd1:defaultAuthenticatorConfig>
> <!--Zero or more repetitions:-->
> <xsd1:federatedAuthenticatorConfigs>
> <xsd1:displayName>${idpname}</xsd1:displayName>
> <xsd1:enabled>false</xsd1:enabled>
> <xsd1:name>TwitterAuthenticator</xsd1:name>
> <xsd1:valid>true</xsd1:valid>
> </xsd1:federatedAuthenticatorConfigs>
> <!--Optional:-->
> <xsd1:identityProviderName>${idpname}</xsd1:identityProviderName>
> <xsd1:enable>false</xsd1:enable>
> <xsd1:primary>false</xsd1:primary>
> <xsd1:federationHub>false</xsd1:federationHub>
> </xsd1:federatedIdentityProviders>
> <!--Optional:-->
> <xsd1:stepOrder>2</xsd1:stepOrder>
> <!--Optional:-->
> </xsd1:authenticationSteps>
> <!--Optional:-->
> <xsd1:authenticationType>flow</xsd1:authenticationType>
> <xsd1:subjectClaimUri>id</xsd1:subjectClaimUri>
> </xsd1:localAndOutBoundAuthenticationConfig>
> <xsd1:outboundProvisioningConfig>
> <xsd1:provisionByRoleList xsd:nil="true" />
> </xsd1:outboundProvisioningConfig>
> <xsd1:permissionAndRoleConfig>
> <xsd1:idpRoles />
> </xsd1:permissionAndRoleConfig>
> <xsd1:saasApp>false</xsd1:saasApp>
> </xsd:serviceProvider>
> </xsd:updateApplication>
> </soapenv:Body></soapenv:Envelope>
>
> Step 04: Change the following tags in the
> <isHome>/repository/conf/security/authenticators.xml file as below.
> <Authenticator name="SAML2SSOAuthenticator" disabled="false">
> <Priority>1</Priority>
> Step 05: Restart the carbon server
> Step 06: Do basic authentication
> Step 07: Do twitter authentication
>
> *Expected result:*
> Navigate to the IS home
>
> *Actual result:*
>
> Error log:
>
> [2018-08-02 06:35:45,738] WARN
> {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler}
> - Subject claim could not be found amongst service provider mapped
> unfiltered local claims
> [2018-08-02 06:35:45,739] WARN
> {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler}
> - Subject claim could not be found. Defaulting to Name Identifier.
> [2018-08-02 06:35:49,612] ERROR
> {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} -
> SAML Response is not signed or response not available. Authentication
> process will be terminated.
> [2018-08-02 06:35:49,613] ERROR
> {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} -
> Authentication Request is rejected. Signature validation failed.
> [2018-08-02 06:35:49,615] WARN
> {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed
> Administrator login attempt 'admin[-1234]' at [2018-08-02 06:35:49,615+0530]
> [2018-08-02 06:35:49,637] ERROR
> {org.wso2.carbon.identity.authenticator.saml2.sso.ui.authenticator.SAML2SSOUIAuthenticator}
> - Authentication failed.
>
> It seems like the certificate is not valid. Please find the certificate
> .jks file attached herewith, which is available in
> <ishome>/repository/resources/security.
>
> Does anyone have an idea what the reason for the issue would be?
>
>
> *Thanks & Best Regards!*
>
> *Achini Jayasena*
> *Software Engineer - QA | WSO2*
>
> Email: [email protected]
> Mobile: +943 882 897
>
>
--
Tharindu Edirisinghe
Associate Technical Lead | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
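The reply above boils down to a configuration question: are the two signature-validation parameters on, and if so, is an IdPCertAlias present? The following audit script is an added example (it is not WSO2 code and is not from either poster). It parses an authenticators.xml, locates the SAML2SSOAuthenticator block and reports the relaxed test-only settings and the missing-alias case. The <Authenticators> root, its xmlns and the <Config> wrapper in the constructed sample documents are assumptions about the file layout; the Authenticator and Parameter lines follow what the thread quotes. Because ElementTree discards XML comments, a commented-out parameter is simply absent, and the script treats an absent parameter as validation enabled (an assumption, since the quoted log shows the validator running against the stock file).

```python
"""Audit the SAML2SSOAuthenticator section of a WSO2 authenticators.xml.

Added example, not WSO2 project code. It checks the three parameters the
reply discusses: ResponseSignatureValidationEnabled,
AssertionSignatureValidationEnabled and IdPCertAlias.
"""
import xml.etree.ElementTree as ET

AUTHENTICATOR = "SAML2SSOAuthenticator"
SIGNATURE_PARAMS = ("ResponseSignatureValidationEnabled",
                    "AssertionSignatureValidationEnabled")

# Assumption: a parameter that is absent from the file (the reply says both are
# commented out by default, and ElementTree drops XML comments when parsing)
# counts as validation ENABLED, because the quoted log shows the validator
# running against the stock configuration. Change this if your build differs.
ABSENT_MEANS_ENABLED = True


def _local(tag):
    """Strip a {namespace} prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def find_authenticator(root, name):
    """Locate <Authenticator name="..."> anywhere under the root."""
    for el in root.iter():
        if _local(el.tag) == "Authenticator" and el.get("name") == name:
            return el
    return None


def parameters(auth_el):
    """Map <Parameter name="...">value</Parameter> entries under one authenticator."""
    return {el.get("name"): (el.text or "").strip()
            for el in auth_el.iter()
            if _local(el.tag) == "Parameter" and el.get("name")}


def audit(xml_text):
    """Return a list of findings; an empty list means the block looks sound."""
    root = ET.fromstring(xml_text)
    auth = find_authenticator(root, AUTHENTICATOR)
    if auth is None:
        return [f"{AUTHENTICATOR} block not found"]
    if auth.get("disabled", "true").strip().lower() != "false":
        return [f"{AUTHENTICATOR} is disabled; set disabled=\"false\" to use it"]

    params = parameters(auth)
    findings = []
    any_enabled = False
    for name in SIGNATURE_PARAMS:
        value = params.get(name)
        if value is None:
            enabled = ABSENT_MEANS_ENABLED
            if not enabled:
                findings.append(f"{name} is absent: validation is off by default")
        else:
            enabled = value.lower() == "true"
            if not enabled:
                findings.append(f"{name}={value}: signature validation is turned off "
                                "(acceptable for a test bed only)")
        any_enabled = any_enabled or enabled
    if any_enabled and not params.get("IdPCertAlias"):
        findings.append("IdPCertAlias is not set: validation is on but no trusted "
                        "IdP certificate alias is configured")
    return findings


# Constructed sample documents (not the shipped file). The <Authenticators>
# root, its xmlns and the <Config> wrapper are assumptions about the layout;
# the Authenticator and Parameter lines follow what the thread quotes.
_HEAD = ('<Authenticators xmlns="http://wso2.org/projects/carbon/carbon.xml">\n'
         '  <Authenticator name="SAML2SSOAuthenticator" disabled="false">\n'
         '    <Priority>1</Priority>\n    <Config>\n'
         '      <Parameter name="ServiceProviderID">carbonServer</Parameter>\n')
_TAIL = '    </Config>\n  </Authenticator>\n</Authenticators>\n'

# Test-bed setting from the reply: both validations explicitly off.
RELAXED_XML = _HEAD + (
    '      <Parameter name="ResponseSignatureValidationEnabled">false</Parameter>\n'
    '      <Parameter name="AssertionSignatureValidationEnabled">false</Parameter>\n') + _TAIL

# Working setting from the reply: both validations on plus the IdP alias.
HARDENED_XML = _HEAD + (
    '      <Parameter name="ResponseSignatureValidationEnabled">true</Parameter>\n'
    '      <Parameter name="AssertionSignatureValidationEnabled">true</Parameter>\n'
    '      <Parameter name="IdPCertAlias">wso2carbon</Parameter>\n') + _TAIL

# Default layout as described: both parameters commented out, no alias.
STOCK_XML = _HEAD + (
    '      <!-- <Parameter name="ResponseSignatureValidationEnabled">true</Parameter> -->\n'
    '      <!-- <Parameter name="AssertionSignatureValidationEnabled">true</Parameter> -->\n') + _TAIL


if __name__ == "__main__":
    for label, doc in (("relaxed", RELAXED_XML), ("hardened", HARDENED_XML),
                       ("stock", STOCK_XML)):
        print(f"{label}: {audit(doc) or ['no findings']}")
```

Run it against a real file with `audit(open(path).read())`; the relaxed sample yields two findings, the hardened sample none, and the stock sample only the missing-alias finding, which is the state the original poster's log corresponds to.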