Hi, Prabath Siriwardena mentioned in his book "Advanced API" that a STSClient can get a SAML token from the first STS1 and uses it to authenticate to the second one (STS2) to get a new SAML token from STS2.
So I try to implement this scenario as follows:

1. The STSClient authenticates to STS1 with a Username token and gets a SAML assertion in response: OK
2. Now I secure STS2 with "Transport Binding" and "Supporting Token". Since WSO2 does not have this policy, I register a custom policy for STS2 (as in [1]).
3. I implement a ServiceClient with the STS2 policy above and set the SAML assertion (received from step 1) as the "KEY_CUSTOM_ISSUED_TOKEN". All Rampart configurations also use the default keystore "wso2carbon".

However, STS2 logs a NullPointerException when wso2-wss4j [2] tries to fetch the X.509 credential (in the KeyInfo of the SAML) to validate the signature:

TID: [-1234] [] [2018-10-20 21:28:45,414] DEBUG {org.apache.xml.security.utils.ElementProxy} - setElement("ds:Signature", "")
TID: [-1234] [] [2018-10-20 21:28:45,417] DEBUG {org.apache.xml.security.utils.ElementProxy} - setElement("ds:SignedInfo", "")
TID: [-1234] [] [2018-10-20 21:28:45,417] DEBUG {org.apache.xml.security.utils.ElementProxy} - setElement("ds:SignatureMethod", "")
TID: [-1234] [] [2018-10-20 21:28:45,417] DEBUG {org.apache.xml.security.algorithms.SignatureAlgorithm} - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
TID: [-1234] [] [2018-10-20 21:28:45,418] DEBUG {org.apache.xml.security.algorithms.JCEMapper} - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
TID: [-1234] [] [2018-10-20 21:28:45,418] DEBUG {org.apache.xml.security.algorithms.implementations.SignatureBaseRSA} - Created SignatureRSA using SHA1withRSA
TID: [-1234] [] [2018-10-20 21:28:45,420] DEBUG {org.apache.xml.security.utils.ElementProxy} - setElement("ds:KeyInfo", "")
TID: [-1234] [] [2018-10-20 21:28:45,432] DEBUG {org.apache.ws.security.processor.SAML2TokenProcessor} - SAML2 Token was validated successfully.
TID: [-1234] [] [2018-10-20 21:28:45,437] ERROR {org.apache.axis2.transport.http.AxisServlet} - java.lang.NullPointerException
    at org.apache.ws.security.saml.SAML2Util.validateSignature(SAML2Util.java:437)
    at org.apache.ws.security.processor.SAML2TokenProcessor.handleToken(SAML2TokenProcessor.java:66)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)

and a ClassNotFoundException for JuiCEProviderOpenSSL:

TID: [-1234] [] [2018-10-20 21:28:45,243] DEBUG {org.apache.ws.security.util.Loader} - org.apache.security.juice.provider.JuiCEProviderOpenSSL
java.lang.ClassNotFoundException: org.apache.security.juice.provider.JuiCEProviderOpenSSL
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)

I have been stuck here for several days without further progress. Is my approach correct, or do I misunderstand the concept? Please give me some hints.

I test on WSO2 Identity Provider 5.6.0.

[1] https://sourceforge.net/p/charithablogsam/code/ci/master/tree/resources/policies/axis2service.policy.xml
[2] https://github.com/wso2/wso2-wss4j/blob/release-1.5.11-wso2v17/modules/wss4j/src/org/apache/ws/security/saml/SAML2Util.java#L437

Best,
Joni
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
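Before handing the assertion from STS1 to STS2 it is worth checking what its ds:KeyInfo actually contains, since the stack trace above dies while wss4j resolves the signing credential from it. The following is an added example, not code from the original post, WSO2 or wss4j; the assertion is constructed and its digest and signature values are placeholders.

```python
# Added example (not from the original post, WSO2 or wss4j): report which
# key-reference form the ds:KeyInfo of a signed SAML 2.0 assertion carries,
# so you know what the validating STS will have to resolve.
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

# Constructed sample: a signed assertion whose KeyInfo is empty. DigestValue
# and SignatureValue are placeholders, not real cryptographic output.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0" IssueInstant="2018-10-20T21:28:45Z">
  <saml2:Issuer>https://sts1.example.test</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_abc123"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo/>
  </ds:Signature>
  <saml2:Subject><saml2:NameID>joni</saml2:NameID></saml2:Subject>
</saml2:Assertion>"""


def describe_key_info(assertion_xml: str) -> dict:
    """Return which key-reference forms the assertion's Signature/KeyInfo holds."""
    root = ET.fromstring(assertion_xml)
    sig = root.find("ds:Signature", NS)          # enveloped signature, direct child
    if sig is None:
        return {"signed": False}
    key_info = sig.find("ds:KeyInfo", NS)
    if key_info is None:                         # compare with None: empty elements are falsy
        return {"signed": True, "key_info": False}
    return {
        "signed": True,
        "key_info": True,
        # inline certificate: the validator can take the public key straight from it
        "x509_certificate": key_info.find(".//ds:X509Certificate", NS) is not None,
        # raw public key, no certificate to check against a trust store
        "key_value": key_info.find("ds:KeyValue", NS) is not None,
        # WS-Security reference that must be resolved against the security header
        "security_token_reference": key_info.find("wsse:SecurityTokenReference", NS) is not None,
        "empty": len(list(key_info)) == 0,
    }


if __name__ == "__main__":
    print(describe_key_info(SAMPLE_ASSERTION))
```

Run it against the assertion returned by STS1 (saved to a file) to see which branch the receiving side will take before debugging the STS2 side.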