[ https://issues.apache.org/jira/browse/NIFI-11694?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Handermann updated NIFI-11694:
------------------------------------
    Summary: SAML logout signature verification failed  (was: SAML logout failed)

> SAML logout signature verification failed
> -----------------------------------------
>
> Key: NIFI-11694
> URL: https://issues.apache.org/jira/browse/NIFI-11694
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.21.0
> Reporter: Beat Fuellemann
> Assignee: David Handermann
> Priority: Major
>
> We activated SAML Authentication with the following configuration:
> {code:java}
> nifi.security.user.saml.request.signing.enabled=false
> nifi.security.user.saml.want.assertions.signed=true
> nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> nifi.security.user.saml.authentication.expiration=1 hours
> nifi.security.user.saml.single.logout.enabled=true
> nifi.security.user.saml.http.client.truststore.strategy=JDK
> nifi.security.user.saml.http.client.connect.timeout=30 secs
> nifi.security.user.saml.http.client.read.timeout=30 secs{code}
> Login works fine.
> But during logout, it looks like NiFi signs the request, even though we set
> "request.signing.enabled=false". This causes the logout to fail on the IdP.
> It gives us the following error:
> {code:java}
> 2023-06-15 06:38:35,629 INFO [NiFi Web Server-78] org.apache.nifi.web.api.AccessResource Logout Request [7b8370e8-752f-484e-8caa-5a8ce3f29caf] Identity [TXXXXX] started
> 2023-06-15 06:38:35,673 DEBUG [NiFi Web Server-78] o.o.xmlsec.algorithm.AlgorithmRegistry Runtime support eval for algorithm URI 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': supported
> 2023-06-15 06:38:35,674 DEBUG [NiFi Web Server-78] o.o.xmlsec.algorithm.AlgorithmRegistry Runtime support eval for algorithm URI 'http://www.w3.org/2001/04/xmlenc#sha256': supported
> 2023-06-15 06:38:35,676 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver Resolved SignatureSigningParameters:
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver Signing credential with key algorithm: RSA
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver Signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver Signature KeyInfoGenerator: present
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver Reference digest method algorithm URI: http://www.w3.org/2001/04/xmlenc#sha256
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver Reference canonicalization algorithm URI: null
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver Canonicalization algorithm URI: http://www.w3.org/2001/10/xml-exc-c14n#
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver HMAC output length: null
> 2023-06-15 06:38:35,678 DEBUG [NiFi Web Server-78] o.opensaml.security.crypto.SigningUtil Computing signature over input using
> private key of type RSA and JCA algorithm ID SHA256withRSA
> 2023-06-15 06:38:35,691 DEBUG [NiFi Web Server-78] o.opensaml.security.crypto.SigningUtil Computed signature:
> {code}
>
> Is there another switch to disable logout request signing?
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
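
The mismatch described in the report can be checked from its two artifacts, the SAML properties and the DEBUG log. This is an added example, not part of the Jira issue or NiFi's own code: the function names are hypothetical, the sample input is constructed from the log shapes shown above, and pairing a logout with a signing event by thread name is a heuristic that assumes DEBUG logging for the OpenSAML loggers.

```python
import re

# Constructed sample input: property names and log message shapes come from the
# report above; request ids and identities are placeholders.
SAMPLE_PROPERTIES = """\
nifi.security.user.saml.request.signing.enabled=false
nifi.security.user.saml.single.logout.enabled=true
"""
SAMPLE_LOG = """\
2023-06-15 06:38:35,629 INFO [NiFi Web Server-78] org.apache.nifi.web.api.AccessResource Logout Request [REQUEST-ID] Identity [USER] started
2023-06-15 06:38:35,678 DEBUG [NiFi Web Server-78] o.opensaml.security.crypto.SigningUtil Computing signature over input using private key of type RSA and JCA algorithm ID SHA256withRSA
2023-06-15 06:39:02,101 INFO [NiFi Web Server-80] org.apache.nifi.web.api.AccessResource Logout Request [OTHER-ID] Identity [USER2] started
"""

# date, time, level, [thread], logger, message
LINE = re.compile(r"^\S+ \S+ \w+ \[([^\]]+)\] (\S+) (.*)$")
LOGOUT = re.compile(r"Logout Request \[([^\]]+)\] Identity \[[^\]]*\] started")


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def signed_logouts(log_text):
    """Logout request ids followed by a signing event on the same thread."""
    pending, signed = {}, []  # pending: thread -> logout id awaiting signing
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        thread, logger, message = m.groups()
        started = LOGOUT.search(message)
        if started:
            pending[thread] = started.group(1)
        elif (logger.endswith("SigningUtil")
              and message.startswith("Computing signature")
              and thread in pending):
            signed.append(pending.pop(thread))
    return signed


def signing_mismatch(props_text, log_text):
    """Signed logout ids when request signing is configured off, else []."""
    key = "nifi.security.user.saml.request.signing.enabled"
    if parse_properties(props_text).get(key, "").lower() != "false":
        return []
    return signed_logouts(log_text)
```

A non-empty result from `signing_mismatch` lists the logout requests that were signed even though `request.signing.enabled` was `false`, which is the condition the reporter observed.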