We are working through consuming an external service whereby we send a request to our service provider who returns the response complete with SAML 2.0 assertion for use in subsequent calls. The service provider also owns the IDP so the interaction between the SP and IDP is on their side.
We've overcome setting expected audience restrictions (http://cxf.547215.n5.nabble.com/Set-expected-audience-for-checkAudienceRestrictions-tp5800748.html), thanks for the assist. Now we are having challenges validating the signature for the SAML assertion.

Using WSHandlerConstants to configure the WSS4JOutInterceptors and WSS4JInInterceptors, in addition to putting configurations into the binding provider request context, we are successful in receiving the response but get the following error when parsing:

    javax.xml.ws.soap.SOAPFaultException: The security token could not be authenticated or authorized

Debugging suggests this is likely an issue with the public key, as the cause is in the Merlin class, which is unable to find a direct trust in either the keystore or the truststore:

    // Search the keystore for the transmitted public key (direct trust). If not found
    // then search the truststore for the transmitted public key (direct trust)
    //
    if (!findPublicKeyInKeyStore(publicKey, keystore, false)
        && !findPublicKeyInKeyStore(publicKey, truststore, true)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }

Log:

    2020-01-27 13:07:15 - Searching keystore for public key Sun RSA public key, 2048 bits
      params: null
      modulus: [...]
      public exponent: [...]
    2020-01-27 13:07:15 - No PublicKey match found in keystore
    2020-01-27 13:07:15 - Searching truststore for public key Sun RSA public key, 2048 bits
      params: null
      modulus: [...]
      public exponent: [...]
    2020-01-27 13:07:15 - No PublicKey match found in truststore

We have the self-signed certificate provided to us by the SP in PEM format, and it is valid through 2025. We also were able to retrieve the certificate directly from the server in DER format. Side-by-side visual inspection using openssl shows them to be the same (though the DER also shows the certificate where the PEM does not). We swapped both formats in cacerts and the truststore with the same result.
Tomcat is able to access the cacerts, as the certificate in question is printed out in the log along with all the others. The CXF logs indicate that the keystore and truststore are loading without issue. Inspecting the stores with keytool indicates all is well also. At this point we are unable to determine what is causing the validation of the signature to fail. Is there anything that you see we've missed, or something else that would cause this issue?

-----
Regards,
RobCodes

--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
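One check the post above does not describe, given here as an added example (it is not code from the original post, from CXF or from WSS4J): the key Merlin walks the stores for is the one carried in the assertion's ds:KeyInfo, not the SP certificate as fetched over TLS, so comparing the PEM and DER copies of that certificate with each other does not establish that the assertion signer's key is in either store. The hypothetical `AssertionKeyCheck` below rebuilds the public key from the assertion's KeyInfo (a bare ds:RSAKeyValue, which is the path that logs "Searching keystore for public key", or an embedded ds:X509Certificate) and runs the same alias walk as the quoted `findPublicKeyInKeyStore` over each keystore you pass it. File paths, store passwords and the class name are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Diagnostic for the "No PublicKey match found" case: extracts the signing key from the
 * SAML assertion's ds:KeyInfo and applies Merlin's direct-trust test (a public-key match
 * against every certificate in a store). Hypothetical tool, not part of CXF or WSS4J.
 */
public class AssertionKeyCheck {
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** The signing key as the assertion presents it: ds:RSAKeyValue first, else ds:X509Certificate. */
    static PublicKey keyFromAssertion(String assertionPath) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The assertion comes from a remote party: refuse DTDs so the parse cannot be used for XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc;
        try (FileInputStream in = new FileInputStream(assertionPath)) {
            doc = dbf.newDocumentBuilder().parse(in);
        }
        Base64.Decoder b64 = Base64.getMimeDecoder(); // tolerates the line breaks XML-DSig emits

        NodeList rsa = doc.getElementsByTagNameNS(DSIG_NS, "RSAKeyValue");
        if (rsa.getLength() > 0) {
            // Bare key in KeyInfo: Merlin.verifyTrust(PublicKey), the path seen in the log above.
            Element kv = (Element) rsa.item(0);
            BigInteger n = new BigInteger(1, b64.decode(child(kv, "Modulus")));
            BigInteger e = new BigInteger(1, b64.decode(child(kv, "Exponent")));
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
        }
        NodeList x509 = doc.getElementsByTagNameNS(DSIG_NS, "X509Certificate");
        if (x509.getLength() > 0) {
            // Embedded certificate: Merlin then tries direct trust on the cert, or a PKIX path build.
            byte[] der = b64.decode(x509.item(0).getTextContent().trim());
            return CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der)).getPublicKey();
        }
        throw new IllegalStateException(
                "ds:KeyInfo carries neither RSAKeyValue nor X509Certificate (a KeyIdentifier or reference?)");
    }

    private static String child(Element parent, String localName) {
        NodeList nl = parent.getElementsByTagNameNS(DSIG_NS, localName);
        if (nl.getLength() == 0) throw new IllegalStateException("missing ds:" + localName);
        return nl.item(0).getTextContent().trim();
    }

    /**
     * Same test as Merlin.findPublicKeyInKeyStore: walk every alias and compare the entry's
     * certificate public key with the assertion key. Encoded SubjectPublicKeyInfo bytes are
     * compared so the result does not depend on a provider's equals() implementation.
     * Returns the matching alias, or null where Merlin would throw FAILED_AUTHENTICATION.
     */
    static String findMatchingAlias(String storePath, char[] password, PublicKey wanted) throws Exception {
        // Default type is PKCS12 on current JDKs; its compatibility mode still reads JKS files.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath)) {
            ks.load(in, password);
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias); // null for secret-key entries
            if (cert != null && Arrays.equals(cert.getPublicKey().getEncoded(), wanted.getEncoded())) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3 || args.length % 2 == 0) {
            System.err.println("usage: AssertionKeyCheck assertion.xml store1 password1 [store2 password2 ...]");
            System.exit(2);
        }
        PublicKey fromAssertion = keyFromAssertion(args[0]);
        System.out.println("Assertion is signed with: " + fromAssertion); // prints modulus/exponent like the Merlin log
        for (int i = 1; i < args.length; i += 2) {
            String alias = findMatchingAlias(args[i], args[i + 1].toCharArray(), fromAssertion);
            System.out.println(args[i] + ": " + (alias == null
                    ? "NO match, Merlin direct trust fails here"
                    : "matches alias '" + alias + "'"));
        }
    }
}
```

Run it against the saved assertion and both stores CXF is configured with, for example `java AssertionKeyCheck assertion.xml $JAVA_HOME/lib/security/cacerts changeit truststore.jks <password>` (paths and the default cacerts password are assumptions). If neither store matches, the assertion is signed with a key other than the one in the certificate the SP handed over, and the certificate that goes into the truststore must be the signer's; if the first branch throws because KeyInfo holds a key identifier or reference rather than a key or certificate, Merlin resolves the key by a different lookup and this direct-trust walk is not the check that is failing.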
