I imagine the problem is with the KeyValue, and not with the signature algorithm. When you say it can't process the SAML, what is the stack trace you are seeing?
Colm.

On Thu, May 14, 2020 at 12:05 PM Tóth Csaba <[email protected]> wrote:
> Hello!
> I have a system that accepts requests only with a SAML token.
> It worked until the last request.
> Until now the SAML in the request:
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>   <ds:SignedInfo>
>     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>     <ds:Reference URI=" ... ">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>           <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         </ds:Transform>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>       <ds:DigestValue> ... </ds:DigestValue>
>     </ds:Reference>
>   </ds:SignedInfo>
>   <ds:SignatureValue> ... </ds:SignatureValue>
>   <ds:KeyInfo>
>     <ds:X509Data> ...
> but the last request contains a different structure:
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>   <SignedInfo>
>     <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>     <Reference URI=" ... ">
>       <Transforms>
>         <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       </Transforms>
>       <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>       <DigestValue> ... </DigestValue>
>     </Reference>
>   </SignedInfo>
>   <SignatureValue> .... </SignatureValue>
>   <KeyInfo>
>     <KeyName> ... </KeyName>
>     <KeyValue>
>       <RSAKeyValue>
>         <Modulus> ... </Modulus>
>         <Exponent> ... </Exponent>
>       </RSAKeyValue>
>     </KeyValue>
>     <X509Data>
> I noticed two differences between the two requests:
> 1 - one is signed with rsa-sha1, the second with rsa-sha256
> 2 - the second contains <KeyName> and <KeyValue>
> At the validation process, inside
> org.apache.cxf.ws.security.trust.STSSamlAssertionValidator.verifySignedAssertion:
> the SamlAssertionWrapper assertion has SAMLKeyInfo
> (assertion.getSignatureKeyInfo()), but inside the SAMLKeyInfo the
> X509Certificate array is null (not empty, simply null). I am looking for the
> solution: why can't it process the SAML?
>
> Thanx
> Csaba
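An added diagnostic (example code, not from the CXF project or from either participant) that parses both quoted signature shapes with the Python standard library and reports the algorithms used, the children of KeyInfo, and whether an X509Certificate is actually present; the sample signatures are constructed from the thread with placeholder values, and the content of the second sample's X509Data is an assumption, since the thread elides it.

```python
# Added diagnostic, not code from the CXF project or the thread's authors:
# report what a ds:Signature's SignedInfo and KeyInfo contain, so the two
# token shapes can be compared before debugging the validator. Sample
# signatures are constructed from the thread; digest, signature and key
# values are placeholders.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
WEAK = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "http://www.w3.org/2000/09/xmldsig#sha1"}  # SHA-1 based: flag them


def inspect_signature(xml_text):
    # Works for both a 'ds:' prefixed and a default-namespace Signature,
    # because ElementTree resolves both to the same Clark-notation tag.
    sig = ET.fromstring(xml_text)
    if sig.tag != DS + "Signature":
        raise ValueError("root is not ds:Signature")
    sig_alg = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod").get("Algorithm")
    dig_alg = sig.find(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod").get("Algorithm")
    key_info = sig.find(DS + "KeyInfo")
    children = [c.tag.replace(DS, "") for c in key_info] if key_info is not None else []
    # A bare KeyValue is only a public key; trust needs a certificate to chain from.
    has_cert = key_info is not None and key_info.find(f"{DS}X509Data/{DS}X509Certificate") is not None
    return {"signature_method": sig_alg, "digest_method": dig_alg,
            "key_info": children, "has_x509_certificate": has_cert,
            "weak_algorithms": sorted(a for a in {sig_alg, dig_alg} if a in WEAK)}


# Constructed: the earlier shape (ds: prefix, rsa-sha1, X509Data with a certificate).
OLD_SIG = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>"""

# Constructed: the later shape (default namespace, rsa-sha256, KeyName and KeyValue
# before X509Data). The X509Data content is an assumption; the thread elides it.
NEW_SIG = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_a1"><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>PLACEHOLDER</DigestValue></Reference></SignedInfo>
<SignatureValue>PLACEHOLDER</SignatureValue>
<KeyInfo><KeyName>signer</KeyName>
<KeyValue><RSAKeyValue><Modulus>PLACEHOLDER</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>
<X509Data><X509SubjectName>CN=signer</X509SubjectName></X509Data></KeyInfo>
</Signature>"""
```

Run `inspect_signature` on the real token that fails: if `has_x509_certificate` is False, the validator has no certificate to build trust from, which is consistent with the null array reported above.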
