Maybe this could help identify possible problems with the Service Provider? http://saml.oktadev.com/

The most frequent issue I see in SAML integrations is a missing valid certificate while decoding the (metadata) signature. I guess this is not your problem, so take it just as a note. ;)

ZH

On Mon, Mar 13, 2023 at 7:12 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Zdeněk,
>
> On 3/13/23 12:57, Zdeněk Henek wrote:
> > I have implemented SAML 2.0 Service Provider using
> > https://github.com/spring-attic/spring-security-saml It is not developed
> > anymore, but ...
> >
> > I don't have my dev env available till Sunday, if you would like I could
> > use your Okta configuration next week to connect to my service provider to
> > see how it works.
> >
> > Do you use directly the Shibboleth SP library or any other library to
> > implement Service Provider?
>
> I use the Java XML dsig APIs directly. There is no supporting library
> such as spring-security-saml, Shibboleth, OpenSAML, etc.
>
> > Does your service provider work fine if you use another Identity Provider
> > e.g. MS ADFS server?
>
> Yes. Our code works with other SAML implementations including MS
> AD-SAML, VMWare Identity Manager, PingFed, and a few things where I'm
> not sure what the partner is actually using.
>
> So we know the code we have is /mostly/ applicable. I'm having trouble
> tracking down why this particular provider's SAML responses are failing
> to validate.
>
> Thanks,
> -chris
>
> > On Mon, Mar 13, 2023 at 3:27 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> All,
> >>
> >> I'm having a bit of trouble validating a SAML response which has been
> >> signed by Okta (who know a thing or two about signed XML), and the code
> >> I'm using was written by me using the basic Java XML security APIs, so
> >> I'm thinking there is something off with what I'm doing.
> >>
> >> If anyone has some experience with XMLDSIG in Java, I'd be grateful for
> >> any help you might be able to provide.
> >>
> >> Okta is providing two signatures: one for the assertions and one for the
> >> overall SAML response (i.e. the whole XML document). The signatures
> >> appear to be correct, but "core validation" is failing because of the
> >> <Reference> in the signature.
> >>
> >> I've been single-stepping through the process with a debugger and it
> >> looks like something is going wrong with the XML canonicalization, but
> >> I'm in a little over my head.
> >>
> >> Any help would be appreciated.
> >>
> >> -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
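The failure Chris describes (signatures look right, but "core validation" fails on a <Reference>) is what the plain javax.xml.crypto.dsig API reports when a Reference cannot be dereferenced or its digest over the canonicalized data does not match. The following is an added example, not code from the thread or from any of the libraries named in it: it validates every ds:Signature in a SAML Response with the JDK API alone, pins the key to one taken from IdP metadata (idpKey, assumed to be loaded by the caller) instead of trusting ds:KeyInfo, registers the SAML ID attributes so URI="#..." references resolve, and on failure prints per-Reference expected vs. computed digests to separate a canonicalization problem from a signature problem. Class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.util.Base64;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
public class SamlSignatureCheck { // hypothetical name, added example
    // Validates every ds:Signature in a SAML Response against a key we already trust
    // (idpKey, assumed to come from the IdP metadata) and reports which Reference fails.
    public static boolean validate(byte[] samlXml, PublicKey idpKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this, dsig elements are not matched by namespace
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(samlXml));
        // A DOM parsed without a schema has no ID-typed attributes, so a Reference
        // URI="#_abc" cannot be resolved and core validation fails: register them.
        for (String tag : new String[] {"Response", "Assertion"}) {
            NodeList nl = doc.getElementsByTagNameNS("*", tag);
            for (int i = 0; i < nl.getLength(); i++) {
                Element e = (Element) nl.item(i);
                if (e.hasAttribute("ID")) e.setIdAttribute("ID", true);
            }
        }
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) return false; // unsigned response: reject
        for (int i = 0; i < sigs.getLength(); i++) {
            // ds:KeyInfo is attacker-controlled input, so ignore it and pin the IdP key.
            DOMValidateContext ctx =
                new DOMValidateContext(KeySelector.singletonKeySelector(idpKey), sigs.item(i));
            XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
            if (sig.validate(ctx)) continue;
            // Core validation failed: separate a bad SignatureValue from a bad Reference digest.
            System.err.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference r = (Reference) o;
                boolean ok = r.validate(ctx); // also computes the digest over the canonicalized data
                System.err.printf("Reference %s valid=%b expected=%s computed=%s%n", r.getURI(), ok,
                    Base64.getEncoder().encodeToString(r.getDigestValue()),
                    Base64.getEncoder().encodeToString(r.getCalculatedDigestValue()));
            }
            return false;
        }
        return true;
    }
}
```

A Reference that reports valid=false with a computed digest differing from the expected one points at canonicalization or transform handling of that element, while an unresolvable URI points at the missing ID registration above.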