
Info

A newer version of this resource is available here

oiosaml.java 11442


The following have been included in this release:

* Fixed an issue with making a POST request without being logged in. After logging in, it was not possible to replay the POST request because the form values were gone. This fix ensures that the form values do not disappear from the original request that was stored in the session.

* Disabled resolution of external entities when parsing XML, in order to prevent XML External Entity (XXE) attacks.
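The XXE fix in the second bullet comes down to how the XML parser is configured before any SAML message is handed to it. As an added example (my code, not part of the oiosaml.java release), the JAXP configuration below rejects a constructed SAML-looking response that carries a DOCTYPE with an external entity while still parsing an ordinary one; the file path in the sample entity is a placeholder, and the class and method names are mine.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class SafeXmlParser {

    // Constructed sample: a SAML-looking document carrying a DOCTYPE with an
    // external entity. The file path is a placeholder; the point is that the
    // DOCTYPE itself is rejected before any entity could be resolved.
    static final String DOC_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE samlp:Response [\n"
      + "  <!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\">\n"
      + "]>\n"
      + "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">&ext;</samlp:Response>";

    // Constructed sample: an ordinary (DOCTYPE-free) response element.
    static final String PLAIN_DOC =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_abc\"/>";

    /** Factory with DTD processing and external entity resolution switched off. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for SAML and XML-DSig processing
        // Strongest single setting: no DOCTYPE means no entity declarations at all,
        // so neither file disclosure nor entity expansion (billion laughs) has anything to work with.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DOCTYPE: never fetch external entities or DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        try {
            // JAXP 1.5 properties: forbid every external DTD/schema access protocol.
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException olderParser) {
            // Parser predates JAXP 1.5; the features above still hold.
        }
        return f;
    }

    /** Parses untrusted XML; a document with a DOCTYPE makes the parser throw SAXException. */
    static Document parse(String xml) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        // Even if a resolver is consulted, it hands back nothing rather than fetching anything.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document root: " + parse(PLAIN_DOC).getDocumentElement().getLocalName());
        try {
            parse(DOC_WITH_DOCTYPE);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

With disallow-doctype-decl set, parsing fails at the DOCTYPE before any entity is declared, which also removes entity-expansion denial of service; the other features and the empty EntityResolver only matter where a DOCTYPE has to be allowed. In OpenSAML-based code the same features belong on the parser pool the library uses rather than on a factory created elsewhere, since the library's parser is the one that sees the incoming response.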

Files and references

Title                    Type
oiosaml.java-11442.zip   application/octet-stream

Next oiosaml.java release?

Toby Stuart

Hello

Will there be another release of the OIOSAML for Java?  There does not appear to have been a release since February 2014.  Is the project dead?  If not, is there a roadmap?

Thanks


Unable to Validate SAML message!

Morten Binderup-Ernstsen

Hi,

Now and again we are having some issues with the SAMLAssertionConsumer servlet. As expected one gets redirected to the IdP when accessing our application, but sometimes the following error view is shown by the SAMLAssertionConsumer servlet, after successfully authenticating at the IdP:

SAMLAssertionConsumer

Looking in the oiosaml-sp-audit.log two different exceptions are thrown, which give rise to the above error:

Dispatch:SAMLAssertionConsumer
'The response is not signed correctly'
dk.itst.oiosaml.sp.model.validation.ValidationException: The response is not signed correctly
        at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:108)
        at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:133)
        at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:94)
        at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:212)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at dk.itst.oiosaml.sp.service.SPFilter.doFilter(SPFilter.java:172)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Unknown Source)
[2015-01-20 14:27:16,074] [INFO ] [ajp-bio-8009-exec-7] [OIOSAML_AUDIT_LOGGER] Session created at: 1421760323452, timeout after 1800 seconds
[2015-01-20 14:27:16,074] [INFO ] [ajp-bio-8009-exec-7] [OIOSAML_AUDIT_LOGGER] Session created at: 1421760323452, timeout after 1800 seconds
[2015-01-20 14:27:16,082] [ERROR] [ajp-bio-8009-exec-7] [OIOSAML_AUDIT_LOGGER] Dispatch:SAMLAssertionConsumer
java.lang.IllegalArgumentException:  Parameter 'SAMLart' is null...
        at dk.itst.oiosaml.sp.service.util.ArtifactExtractor.extract(ArtifactExtractor.java:78)
        at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleGet(SAMLAssertionConsumerHandler.java:110)
        at dk.itst.oiosaml.sp.service.DispatcherServlet.doGet(DispatcherServlet.java:182)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at dk.itst.oiosaml.sp.service.SPFilter.doFilter(SPFilter.java:172)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Unknown Source)

----------------------------- AND -----------------------------

'Request id _[REMOVED] is unknown'
java.lang.IllegalArgumentException: Request id _[REMOVED] is unknown
        at dk.itst.oiosaml.sp.service.session.SingleVMSessionHandler.removeEntityIdForRequest(SingleVMSessionHandler.java:144)
        at dk.itst.oiosaml.sp.model.OIOResponse.getOriginatingIdpEntityId(OIOResponse.java:81)
        at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:127)
        at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:94)
        at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:212)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at dk.itst.oiosaml.sp.service.SPFilter.doFilter(SPFilter.java:172)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Unknown Source)

Btw. users identify themselves via NemLogin (through Wayf).

The only thing we have noticed is that the request cycle seems to pause unusually long when the SAML assertion is received/processed by the SAMLAssertionConsumer.

Any suggestions? 

edited by Morten Binderup-Ernstsen (28.01.2015)

This bug has also been described in another post: http://digitaliser.dk/forum/2817171.

edited by Morten Binderup-Ernstsen (24.02.2015)
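The "Request id ... is unknown" trace above comes from the SP's correlation check: the ID it generated for its own AuthnRequest is stored, and the Response's InResponseTo must name one of those stored, not-yet-consumed IDs, which is what stops a captured response from being replayed or an unsolicited one from logging someone in. As an added example (my code, not oiosaml.java's SingleVMSessionHandler), the class below shows that check in isolation with constructed request IDs and timestamps; class, method and outcome names are mine. The 'SAMLart is null' trace is the same endpoint reached by GET without an artifact parameter, a separate input-validation case that belongs to the artifact binding, not to this check.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

public final class RequestCorrelator {

    enum Outcome { OK, UNSOLICITED, UNKNOWN_REQUEST, EXPIRED }

    /** What the SP remembers about an AuthnRequest it sent. */
    static final class Pending {
        final String idpEntityId;
        final Instant issuedAt;
        Pending(String idpEntityId, Instant issuedAt) { this.idpEntityId = idpEntityId; this.issuedAt = issuedAt; }
    }

    static final class Result {
        final Outcome outcome;
        final String idpEntityId; // only set when outcome == OK
        Result(Outcome outcome, String idpEntityId) { this.outcome = outcome; this.idpEntityId = idpEntityId; }
        @Override public String toString() { return outcome + (idpEntityId == null ? "" : " from " + idpEntityId); }
    }

    private final Map<String, Pending> pending = new ConcurrentHashMap<>();
    private final Duration maxAge;

    RequestCorrelator(Duration maxAge) { this.maxAge = maxAge; }

    /** Call when the SP generates an AuthnRequest: the ID it put in the request and the IdP it went to. */
    void register(String requestId, String idpEntityId, Instant now) {
        pending.put(Objects.requireNonNull(requestId), new Pending(idpEntityId, now));
    }

    /**
     * Call once per Response that reaches the assertion consumer, with its InResponseTo.
     * The entry is removed whatever the outcome, so each ID is usable exactly once and a
     * second delivery of the same Response is rejected as UNKNOWN_REQUEST.
     */
    Result consume(String inResponseTo, Instant now) {
        if (inResponseTo == null || inResponseTo.isEmpty()) {
            return new Result(Outcome.UNSOLICITED, null); // IdP-initiated or forged; reject unless explicitly allowed
        }
        Pending p = pending.remove(inResponseTo);
        if (p == null) {
            // Never issued, already consumed, or stored in a session the SP no longer holds:
            // all three look identical here, which is the case the trace above reports.
            return new Result(Outcome.UNKNOWN_REQUEST, null);
        }
        if (now.isAfter(p.issuedAt.plus(maxAge))) {
            return new Result(Outcome.EXPIRED, null);
        }
        return new Result(Outcome.OK, p.idpEntityId);
    }

    /** Housekeeping: drop logins that were started but never completed. Returns the number removed. */
    int expire(Instant now) {
        int removed = 0;
        for (Iterator<Map.Entry<String, Pending>> it = pending.entrySet().iterator(); it.hasNext();) {
            if (now.isAfter(it.next().getValue().issuedAt.plus(maxAge))) { it.remove(); removed++; }
        }
        return removed;
    }

    public static void main(String[] args) {
        RequestCorrelator c = new RequestCorrelator(Duration.ofMinutes(5));
        Instant t0 = Instant.parse("2015-01-20T13:25:00Z"); // constructed timestamps and IDs
        c.register("_req-1", "https://idp.example.test/metadata", t0);
        c.register("_req-2", "https://idp.example.test/metadata", t0);

        System.out.println("first delivery:  " + c.consume("_req-1", t0.plusSeconds(30)));
        System.out.println("same ID again:   " + c.consume("_req-1", t0.plusSeconds(31)));
        System.out.println("no InResponseTo: " + c.consume(null, t0.plusSeconds(32)));
        System.out.println("late response:   " + c.consume("_req-2", t0.plusMinutes(10)));
        System.out.println("swept entries:   " + c.expire(t0.plusMinutes(10)));
    }
}
```

The design point is that the store consulted at consume time has to be the same one register wrote to: if the pending entry lives in an HTTP session and the browser arrives at the assertion consumer with a different session, the lookup fails exactly as in the audit log, so the session handler's storage choice is part of the correctness of this check, not just a performance detail.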

oiosaml-11442 + Tomcat 7 + ELB over SSL

Olesya Bolobova

Hi,

we're having problems with oiosaml-11442 + Tomcat 7 + ELB over SSL.

We have the following workflow:

1) https://gii-21-90.genhtcc.com/InfoViewApp/  (initial url)

2) https://hub-idp-shared-elb.genhtcc.com/idp/Authn/UserPassword (redirect to IdP)

3) IdP login success

4) https://hub-idp-shared-elb.genhtcc.com/idp/profile/SAML2/Redirect/SSO (internal IdP redirects)

5) POST https://gii-21-90.genhtcc.com/InfoViewApp/saml/SAMLAssertionConsumer (response from IdP to client, everything ok)

6) redirect to http://gii-21-90.genhtcc.com/InfoViewApp/logon.jsp

I believe, OIOSAML is misconfigured somehow.

Could you help, please?

Thank you so much.

HTTP Headers included


Required AttributeStatement in saml response

Jason Winshell

For SSO SAML response messages, oiosaml.java is enforcing a requirement that the assertion contain exactly one AttributeStatement. I think this requirement tracks against the OIO Web SSO Profile V2.0.6 (section 7.1.1):

7.1.1 Main Assertion Element

The assertion must contain exactly one <AuthnStatement> and exactly one <AttributeStatement> element. All other statements are disallowed since they are outside the scope of the profile.

The saml-profiles-2.0-os specification (section 4.1.4.2) indicates that for SSO profile that an AttributeStatement is optional:

Other statements and confirmation methods MAY be included in the assertion(s) at the discretion of the identity provider. In particular, <AttributeStatement> elements MAY be included. The <AuthnRequest> MAY contain an AttributeConsumingServiceIndex XML attribute referencing information about desired or required attributes in [SAMLMeta]. The identity provider MAY ignore this, or send other attributes at its discretion.

I have encountered cases in which an IdP will pass the identity of the authenticated user entirely in the Subject NameID element rather than pass it within an attribute. In such cases, the IdP does not include an AttributeStatement. This causes oiosaml.java, OIOSAMLAssertionValidator to throw an error: "The assertion must contain exactly one AttributeStatement".

I would like to accommodate IdPs that pass the user id in the NameID without the use of attributes. Is there some setting/option that I can enable that will tell oiosaml.java to allow the response assertion to omit an AttributeStatement?

Thanks

Jason

        // There must be exactly one AttributeStatement within the assertion
        if (a.getAttributeStatements().size() != 1) {
            throw new ValidationException("The assertion must contain exactly one AttributeStatement. Contains " + a.getAttributeStatements().size());
        }

The problem described with fewer words :-)

 * * *

The OIO Web SSO Profile V2.0 specification (section 7.1.1) says that an AttributeStatement is optional. Whereas the OIOSAML Profile 2.0 specification says that exactly one Attribute statement is required. OIOSAML.java OIOSAMLAssertionValidator encodes this requirement.

The requirement has been causing nuisance problems with various IdPs I've had to integrate with. For SSO authentication scenarios in which the only piece of information that is needed is the user, the IdP is passing it in the Subject/NameID of the response. It's convenient and makes sense. Forcing the IdP to pass it, redundantly, in an attribute just to meet OIOSAML's "exactly one AttributeStatement" requirement is a nuisance to the IdP operators - it also makes no sense in consideration of the OIO Web SSO Profile V2.0 specification.

Why should an AttributeStatement be required when there is no need to pass an attribute when the one piece of information that is needed - the user id - can be passed in the Subject / NameID? Can't OIOSAML.java have an option to omit the AttributeStatement requirement? I'm inclined to fork the code and comment out the check in the OIOSAMLAssertionValidator.

Thoughts?
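Commenting the check out entirely would let through an assertion that names nobody at all. As an added example (my code, neither Jason's nor the project's validator), the class below turns the rule into a policy: the OIOSAML "exactly one" mode beside a relaxed mode that accepts zero AttributeStatements only when Subject/NameID carries a non-empty value in a NameID format the SP was configured to trust. It runs on constructed assertion XML through a plain namespace-aware DOM parser; class, method and mode names are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public final class AttributeStatementPolicy {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    enum Mode {
        EXACTLY_ONE,                      // OIOSAML profile rule, as OIOSAMLAssertionValidator enforces it
        AT_MOST_ONE_WITH_NAMEID_FALLBACK  // generic SAML 2.0 Web SSO: no AttributeStatement is fine if Subject/NameID names the user
    }

    // Constructed assertion of the kind discussed above: identity only in Subject/NameID.
    static final String NAMEID_ONLY =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_a1\" Version=\"2.0\" IssueInstant=\"2014-02-16T15:30:57Z\">"
      + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
      + "<saml:Subject><saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">"
      + "alice@example.test</saml:NameID></saml:Subject>"
      + "<saml:AuthnStatement AuthnInstant=\"2014-02-16T15:30:57Z\"/>"
      + "</saml:Assertion>";

    // Constructed edge case: neither attributes nor a usable NameID. Must fail in every mode.
    static final String NOBODY = NAMEID_ONLY.replace("alice@example.test", "");

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, so no XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Enforces the statement rules and returns the Subject/NameID value; null means the
     * assertion has an AttributeStatement and the caller takes the identity from the
     * attributes as before. Any policy violation throws.
     */
    static String validate(Document assertion, Mode mode, Set<String> acceptedNameIdFormats) {
        Element root = assertion.getDocumentElement();
        int attributeStatements = count(root, "AttributeStatement");
        int authnStatements = count(root, "AuthnStatement");
        if (authnStatements != 1) {
            throw new IllegalStateException("exactly one AuthnStatement required, found " + authnStatements);
        }
        if (attributeStatements > 1) {
            throw new IllegalStateException("at most one AttributeStatement allowed, found " + attributeStatements);
        }
        if (attributeStatements == 0 && mode == Mode.EXACTLY_ONE) {
            throw new IllegalStateException("exactly one AttributeStatement required, found 0");
        }
        Element subject = child(root, "Subject");
        Element nameId = subject == null ? null : child(subject, "NameID");
        String value = nameId == null ? null : nameId.getTextContent().trim();
        if (attributeStatements == 0) {
            // Relaxing the count is only safe if something else names the user.
            if (value == null || value.isEmpty()) {
                throw new IllegalStateException("no AttributeStatement and no Subject/NameID: the assertion identifies nobody");
            }
            // NameID content is defined by the IdP; only formats this SP was configured for count as a login name.
            if (!acceptedNameIdFormats.contains(nameId.getAttribute("Format"))) {
                throw new IllegalStateException("NameID Format not accepted: '" + nameId.getAttribute("Format") + "'");
            }
        }
        return value;
    }

    /** Direct children only, so a NameID inside SubjectConfirmation is not mistaken for the subject. */
    private static Element child(Element parent, String localName) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && SAML_NS.equals(n.getNamespaceURI()) && localName.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    private static int count(Element parent, String localName) {
        int c = 0;
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && SAML_NS.equals(n.getNamespaceURI()) && localName.equals(n.getLocalName())) c++;
        }
        return c;
    }

    private static void attempt(String label, String xml, Mode mode, Set<String> formats) throws Exception {
        try {
            System.out.println(label + ": accepted, principal=" + validate(parse(xml), mode, formats));
        } catch (IllegalStateException e) {
            System.out.println(label + ": rejected, " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> formats = new HashSet<>(Arrays.asList("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"));
        attempt("NameID only, OIOSAML mode", NAMEID_ONLY, Mode.EXACTLY_ONE, formats);
        attempt("NameID only, relaxed mode", NAMEID_ONLY, Mode.AT_MOST_ONE_WITH_NAMEID_FALLBACK, formats);
        attempt("no identity, relaxed mode", NOBODY, Mode.AT_MOST_ONE_WITH_NAMEID_FALLBACK, formats);
    }
}
```

The accepted-format set is deliberately explicit: an IdP that sends the "unspecified" NameID format (as the Salesforce response further down this page does) is only trusted as a source of login names if the SP operator added that format to the set, because what such a value means is up to the IdP.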


OIOSAML.java Encrypting the Keystore Password in oiosaml-sp.properties file

suraj lal

Hi OIOSAML.Java Team,

I need a confirmation on a property used in the oiosaml-sp.properties file.

When we do the SAML configuration and generate the keystore, the keystore password is stored in the oiosaml-sp.properties file as the oiosaml-sp.certificate.password property in plain text format.

But in the same oiosaml-sp.properties file a comment says that we can use an opaque password or an encrypted password, as below:

# Opaque/encrypted password to the certificate used for signing SAML documents


Can anyone please share whether it's really configurable to use an encrypted keystore password in the oiosaml-sp.properties file.

If it's configurable, please provide sample configuration changes or a link where we can get pointers.

Thanks in Advance


Problem getting oiosaml.java-demo-11442.war to work

nitin gupta

I have downloaded and installed the oiosaml.java-demo-11442.war in a Jetty Server.

I have set up salesforce.com as IDP and have downloaded the metadata for this IDP. I have successfully added this metadata to the oiosaml-demo SP configuration files.

When I try to log in a user using the login link in the oiosaml-demo application, I am redirected to my salesforce IDP and I am able to successfully authenticate in salesforce. I can see the IDP logs in salesforce and can verify that salesforce authenticated the user.

After authentication, I am redirected to my oiosaml-demo SP's AssertionConsumer URL and I get the following error message:

 ---------------------------

The request failed. The reason is:

The response is not signed correctly

I am using a self-signed certificate at the IDP. Could that be the reason for this failure?

Here is the error log trace:

014-02-16 09:31:02,892 [DEBUG] dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler - Calling URL.:/oiosaml.java-demo-11442/saml/SAMLAssertionConsumer?null
2014-02-16 09:31:02,892 [DEBUG] dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler - SessionId..:1wbhx0c43sldi3qijpwutcu0i
2014-02-16 09:31:02,892 [DEBUG] dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler - Got relayState..:RelayState: _6ae926c2-2d06-4afa-88c2-ce645cf586a0
2014-02-16 09:31:02,892 [DEBUG] dk.itst.oiosaml.sp.service.session.SingleVMSessionHandler - Removing id _a68e7ca6-59c4-4af5-8d6c-2c16b8c548fb
2014-02-16 09:31:02,893 [DEBUG] dk.itst.oiosaml.sp.service.session.SingleVMSessionHandler - Entity for request _a68e7ca6-59c4-4af5-8d6c-2c16b8c548fb: https://cws-dev-ed.my.salesforce.com
2014-02-16 09:31:02,894 [DEBUG] dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler - Received SAML Response from https://cws-dev-ed.my.salesforce.com: <?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://1352.servehttp.com:8080/oiosaml.java-demo-11442/saml/SAMLAssertionConsumer" ID="_4176c16538715eba1f553ef59f32588e1392564657080" InResponseTo="_a68e7ca6-59c4-4af5-8d6c-2c16b8c548fb" IssueInstant="2014-02-16T15:30:57.080Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://cws-dev-ed.my.salesforce.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_4176c16538715eba1f553ef59f32588e1392564657080">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp xs xsi"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>qWXmS6HsyN8kULA3mpPW5xPt7qc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
BLfVm+CIyDiyNPj1QlBmF3fRbBBar3tUUxoJ1ufkfJwb0N0PW7RPyFhVb26KJA/C3wpwa79Z68EQ
LMzSlwVHipAl7Zy+ahp1TuOcL4TZqVDMqzqCR2qcN7F0zvCqrFHJiYUx+xeyZwcN6BW/bml0xq4w
5X0gm48yikpJw284thSXLiZ65rexnFoazUJhfxm6iZ7LT1FJ49SWv0gpH1/o+GLpi49fbdFbSQBt
hoXQPEkraTSIVEW8G5PvTe+UIpVeOGfqXyN1rDlCIFN+lq66kTq/i3i7grhrJeCNyqdZ1mR4ZGJR
jectrZxteJfcKGIJls5mfL6oxkIYLW4BXAAz1Q==
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEcjCCA1qgAwIBAgIOAUQvtBVXAAAAAGxBmRUwDQYJKoZIhvcNAQEFBQAwfjEWMBQGA1UEAwwN[...]</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0efa0219a03cdd3174f441c5d202ec961392564657080" IssueInstant="2014-02-16T15:30:57.080Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://cws-dev-ed.my.salesforce.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_0efa0219a03cdd3174f441c5d202ec961392564657080">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>4T41gI9JFyEVTJXFrmcVlREBmeg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
J9BHNMBZ+h5tV76HtmtlFEqzuTwYIFM0GDC995VYekheU1CuLSK+yJook7BDnxaqZh5bfw7OwgIJ
0/pKPW4F/C1CJm16T99DY7cWIS8fC869MIYbhvTxjvNNlikgVhtnsMikWhnyJw/PV8yOXYtNAAp7
JkBHl8iWQw+NE2BHao0fXNL9SY2E+tebZmJw3osUnwPe5Y58GxklLnW8oKLySfaQ9OdviEjc8VZn
VN2bS9TReDrj/AJinXaCdqJq9ynyLbNuxAO/iY06j60ql34OBG/B/Tf2GMwZEX85gDD6ivh6rK4y
E29E85Y7klWgIMF/543Tbrqtl/NNL/KSMTlLog==
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEcjCCA1qgAwIBAgIOAUQvtBVXAAAAAGxBmRUwDQYJKoZIhvcNAQEFBQAwfjEWMBQGA1UEAwwN[...]</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">mamtaaz@gmail.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_a68e7ca6-59c4-4af5-8d6c-2c16b8c548fb" NotOnOrAfter="2014-02-16T15:35:57.080Z" Recipient="http://1352.servehttp.com:8080/oiosaml.java-demo-11442/saml/SAMLAssertionConsumer"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-02-16T15:30:57.080Z" NotOnOrAfter="2014-02-16T15:35:57.080Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AudienceRestriction><saml:Audience>http://saml.1352.servehttp.com</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-02-16T15:30:57.080Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">005i0000002dK8p</saml:AttributeValue></saml:Attribute><saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">mamtaaz@gmail.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="email" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">mamtaaz@gmail.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="is_portal_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">false</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
2014-02-16 09:31:02,895 [ERROR] OIOSAML_AUDIT_LOGGER - Dispatch:SAMLAssertionConsumer <-- 99.99.188.183 1wbhx0c43sldi3qijpwutcu0i '' '' 'The response is not signed correctly'
dk.itst.oiosaml.sp.model.validation.ValidationException: The response is not signed correctly
at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:108)
at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:133)
at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:94)
at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:696)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1568)
at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1539)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:524)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:568)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1110)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:453)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1044)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:199)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:459)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:280)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:229)
at org.eclipse.jetty.io.AbstractConnection$1.run(AbstractConnection.java:505)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)
at java.lang.Thread.run(Thread.java:744)
2014-02-16 09:31:02,895 [ERROR] dk.itst.oiosaml.sp.service.DispatcherServlet - Unable to validate Response
dk.itst.oiosaml.sp.model.validation.ValidationException: The response is not signed correctly
at dk.itst.oiosaml.sp.model.OIOResponse.validateResponse(OIOResponse.java:108)
at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleSAMLResponse(SAMLAssertionConsumerHandler.java:133)
at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handlePost(SAMLAssertionConsumerHandler.java:94)
at dk.itst.oiosaml.sp.service.DispatcherServlet.doPost(DispatcherServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:696)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1568)
at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1539)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:524)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:568)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1110)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:453)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1044)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:199)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:459)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:280)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:229)
at org.eclipse.jetty.io.AbstractConnection$1.run(AbstractConnection.java:505)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)
at java.lang.Thread.run(Thread.java:744)
2014-02-16 09:40:50,337 [DEBUG] dk.itst.oiosaml.sp.metadata.CRLChecker - Running CRL checker task
2014-02-16 09:40:50,337 [DEBUG] dk.itst.oiosaml.sp.metadata.CRLChecker - No OCSP configured for https://cws-dev-ed.my.salesforce.com attempting to extract OCSP location from certificate C=USA, ST=CA, L=San Francisco, O=Salesforce.com, OU=00Di0000000ZGn2, CN=sf_selfsigned
2014-02-16 09:40:50,337 [DEBUG] dk.itst.oiosaml.sp.metadata.CRLChecker - Cannot extract access location of OCSP responder.
java.lang.NullPointerException
at java.io.ByteArrayInputStream.<init>(ByteArrayInputStream.java:106)
at org.bouncycastle.asn1.ASN1InputStream.<init>(Unknown Source)
at dk.itst.oiosaml.sp.metadata.CRLChecker.getOCSPUrl(CRLChecker.java:261)
at dk.itst.oiosaml.sp.metadata.CRLChecker.doOCSPCheck(CRLChecker.java:143)
at dk.itst.oiosaml.sp.metadata.CRLChecker.checkCertificates(CRLChecker.java:99)
at dk.itst.oiosaml.sp.metadata.CRLChecker$1.run(CRLChecker.java:477)
at java.util.TimerThread.mainLoop(Timer.java:555)
at java.util.TimerThread.run(Timer.java:505)
2014-02-16 09:40:50,338 [DEBUG] dk.itst.oiosaml.sp.metadata.CRLChecker - No OCSP access location could be found for https://cws-dev-ed.my.salesforce.com
2014-02-16 09:40:50,338 [DEBUG] dk.itst.oiosaml.sp.metadata.CRLChecker - No CRL configured for https://cws-dev-ed.my.salesforce.com attempting to extract distribution point from certificate C=USA, ST=CA, L=San Francisco, O=Salesforce.com, OU=00Di0000000ZGn2, CN=sf_selfsigned
2014-02-16 09:40:50,338 [DEBUG] dk.itst.oiosaml.sp.metadata.CRLChecker - No CRL url could be found for https://cws-dev-ed.my.salesforce.com
2014-02-16 09:40:50,338 [DEBUG] dk.itst.oiosaml.sp.metadata.CRLChecker - Revocation check failed or could not be performed. Permanent failure.
2014-02-16 09:40:50,338 [INFO] OIOSAML_AUDIT_LOGGER - CRLCHECK <-- null null '' 'Revoked: YES' 'RequestID https://cws-dev-ed.my.salesforce.com'
2014-02-16 09:50:50,338 [DEBUG] dk.itst.oiosaml.sp.metadata.CRLChecker - Running CRL checker task
2014-02-16 09:50:50,339 [DEBUG] dk.itst.oiosaml.sp.metadata.CRLChecker - No OCSP configured for https://cws-dev-ed.my.salesforce.com attempting to extract OCSP location from certificate C=USA, ST=CA, L=San Francisco, O=Salesforce.com, OU=00Di0000000ZGn2, CN=sf_selfsigned
2014-02-16 09:50:50,339 [DEBUG] dk.itst.oiosaml.sp.metadata.CRLChecker - Cannot extract access location of OCSP responder.
java.lang.NullPointerException
at java.io.ByteArrayInputStream.<init>(ByteArrayInputStream.java:106)
at org.bouncycastle.asn1.ASN1InputStream.<init>(Unknown Source)
at dk.itst.oiosaml.sp.metadata.CRLChecker.getOCSPUrl(CRLChecker.java:261)
at dk.itst.oiosaml.sp.metadata.CRLChecker.doOCSPCheck(CRLChecker.java:143)
at dk.itst.oiosaml.sp.metadata.CRLChecker.checkCertificates(CRLChecker.java:99)
at dk.itst.oiosaml.sp.metadata.CRLChecker$1.run(CRLChecker.java:477)
at java.util.TimerThread.mainLoop(Timer.java:555)
at java.util.TimerThread.run(Timer.java:505)

If you are using a self-signed cert you'll have to change the certificate check "specification".

The default specification assumes a cert issued by some authority. A self-signed cert has no parent certificate chain. This causes the default specification to fail when it tries to validate your cert through an OCSP service (it cannot find such a service).

To fix this: either change the IdP cert to a certificate issued through another trusted certificate (remember to exchange metadata again) or change the specification to that of a self-signed cert.

Thank you for confirming my suspicion.

Could you tell me how to change the certificate check "specification" to that of a self-signed certificate?

Is there a property in oiosaml-sp.properties file or in another similar file that I can set to specify this?

Or do I need to change the IDP metadata? Here is the current IDP metadata:

==================

[...]

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

=======================

Thanks,
Nitin

 

Hi Nitin

Unfortunately I was wrong about the "specification": it is only in the .NET version of OIOSAML that you can configure an alternate certificate specification.

You'll have to change the IdP certificate to one that is not self-issued, specifically one that has an OCSP and/or CRL address for revocation checks.

Hi Uffe,

I am struggling with the same as Nitin, and it is causing a problem where changing the IdP certificate is not that easy. Also, it is causing a problem in development and testing environments where we rely on self-signed certificates. Is there a plan to have an option to configure this in the oiosaml setup itself?

To use self-signed certificates, you can set the configuration property

oiosaml-sp.resolve.ignorecert = false

This will ignore certificate chains when validating documents.

We also had a problem implementing encrypted assertions, due to a combination of bugs in OIOSAML.java and OpenSAML2.  The net result is a NullPointerException when trying to process a SAML Response with an encrypted assertion.  I have attached a patch against the current SVN source that fixes this problem.

More details:

OIOSAML.java, once it decrypts an encrypted assertion, attempts to add that decrypted result to the collection of unencrypted assertions for the document.  However, the collection it modifies is actually a filtered collection from OpenSAML.  OpenSAML tries to manage document parent/child relationships, but does this in the wrong order, which results in all parent node references set to null.  This breaks later document tree navigation.

The fix is to not attempt to add the decrypted assertion as an unencrypted assertion, but rather, since that assertion collection is not referenced from any other scope, manage unencrypted/decrypted assertions entirely within the OIOResponse class.  This was partially implemented already, I just made it complete and explicitly commented as to why the original behavior does not work.

This necessitated also decrypting the assertion earlier in the process flow in SAMLAssertionConsumerHandler, as the decrypted version is needed when looking up the originating IDP entity ID.

Hi Greg

Thanks for your input. We very much appreciate it.

It does seem like the code has some issues. We will look into your patch before the next release.

However, in our test environment the code does work with encrypted assertions and has done that for a long time. Do you claim that encrypted assertions fail in all situations or just in a specific context?

Regarding the "oiosaml-sp.resolve.ignorecert" configuration setting the documentation states that:

"Set to true to ignore certificate validation errors when using a SOAP backchannel to the IdP (used for ArtifactResolve requests)"

I have double checked with the code and the documentation seems to be correct. Thus, you still have to follow Uffe's comment in order to get your SP up and running:

"You'll have to change the IdP certificate to one that is not self-issued, specifically one that has an OCSP and/or CRL address for revocation checks."

Best regards

Kasper Møller
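The CRLChecker log in Nitin's trace shows the mechanics behind Uffe's and Kasper's answers: the checker looks for an OCSP responder in the certificate's Authority Information Access extension and for a CRL distribution point, the self-signed Salesforce certificate has neither, the lookup dies with a NullPointerException in ByteArrayInputStream (getExtensionValue returns null for an absent extension), and the checker then records "Revoked: YES" as a permanent failure. As an added example (my code, not the project's CRLChecker), the class below does the same extraction with Bouncy Castle but treats a missing extension as an explicit NO_REVOCATION_INFO result instead of an exception, and demonstrates it on two self-signed certificates it generates itself, one bare and one carrying an OCSP pointer; the class names and the example URLs are mine.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public final class RevocationSources {

    enum Status { OCSP_AVAILABLE, CRL_ONLY, NO_REVOCATION_INFO }

    final List<String> ocspUrls = new ArrayList<>();
    final List<String> crlUrls = new ArrayList<>();

    Status status() {
        if (!ocspUrls.isEmpty()) return Status.OCSP_AVAILABLE;
        if (!crlUrls.isEmpty()) return Status.CRL_ONLY;
        return Status.NO_REVOCATION_INFO;
    }

    /** Reads AIA and CRL-DP; a certificate without them (typical for self-signed) yields empty lists, never an NPE. */
    static RevocationSources fromCertificate(X509Certificate cert) throws IOException {
        RevocationSources r = new RevocationSources();
        byte[] aia = cert.getExtensionValue(Extension.authorityInfoAccess.getId()); // null when absent
        if (aia != null) {
            ASN1Primitive parsed = JcaX509ExtensionUtils.parseExtensionValue(aia);
            for (AccessDescription ad : AuthorityInformationAccess.getInstance(parsed).getAccessDescriptions()) {
                if (AccessDescription.id_ad_ocsp.equals(ad.getAccessMethod())) {
                    String url = uri(ad.getAccessLocation());
                    if (url != null) r.ocspUrls.add(url);
                }
            }
        }
        byte[] crl = cert.getExtensionValue(Extension.cRLDistributionPoints.getId()); // null when absent
        if (crl != null) {
            ASN1Primitive parsed = JcaX509ExtensionUtils.parseExtensionValue(crl);
            for (DistributionPoint dp : CRLDistPoint.getInstance(parsed).getDistributionPoints()) {
                DistributionPointName dpn = dp.getDistributionPoint();
                if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) continue;
                for (GeneralName gn : GeneralNames.getInstance(dpn.getName()).getNames()) {
                    String url = uri(gn);
                    if (url != null) r.crlUrls.add(url);
                }
            }
        }
        return r;
    }

    /** Only URI-typed names are usable as fetch locations; other GeneralName choices are ignored. */
    private static String uri(GeneralName gn) {
        if (gn.getTagNo() != GeneralName.uniformResourceIdentifier) return null;
        return DERIA5String.getInstance(gn.getName()).getString();
    }

    /** Constructed test certificate: self-signed, optionally with an OCSP pointer in AIA. */
    static X509Certificate selfSigned(String cn, String ocspUrl) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name name = new X500Name("CN=" + cn);
        Date now = new Date();
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
            name, BigInteger.ONE, now, new Date(now.getTime() + 86_400_000L), name, kp.getPublic());
        if (ocspUrl != null) {
            b.addExtension(Extension.authorityInfoAccess, false, new AuthorityInformationAccess(
                AccessDescription.id_ad_ocsp, new GeneralName(GeneralName.uniformResourceIdentifier, ocspUrl)));
        }
        return new JcaX509CertificateConverter().getCertificate(
            b.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
    }

    public static void main(String[] args) throws Exception {
        RevocationSources bare = fromCertificate(selfSigned("sf_selfsigned", null));
        System.out.println("self-signed, no extensions: " + bare.status());
        RevocationSources withOcsp = fromCertificate(selfSigned("idp-test", "http://ocsp.example.test/"));
        System.out.println("self-signed with AIA: " + withOcsp.status() + " " + withOcsp.ocspUrls);
    }
}
```

What to do with NO_REVOCATION_INFO is a policy decision that the caller should make explicitly: the checker in the log treats it as revoked, which is the safe default for production, and Kasper's reply makes clear that the ignorecert property does not change that path since it only covers the SOAP backchannel. For a development environment that genuinely has to run with a self-signed IdP certificate, the least risky relaxation is an explicit per-entity-ID allowance that is visible in configuration and in the audit log, never a global skip of revocation checking.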