Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0
Fix Version/s: None
Labels:
Support Ticket IDs:
Configure OpenAM as a SAML IdP and try to import the metadata of a remote SP which includes multiple X509Certificate elements for signing, as described in https://www.w3.org/TR/xmldsig-core/#sec-X509Data.
E.g. excerpt from the SP metadata:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="testSP" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> .... </ds:X509Certificate>
          <ds:X509Certificate> .... </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> .... </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    ....
SAML SP-initiated SSO fails with the following.
Excerpt from the OpenAM Federation debug log:
libSAML2:01/05/2017 02:35:29:922 PM CET: Thread[http-nio-9090-exec-3,5,main]: TransactionId[e0c5ca31-8ab3-4d80-8be0-fc47ff649997-1227] ERROR: FMSigProvider.verify: The cert contained in the document is NOT trusted
libSAML2:01/05/2017 02:35:29:922 PM CET: Thread[http-nio-9090-exec-3,5,main]: TransactionId[e0c5ca31-8ab3-4d80-8be0-fc47ff649997-1227] ERROR: UtilProxySAMLAuthenticator.authenticate: authn request verification failed.
com.sun.identity.saml2.common.SAML2Exception: The signing certificate does not match what's defined in the entity metadata.
    at com.sun.identity.saml2.xmlsig.FMSigProvider.verify(FMSigProvider.java:317)
    at com.sun.identity.saml2.protocol.impl.RequestAbstractImpl.isSignatureValid(RequestAbstractImpl.java:313)
    at org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.authenticate(UtilProxySAMLAuthenticator.java:182)
    at com.sun.identity.saml2.profile.IDPSSOFederate.process(IDPSSOFederate.java:233)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:142)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:102)
    at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:176)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
However, the root cause is that com.sun.identity.saml2.key.KeyUtil.getVerificationCerts(RoleDescriptorType roleDescriptor, String entityID, String role) does not extract both certificates, but only one of them.
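The following is an added example, not OpenAM code and not the implementation of KeyUtil.getVerificationCerts. It models the two behaviours described in this report against metadata shaped like the excerpt above: a correct extraction that collects every X509Certificate under the signing KeyDescriptors (and, per the SAML 2.0 metadata spec, under KeyDescriptors with no use attribute), beside a model of the reported behaviour that stops after the first certificate, and the trust check that the debug log shows failing (the certificate carried in the signed request must equal one of the registered certificates). The certificate values are constructed base64 placeholders, not real X.509 certificates, the SP metadata is a constructed document, and all function names are the example's own.

```python
"""Extract every signing certificate from SAML SP metadata (added example, not OpenAM code)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: base64 of arbitrary bytes standing in for DER
# certificates. They are not real X.509 certificates.
CERT_A = base64.b64encode(b"constructed placeholder for SP signing cert A").decode()
CERT_B = base64.b64encode(b"constructed placeholder for SP signing cert B").decode()
CERT_ENC = base64.b64encode(b"constructed placeholder for SP encryption cert").decode()

# Constructed SP metadata shaped like the excerpt in the report: two
# X509Certificate elements under the signing KeyDescriptor, one under encryption.
SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="testSP" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            {CERT_A}
          </ds:X509Certificate>
          <ds:X509Certificate>{CERT_B}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{CERT_ENC}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def decode_cert(b64_text):
    """Strip the whitespace XML may add around the base64 and decode to DER bytes."""
    return base64.b64decode("".join(b64_text.split()))


def get_verification_certs(metadata_xml, role="SPSSODescriptor"):
    """Return every DER certificate usable for signature verification.

    A KeyDescriptor without a use attribute applies to both signing and
    encryption in SAML 2.0 metadata, so its certificates are included too.
    Encryption-only descriptors are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(f"md:{role}/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for el in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = decode_cert(el.text or "")
            if der and der not in certs:
                certs.append(der)
    return certs


def get_first_verification_cert_only(metadata_xml, role="SPSSODescriptor"):
    """Model of the reported behaviour: stop after the first X509Certificate."""
    root = ET.fromstring(metadata_xml)
    for kd in root.findall(f"md:{role}/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if el is not None:
            return [decode_cert(el.text or "")]
    return []


def signing_cert_is_trusted(cert_b64_from_request, trusted_certs):
    """The check the debug log shows failing: the certificate in the signed
    request's KeyInfo must match one of the certificates in the entity metadata."""
    return decode_cert(cert_b64_from_request) in trusted_certs


if __name__ == "__main__":
    all_certs = get_verification_certs(SP_METADATA)
    first_only = get_first_verification_cert_only(SP_METADATA)
    print(f"{len(all_certs)} verification certs collected; first-only path collected {len(first_only)}")
    for name, cert in (("A", CERT_A), ("B", CERT_B)):
        print(f"request signed with cert {name}: "
              f"all-certs={signing_cert_is_trusted(cert, all_certs)} "
              f"first-only={signing_cert_is_trusted(cert, first_only)}")
```

Run stand-alone, the script shows a request signed with the second certificate being rejected by the first-only path while the full extraction accepts it, which is the symptom in the log above; comparison is done on decoded DER bytes so that line wrapping inside the X509Certificate element does not produce a spurious mismatch.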