
SAML bearer grant flow using signed assertions fails - signature validation failure



    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.1.0, 7.0.2
    • Fix Version/s: None
    • Component/s: SAML
    • Labels: None
    • Rank:



      Performing a SAML2 Bearer grant flow using an assertion that is signed using default (test) signing keys fails.

      Reproduction steps (as per OPENAM-17322):

      1. Setup two AM servers, e.g. http://idp.amtest2.com:9080/access and http://sp.amtest2.com:7080/access. Both use embedded config and user stores, using port ranges of 59xxx for the IdP and 57xxx for the SP.
      2. On IdP, create a hosted IdP entity of http://idp.amtest2.com:9080/access, metaAlias of /idp.
      3. On SP create a hosted SP entity of http://sp.amtest2.com:7080/access, metaAlias of /sp. On Assertion Content tab, mark Assertions signed to be enabled.
      4. Using export metadata url, http://idp.amtest2.com:9080/access/saml2/jsp/exportmetadata.jsp exported IdP to xml file, then added as a remote IdP to SP.  Added to existing COT.
      5. Repeated above for SP metadata from http://sp.amtest2.com:7080/access/saml2/jsp/exportmetadata.jsp, saved page source to file then imported to IdP as a remote SP. Added to COT. Verified that Assertions were marked as signed.
      6. Verify that an IdP-initiated SSO flow succeeds (can log in at IdP, then SP, and then see the "Single sign-on succeeded" message): http://idp.amtest2.com:9080/access/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=http://sp.amtest2.com:7080/access
      7. Then, on SP, in top level realm…
      8. Add OAuth2Provider service
      9. Create OAuth2 client
        name = ClientID
        password = password
        scope = openid profile
        default scope = openid
        add SAML2 to grant types 
        change authentication type to POST
      10. Using Logback.jsp, enable debug message for Federation logs and OAuth2Provider
      11. Repeat idpSSOInit - http://idp.amtest2.com:9080/access/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=http://sp.amtest2.com:7080/access
      12. Look into the debug log and take the SAML assertion from there. Copy and paste it into an XML file, e.g. /opt/forgerock/saml-assertion-710.xml, and strip all occurrences of the '[CONTINUE]' marker that appears at the start of each continued line in the logs.
      13. Issue the following command to obtain an access token (note this performs a base64url encode of the assertion from the file, mapping '+' to '-' and '/' to '_'): curl -k -v -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=ClientID&client_secret=password" --data-urlencode "assertion=`base64 --wrap=0 /opt/forgerock/saml-assertion-710.xml | sed 's/+/-/g; s/\//_/g';`" http://sp.amtest2.com:7080/access/oauth2/realms/root/access_token

      Expected behaviour:

      Either success (i.e. an access token is returned, if OPENAM-17322 is also resolved) or, if not, the failure reported in OPENAM-17322:

      {"error_description":"Not able to read user information.","error":"unauthorized_client"}


      Current behaviour:

      {"error_description":"Assertion signature is not valid","error":"invalid_grant"}

      Fails on signature verification against the cert. The cert looks to be trusted, but the verification in FMSigProvider.isValidSignature then fails at the call to signature.checkSignatureValue(certificate), which just returns false.

      The flow looks to be using the rsajwtsigningkey (set for saml signing in the default keystore).
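An added diagnostic for the failure above (not part of this report or of OpenAM): it reads the assertion saved in step 12, reports what the embedded ds:Signature names (signature algorithm, Reference URI versus the Assertion ID, and the SHA-256 fingerprint of the KeyInfo certificate, to compare against the key AM verifies with, e.g. rsajwtsigningkey), and produces the base64url value that the sed in step 13 builds. The sample assertion, its certificate bytes and its SignatureValue are constructed placeholders, not real material.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed minimal signed assertion: the X509Certificate content is the
# base64 of the word "placeholder", not a real certificate, and the
# SignatureValue is a dummy. Only the structure mirrors a real AM assertion.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="s2abc" Version="2.0">
  <saml:Issuer>http://idp.amtest2.com:9080/access</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#s2abc">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>cGxhY2Vob2xkZXI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</saml:Assertion>"""


def inspect_signature(xml_bytes: bytes) -> dict:
    """Report what the ds:Signature claims, so the KeyInfo cert can be matched
    against the certificate AM actually verifies with."""
    root = ET.fromstring(xml_bytes)
    assertion_id = root.get("ID")
    sig_method = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
    ref_uri = root.find(".//ds:SignedInfo/ds:Reference", NS).get("URI")
    cert_el = root.find(".//ds:KeyInfo//ds:X509Certificate", NS)
    fingerprint = None
    if cert_el is not None and cert_el.text:
        der = base64.b64decode("".join(cert_el.text.split()))  # drop line breaks
        fingerprint = hashlib.sha256(der).hexdigest()
    return {
        "assertion_id": assertion_id,
        "issuer": root.findtext("saml:Issuer", default=None, namespaces=NS),
        "signature_method": sig_method,
        "reference_uri": ref_uri,
        "reference_matches_id": ref_uri == f"#{assertion_id}",  # must hold or checkSignatureValue fails
        "cert_sha256": fingerprint,
    }


def base64url_encode(data: bytes) -> str:
    """Same transform as the sed in step 13: '+'->'-', '/'->'_', padding kept."""
    return base64.urlsafe_b64encode(data).decode("ascii")
```

Run `inspect_signature(open("/opt/forgerock/saml-assertion-710.xml", "rb").read())` against the real file and compare cert_sha256 with the fingerprint of the cert configured for the hosted IdP's signing key.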





              Assignee: Unassigned
              Reporter: Lawrence Yarham (lawrence.yarham)