[OPENAM-10330] Only one X509Certificate element from metadata is used for signature validation
Created: 05/Jan/17 | Updated: 20/Sep/19
Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0
Environment: Mac OS X - 10.11.6, java version "1.8.0_111"
Configure OpenAM as a SAML IdP and try to import the metadata of a remote SP whose signing KeyDescriptor contains multiple X509Certificate elements, as permitted by https://www.w3.org/TR/xmldsig-core/#sec-X509Data.
SAML SP-initiated SSO fails with
However, the root cause is that com.sun.identity.saml2.key.KeyUtil.getVerificationCerts(RoleDescriptorType roleDescriptor, String entityID, String role) does not extract both certificates but only one.
Comment by Peter Major (Inactive) [05/Jan/17]
As long as OpenAM extracted the certificate with "signing" use, the implementation is correct.
Comment by Bernhard Thalmayr [12/Jan/17]
Workaround: Instead of specifying multiple certificates via the X509Certificate element as described in the XML-Signature spec, multiple <KeyDescriptor use="signing"> elements can be used as described in the SAML metadata spec.
However, I still have the feeling both ways should be possible.
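The two metadata layouts discussed in this issue (one signing KeyDescriptor with several X509Certificate children, versus several signing KeyDescriptor elements with one certificate each) are shown below in an added Python example. This is not OpenAM's code and not part of the issue; the metadata documents and certificate values are constructed placeholders, and the "first certificate only" function is a simplified illustration of the reported behaviour, not a copy of KeyUtil.getVerificationCerts. A verification routine that collects every certificate from every signing-capable KeyDescriptor accepts both layouts.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata (placeholder strings, not real X.509 certificates).
# Layout 1: ONE signing KeyDescriptor whose X509Data carries TWO X509Certificate
# elements, plus an encryption key that must never be used for signature checks.
SP_META_ONE_KEYDESCRIPTOR = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          CERT-A-PLACEHOLDER
        </ds:X509Certificate>
        <ds:X509Certificate>CERT-B-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CERT-ENC-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Layout 2: the workaround from the comments, TWO signing KeyDescriptor elements
# with one certificate each.
SP_META_TWO_KEYDESCRIPTORS = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CERT-A-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CERT-B-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _cert_text(elem):
    # Base64 certificates in metadata are usually line-wrapped; strip all whitespace
    # so that the same certificate compares equal regardless of formatting.
    return "".join((elem.text or "").split())


def _signing_keydescriptors(metadata_xml, role):
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(f"md:{role}/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and
        # encryption; only an explicit use="encryption" is excluded from verification.
        if kd.get("use") in (None, "signing"):
            yield kd


def all_signing_certs(metadata_xml, role="SPSSODescriptor"):
    """Every certificate usable for signature verification for the given role."""
    certs = []
    for kd in _signing_keydescriptors(metadata_xml, role):
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(_cert_text(cert))
    return certs


def first_cert_per_keydescriptor(metadata_xml, role="SPSSODescriptor"):
    """Simplified illustration of the reported behaviour: only the first
    X509Certificate of each signing KeyDescriptor is kept, so a second
    certificate in the same X509Data is silently dropped."""
    certs = []
    for kd in _signing_keydescriptors(metadata_xml, role):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None:
            certs.append(_cert_text(cert))
    return certs


def can_verify_with(metadata_xml, signer_cert, role="SPSSODescriptor"):
    """Would a message signed with `signer_cert` be accepted against this metadata?"""
    return "".join(signer_cert.split()) in all_signing_certs(metadata_xml, role)


if __name__ == "__main__":
    print("layout 1, all certs:  ", all_signing_certs(SP_META_ONE_KEYDESCRIPTOR))
    print("layout 1, first only: ", first_cert_per_keydescriptor(SP_META_ONE_KEYDESCRIPTOR))
    print("layout 2, all certs:  ", all_signing_certs(SP_META_TWO_KEYDESCRIPTORS))
    print("CERT-B accepted (layout 1):", can_verify_with(SP_META_ONE_KEYDESCRIPTOR, "CERT-B-PLACEHOLDER"))
```

With layout 1 the "first only" variant returns just CERT-A, which is exactly the failure described above: an SP signing with CERT-B is rejected although its metadata lists that certificate. Layout 2 yields the same two certificates under either variant, which is why the workaround in this comment avoids the problem.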
Comment by Peter Major (Inactive) [13/Jan/17]
Thanks for the comment, sadly I have overlooked that the first signing KeyDescriptor had 2 X509Certificate elements... According to saml-dev mailing list the best solution would be to follow the following profile: