Use ExplicitKeySignatureTrustEngine for validating metadata file
I'm currently implementing Spring SAML 1.0.3 into my Spring Boot 2 server.
I'm part of a SAML federation and I'm given the metadata of all IdPs and SPs in a huge metadata file, and a separate public key to validate the metadata.
The server is failing to validate the metadata using the public key (present in the keystore) on startup, and throws a
org.opensaml.saml2.metadata.provider.FilterException:
Signature trust establishment failed for metadata entry
I think I've concluded that the problem lies in the fact that there is no <KeyInfo/> element inside the metadata <Signature/> element.
The default SignatureTrustEngine implementation that is used is PKIXSignatureTrustEngine, which seems to expect a <KeyInfo/> element inside the <Signature/> element. When it finds none, the metadata validation fails.
I think my problem would be solved by using the ExplicitKeySignatureTrustEngine implementation instead, which doesn't seem to be dependent on a <KeyInfo/> element for metadata validation. This implementation only checks the keys in the configured keystore (where I've put the key).
How do I properly tell Spring SAML to use ExplicitKeySignatureTrustEngine instead of PKIXSignatureTrustEngine as its SignatureTrustEngine when validating the metadata file?
spring spring-boot spring-saml
asked Nov 21 '18 at 9:52 by darksmurf, edited Nov 21 '18 at 10:16
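The following is an added example, not code from the question or from the Spring SAML project. It shows one way to do what the question asks in Spring Boot Java config. It relies on the fact that Spring SAML 1.0.x's MetadataManager builds the SignatureValidationFilter's trust engine in a protected getTrustEngine(MetadataProvider) method, which a subclass can override to return an ExplicitKeySignatureTrustEngine; check that method against the source of the exact version you run. The metadata file path and the keystore alias federation-metadata are hypothetical placeholders, and the class and bean names are the example's own.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.CredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataManager;

@Configuration
public class FederationMetadataConfig {

    // Hypothetical values: the federation's signed aggregate and the keystore alias
    // under which its (out-of-band distributed) metadata signing certificate was imported.
    private static final File FEDERATION_METADATA = new File("/etc/saml/federation-metadata.xml");
    private static final String FEDERATION_SIGNING_ALIAS = "federation-metadata";

    @Bean
    public ExtendedMetadataDelegate federationMetadata(ParserPool parserPool) throws MetadataProviderException {
        FilesystemMetadataProvider provider = new FilesystemMetadataProvider(FEDERATION_METADATA);
        provider.setParserPool(parserPool);
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        delegate.setMetadataTrustCheck(true);       // false would accept any signer (AllowAll engine)
        delegate.setMetadataRequireSignature(true); // an unsigned file must fail, not load silently
        delegate.setMetadataTrustedKeys(Collections.singleton(FEDERATION_SIGNING_ALIAS));
        return delegate;
    }

    @Bean
    public MetadataManager metadata(List<MetadataProvider> providers, KeyManager keyManager)
            throws MetadataProviderException {
        return new ExplicitKeyMetadataManager(providers, keyManager);
    }

    /** MetadataManager whose metadata signature filter trusts only keys taken from the keystore. */
    public static class ExplicitKeyMetadataManager extends CachingMetadataManager {

        private final KeyManager keys;

        public ExplicitKeyMetadataManager(List<MetadataProvider> providers, KeyManager keyManager)
                throws MetadataProviderException {
            super(providers);
            this.keys = keyManager;
            setKeyManager(keyManager);
        }

        // Assumed hook (Spring SAML 1.0.x): called when the SignatureValidationFilter for a
        // provider is built. The stock implementation returns a PKIXSignatureTrustEngine.
        @Override
        protected SignatureTrustEngine getTrustEngine(MetadataProvider provider) {
            Set<String> aliases = null;
            boolean verifyTrust = true;
            if (provider instanceof ExtendedMetadataDelegate) {
                ExtendedMetadataDelegate delegate = (ExtendedMetadataDelegate) provider;
                aliases = delegate.getMetadataTrustedKeys();
                verifyTrust = delegate.isMetadataTrustCheck();
            }
            if (!verifyTrust) {
                return super.getTrustEngine(provider); // trust check explicitly disabled for this provider
            }
            if (aliases == null || aliases.isEmpty()) {
                aliases = keys.getAvailableCredentials(); // fall back to every key in the keystore
            }
            final List<Credential> trusted = new ArrayList<>();
            for (String alias : aliases) {
                Credential credential = keys.getCredential(alias);
                if (credential == null) {
                    throw new IllegalStateException("no keystore entry for trusted metadata key alias " + alias);
                }
                trusted.add(credential);
            }
            // Return the configured credentials whatever criteria the filter passes: a signed
            // <EntitiesDescriptor> has no entity ID that could be matched against a keystore alias.
            CredentialResolver trustedResolver = new CredentialResolver() {
                @Override
                public Iterable<Credential> resolve(CriteriaSet criteria) {
                    return trusted;
                }
                @Override
                public Credential resolveSingle(CriteriaSet criteria) {
                    return trusted.isEmpty() ? null : trusted.get(0);
                }
            };
            KeyInfoCredentialResolver keyInfoResolver = org.opensaml.xml.Configuration
                    .getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
            return new ExplicitKeySignatureTrustEngine(trustedResolver, keyInfoResolver);
        }
    }
}
```

With this engine, trust is established only if the signature verifies under one of the configured keystore keys; if a future copy of the metadata does carry a <KeyInfo/>, OpenSAML still requires that key to match a trusted one before it counts. The trade-off is that you lose PKIX chain building and revocation checking, so rotating the federation's signing key means importing the new certificate into the keystore and restarting, and the keystore file itself becomes the trust anchor that has to be protected.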