[security-dev] SAML SSO with signatures error

Pedro Igor Silva psilva at redhat.com
Tue Jun 24 16:41:43 EDT 2014


Did you have the same behavior when using the SP Valve?

----- Original Message -----
From: "Eric Wittmann" <eric.wittmann at redhat.com>
To: security-dev at lists.jboss.org
Sent: Tuesday, June 24, 2014 3:52:25 PM
Subject: [security-dev] SAML SSO with signatures error

Hi guys.

I'm using the EAP IDP Valve with the SPFilter servlet filter running on 
EAP 6.3.0 to implement web SSO.  It works fine without signatures, but 
now I'm trying to enable signatures on the IDP (meaning I want the IDP 
to sign the SAML response and I want the SPFilter to verify the sig). 
I'm using picketlink 2.5.3.SP1 packaged into the SP WAR.  I'm using 
whatever picketlink version comes with EAP 6.3 (2.5.3.SP5 I think).

I currently have two problems.  The first is that the SPFilter does this 
in the verifySignature() method:

         URL issuerURL;
         try {
             issuerURL = new URL(issuerID);
         } catch (MalformedURLException e1) {
             throw new IssuerNotTrustedException(e1);
         }

This code fails for me because the issuerID in the SAML response is 
"/overlord-idp/".  I haven't dug into this yet, but I imagine I need to 
tweak something on the IDP to get it to put a full issuer into the 
SAML response.

I can get past that with the debugger (by modifying the issuerID value) 
but when I do I hit the following stack trace:

https://gist.github.com/EricWittmann/f05b65689367ba321fc8

The Signature in the SAML response seems OK when I eyeball it.  That 
stack trace is pretty opaque to me - does anyone have any insight into it?

-Eric
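As an added illustration (not code from this thread or from PicketLink), the two checks Eric's message touches on, written against the JDK's XML Signature API: the Issuer-must-be-an-absolute-URL rule that rejects "/overlord-idp/", and verification of the Response's enveloped signature against a pinned IDP public key. The class name, the assumption that the Response is the document element, and the idea that the key comes from the SP's own truststore (never from the message's KeyInfo) are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.PublicKey;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlResponseCheck {  // hypothetical helper, not part of PicketLink
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Same rule the SPFilter applies: the Issuer must parse as an absolute URL.
    // A relative value such as "/overlord-idp/" throws MalformedURLException here.
    static URL requireAbsoluteIssuer(String issuerId) throws MalformedURLException {
        return new URL(issuerId);
    }

    // Parse the Response with namespaces on (dsig elements are namespaced) and DTDs off.
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Verify the enveloped signature on the Response against a pinned IDP public key
    // (assumed to be loaded from the SP's truststore, not taken from the message's KeyInfo).
    static boolean verifyResponseSignature(Document doc, PublicKey idpKey) throws Exception {
        Element response = doc.getDocumentElement();
        NodeList sigs = doc.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() != 1) return false;             // exactly one signature expected
        Element sig = (Element) sigs.item(0);
        if (sig.getParentNode() != response) return false;   // it must sign the Response itself
        DOMValidateContext ctx = new DOMValidateContext(idpKey, sig);
        ctx.setIdAttributeNS(response, null, "ID");          // lets the "#ID" Reference resolve
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (signature.getSignedInfo().getReferences().size() != 1) return false;
        Reference ref = (Reference) signature.getSignedInfo().getReferences().get(0);
        if (!ref.getURI().equals("#" + response.getAttribute("ID"))) return false; // covers the Response
        return signature.validate(ctx);                      // digest and SignatureValue check
    }
}
```

Checking the Reference URI and the Signature's parent before calling validate() is what keeps a signature that is valid but covers the wrong element from being accepted.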