[security-dev] SAML SSO with signatures error

Eric Wittmann eric.wittmann at redhat.com
Tue Jun 24 17:57:08 EDT 2014


We never enabled signatures when we were using the SP valve.  If it's 
useful I could try switching from the SPFilter to the SP valve and 
giving that a try...

-Eric

On 6/24/2014 4:41 PM, Pedro Igor Silva wrote:
> Did you have the same behavior when using the SP Valve ?
>
> ----- Original Message -----
> From: "Eric Wittmann" <eric.wittmann at redhat.com>
> To: security-dev at lists.jboss.org
> Sent: Tuesday, June 24, 2014 3:52:25 PM
> Subject: [security-dev] SAML SSO with signatures error
>
> Hi guys.
>
> I'm using the EAP IDP Valve with the SPFilter servlet filter running on
> EAP 6.3.0 to implement web SSO.  It works fine without signatures, but
> now I'm trying to enable signatures on the IDP (meaning I want the IDP
> to sign the saml response and I want the SPFilter to verify the sig).
> I'm using picketlink 2.5.3.SP1 packaged into the SP WAR.  I'm using
> whatever picketlink version comes with EAP 6.3 (2.5.3.SP5 I think).
>
> I currently have two problems.  The first is that the SPFilter does this
> in the verifySignature() method:
>
>           URL issuerURL;
>           try {
>               issuerURL = new URL(issuerID);
>           } catch (MalformedURLException e1) {
>               throw new IssuerNotTrustedException(e1);
>           }
>
> This code fails for me because the issuerID in the saml response is
> "/overlord-idp/".  I haven't dug into this yet, but I imagine I need to
> tweak something on the IDP to get it to put in a full issuer into the
> saml response.
>
> I can get past that with the debugger (by modifying the issuerID value)
> but when I do I hit the following stack trace:
>
> https://gist.github.com/EricWittmann/f05b65689367ba321fc8
>
> The Signature in the saml response seems ok when I eyeball it.  That
> stack trace is pretty opaque to me - does anyone have any insight into it?
>
> -Eric
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>


More information about the security-dev mailing list