Signature trust establishment failed for SAML metadata entry
Solution 1
You have most likely imported the HTTPS certificate, but not the certificate which is used to create the signature - they differ. You should:
Create file signature.cer with the following content taken from the metadata:
-----BEGIN CERTIFICATE----- MIIC7jCCAdagAwIBAgIQa+pSaOoDP6ZL3qAi564CxzANBgkqhkiG9w0BAQs FADAzMTEwLwYDVQQDEyhBREZTIFNpZ25pbmcgLSBzdHN0ZXN0LXJlcGx5bm V0LnJlcGx5Lml0MB4XDTE0MDQyMTAwMzUyNVoXDTE1MDQyMTAwMzUyNVowM zExMC8GA1UEAxMoQURGUyBTaWduaW5nIC0gc3RzdGVzdC1yZXBseW5ldC5y ZXBseS5pdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJyI7Se +UGGHOGRcwHF8LrmivtcPJyNKyicPJ8UJ8pIsEmgYBnJIrpS05RkYtdUdk+ aumDlc3ACt23FxGDLy9hkJJlRbZwklzh4W3RqGC3W5Y+t7KeIuB8d7ZrrLb 2AoJpVHICRagsLjjHMwz9sJUt+PZdUFFc0pZckHba3TY2Y+MgPYVsyjlEkf QrwL0ggh23g9Pe1VQ9HaInXZvwVMGWZ1oL4Uk0cW11URa8x53ZOWMQSsksi MUlquItssiuJjRnI9Df+GaDxbQJi51esY2EF1o2JxqGJSA71Apy9EahDho8 eFkfOS0fYbVNBU5X/Wn7BKsf2Rmg3r6mQM94+gAA8CAwEAATANBgkqhkiG9 w0BAQsFAAOCAQEAIX5FEt5JWtINzy4C0LtTtta3DMOsLIBH3raRr53+6MKG sPP75VAt7fYUutopuk5Y2o++sVPuEuTzcogz5Dj8eglDESkPwR0PrlClVcG FLFEx9qOOidYIEa90g462niIOgkNkIpb1JRrmZEFo+yrYYdFSR2iXzC3O1f 7JAhNwi+d4a8cOTrqynqL6p1z+hiWEub39FlWDPacELw9HSDIYY151hiiPz vIRQDBOjDg3Ws8fRwYNjJH4ElwjP2z+1r+sktD/kkh8jj3iWhT37JnQG72D 7c63ovYICwEZUqS4L3vepO0pv6xewkUbfX4KBQbUPaVVgmVUcSecj85mvMx 42g== -----END CERTIFICATE-----Import the certificate to your samlKeystore.jks with:
keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file signature.cer
This should be all you need, just restart Tomcat and your metadata loading should now pass.
You don't need to include the HTTPS certificate in your JDK's cacerts in case you include the following bean which configures the HTTP client (available in Spring SAML 1.0.0.RELEASE):
<bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer"/>
Solution 2
I'm posting this just in case if it may be helpful even after everything you did like accepted answer for this question and still get the same error.
I too had this problem, I have added IDP's metadata file and imported their certificate into my app keystore. But still had Signature trust verification problem. I did format the metadata.xml from IDP in Intellij, that did some screw up. Once I imported their metadata file as it without formatting, everything went ok.
Solution 3
I was facing the same issue.Steps that I have follwoed to resolve the same
- extract from IDP metdata fille
- copy the certificate in text file and save as.crt. e.g idp.crt
- import the crt file in key Store keytool -import -alias adfscert -file idp.crt -keystore samlKeystoreold.jks -storepass keystorepassword
- it will ask for is you trust this crt.. say yes
- for some cases it will ask to use in pkcs12 format add in warning message do the same
- try running your application it should work :)
vdenotaris
Program Manager at Google. Cloud Professional Architect and Security Engineer, IAM and PKI subject matter expert and Open Source enthusiast. Disclaimer: Comments and opinions are my own and not the views of my employer.
Updated on June 15, 2022Comments
-
vdenotaris almost 2 years
In order to fetch metadata from a remote source, I defined an
ExtendedMetadataDelegatebean as follows:@Bean @Qualifier("replyMeta") public ExtendedMetadataDelegate replyMetadataProvider() throws MetadataProviderException { String metadataURL = "https://ststest.mydomain.it/FederationMetadata/2007-06/FederationMetadata.xml"; final Timer backgroundTaskTimer = new Timer(true); HTTPMetadataProvider provider = new HTTPMetadataProvider( backgroundTaskTimer, httpClient(), metadataURL); provider.setParserPool(parserPool()); ExtendedMetadataDelegate emd = new ExtendedMetadataDelegate( provider, new ExtendedMetadata()); return emd; }To ensure the signature trust establishment, I added the related key both in JDK keystore and application keystore (the second step might not be enough); despite that, an error occurs by running the webapp.
[2014-08-18 14:36:47.200] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Attempting to validate signature using key from supplied credential [2014-08-18 14:36:47.200] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Creating XMLSignature object [2014-08-18 14:36:47.206] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 [2014-08-18 14:36:47.207] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' [2014-08-18 14:36:47.329] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Signature validated with key from supplied credential [2014-08-18 14:36:47.329] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Signature validation using candidate credential was successful [2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Successfully verified signature using KeyInfo-derived credential [2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Attempting to establish trust of KeyInfo-derived credential [2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BasicX509CredentialNameEvaluator: Supplied trusted names are null or empty, skipping name evaluation [2014-08-18 14:36:47.331] boot - 6000 DEBUG [localhost-startStop-1] --- MetadataCredentialResolver: Attempting PKIX path validation on untrusted credential: [subjectName='CN=ADFS Signing - ststest-replynet.reply.it'] [2014-08-18 14:36:47.346] boot - 6000 ERROR [localhost-startStop-1] --- MetadataCredentialResolver: PKIX path construction failed for untrusted credential: [subjectName='CN=ADFS Signing - ststest-replynet.reply.it']: unable to find valid certification path to requested target [2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: Signature trust could not be established via PKIX validation of signing credential [2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to establish trust of KeyInfo-derived credential [2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to verify signature and/or establish trust using any KeyInfo-derived credentials [2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: PKIX validation of signature failed, unable to resolve valid and trusted signing key [2014-08-18 14:36:47.347] boot - 6000 ERROR [localhost-startStop-1] --- SignatureValidationFilter: Signature trust establishment failed for metadata entry http://ststest-replynet.reply.it/adfs/services/trust [2014-08-18 14:36:47.349] boot - 6000 ERROR [localhost-startStop-1] --- AbstractReloadingMetadataProvider: Error filtering metadata from https://ststest-replynet.reply.it/FederationMetadata/2007-06/FederationMetadata.xml org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entryThe error disappears by setting:
emd.setMetadataTrustCheck(false);... but I'd like to check used metadata.
Is there a way to resolve this error?
Update:
I tried to setup the
ExtendedMetadataas follows but the error persists.em.setAlias("defaultAlias"); em.setSigningKey("*.mydomain.it (Go Daddy Secure Certification Authority)");