  1. PicketLink
  2. PLINK-696

Picketlink SP errors out during signature validation on a Signed + Encrypted SAML token


Details

    • Bug
    • Resolution: Obsolete
    • Major
    • None
    • PLINK_2.7.0.Final
    • SAML
    • None

    Description

      I am trying to consume a Signed + Encrypted SAML token from ADFS on JBoss-EAP 6.3 using Picketlink version 2.7. The token is decrypted correctly, but during the next step of signature validation the following error is generated:

      ERROR [org.picketlink.common] (http-/0.0.0.0:8443-1) Error validating signature:: java.lang.RuntimeException: PL00092: Null Value:Cannot find Signature element
      at org.picketlink.common.DefaultPicketLinkLogger.nullValueError(DefaultPicketLinkLogger.java:205)
      at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:498) [picketlink-federation-2.7.0.CR3.jar:]
      at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:309) [picketlink-federation-2.7.0.CR3.jar:]
      at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:142) [picketlink-federation-2.7.0.CR3.jar:]
      at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:88) [picketlink-federation-2.7.0.CR3.jar:]
      at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:62) [picketlink-federation-2.7.0.CR3.jar:]
      at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.7.0.CR3.jar:]
      at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:106) [picketlink-federation-2.7.0.CR3.jar:]
      at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:88) [picketlink-federation-2.7.0.CR3.jar:]
      at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAML2Response(AbstractSPFormAuthenticator.java:503) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
      at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:481) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
      at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:342) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
      at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:269) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
      at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
      at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_71]

      On debugging I found that the decrypted assertion has all the necessary information for signature validation, but the SAML2SignatureValidationHandler is not working with that decrypted assertion; instead it is still trying to use the original encrypted SAML token. I am wondering if there is some setting on the SP side that I need to change for the handler chain to work correctly, or whether I am running into a bug.
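An added illustration (not PicketLink code; the two XML documents and the issuer URL are constructed samples) of why a signature check reports "Cannot find Signature element" when it runs against the Response as received rather than the decrypted Assertion: the signed Assertion is ciphertext inside EncryptedAssertion, so no ds:Signature exists in plaintext until the decryption step has spliced the Assertion back into the Response.

```python
# Added example, not PicketLink's implementation: shows which document a SAML
# signature handler must inspect when the assertion arrives encrypted.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample: the Response as posted by the IdP, assertion is ciphertext only.
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>CIPHERTEXT-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed sample: what the decryption step yields, a signed Assertion.
DECRYPTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_assert1">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>SIGNATURE-PLACEHOLDER</ds:SignatureValue></ds:Signature>
</saml:Assertion>"""


def has_encrypted_assertion(response_xml):
    """True while the assertion is still wrapped in EncryptedAssertion."""
    return ET.fromstring(response_xml).find(".//saml:EncryptedAssertion", NS) is not None


def splice_decrypted_assertion(response_root, assertion_root):
    """Replace EncryptedAssertion with the decrypted Assertion in place, which is
    what the decryption handler must do before the signature handler runs."""
    enc = response_root.find("saml:EncryptedAssertion", NS)
    idx = list(response_root).index(enc)
    response_root.remove(enc)
    response_root.insert(idx, assertion_root)
    return response_root


def signature_status(response_xml, decrypted_assertion_xml=None):
    """'missing' reproduces the reported failure (no ds:Signature in plaintext);
    'present' is what the handler sees once it checks the decrypted Assertion."""
    root = ET.fromstring(response_xml)
    if decrypted_assertion_xml is not None:
        splice_decrypted_assertion(root, ET.fromstring(decrypted_assertion_xml))
    return "present" if root.find(".//ds:Signature", NS) is not None else "missing"
```

The splice only makes the Signature element locatable; a real handler still has to verify that signature against the IdP's trusted certificate before trusting the Assertion.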

          People

            psilva@redhat.com Pedro Igor Craveiro
            sheetul Sheetul Agrawal (Inactive)