
OneLogin Java-SAML SP fails to provide signed metadata to Shibboleth IdP

When the sample application of OneLogin Java-SAML toolkit is configured to provide signed SP metadata to Shibboleth IdP, the IdP rejects the metadata signature complaining about invalid transform used in the signing process. However, the validation of the signature by standard XML tools like oXygen editor and the like succeeds.

The java-saml-tookit-jspsample-2.2.0 application has been configured to provide signed metadata to IdP ( onelogin.saml2.security.sign_metadata = true ) and the IdP's metadata-providers.xml contains a configuration block using file-backed HTTP requiring signature validation.

What is wrong in this configuration?

After some hours of googling I found a similar issue in other software. The Java-SAML toolkit by OneLogin uses a canonicalization method to sign the metadata that is legal, but it is NOT explicitly allowed by the SAML standard. If you check the section 5.5.4 of SAML2 specification, it states explicitly:

Signatures in SAML messages SHOULD NOT contain transforms other than the enveloped signature transform (with the identifier http://www.w3.org/2000/09/xmldsig#enveloped-signature ) or the exclusive canonicalization transforms (with the identifier http://www.w3.org/2001/10/xml-exc-c14n# or http://www.w3.org/2001/10/xml-exc-c14n#WithComments ). Verifiers of signatures MAY reject signatures that contain other transform algorithms as invalid.

The Java-SAML toolkit has a hard-wired setting for this using http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments instead, which gets rejected by Shibboleth IdP. If you want to get things going, download the source of the Java-SAML toolkit from OneLogin, unpack it, and then change line 1056 of java-saml-2.2.0/core/src/main/java/com/onelogin/saml2/util/Util.java from

String c14nMethod = Constants.C14N_WC;

to

String c14nMethod = Constants.C14NEXC_WC;

Recompile using maven (mvn package) and re-deploy the application.
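A pre-flight check for the problem described in the answer, added here as an example and not part of the original post or of the OneLogin toolkit: it parses generated SP metadata and reports every ds:CanonicalizationMethod or ds:Transform algorithm outside the set the quoted SAML text tolerates, so an operator can see the inclusive-c14n problem before the IdP does. The metadata skeleton is constructed; the entityID and digest/signature values are placeholders.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
EXC_C14N_WC = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
# Inclusive c14n with comments: what the post says the toolkit hard-wires.
C14N_WC = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"

# Transforms the quoted SAML text tolerates; exclusive c14n for CanonicalizationMethod.
ALLOWED_TRANSFORMS = {ENVELOPED, EXC_C14N, EXC_C14N_WC}
ALLOWED_C14N = {EXC_C14N, EXC_C14N_WC}


def find_disallowed_algorithms(metadata_xml: str) -> list:
    """Return (element, algorithm) pairs from every ds:Signature whose Algorithm
    URI is outside the SAML-recommended set; empty means nothing to reject."""
    root = ET.fromstring(metadata_xml)
    problems = []
    for sig in root.iter(DS + "Signature"):
        for el in sig.iter(DS + "CanonicalizationMethod"):
            if el.get("Algorithm") not in ALLOWED_C14N:
                problems.append(("CanonicalizationMethod", el.get("Algorithm")))
        for el in sig.iter(DS + "Transform"):
            if el.get("Algorithm") not in ALLOWED_TRANSFORMS:
                problems.append(("Transform", el.get("Algorithm")))
    return problems


def sample_metadata(c14n_alg: str) -> str:
    """Constructed, minimal signed SP metadata; only the algorithm URIs matter
    here, so entityID, digest and signature values are placeholders."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/sp">
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{c14n_alg}"/>
    <ds:Reference URI=""><ds:Transforms>
      <ds:Transform Algorithm="{ENVELOPED}"/>
      <ds:Transform Algorithm="{c14n_alg}"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
</md:EntityDescriptor>"""


# Before the fix (Constants.C14N_WC): two findings. After (C14NEXC_WC): none.
BEFORE = find_disallowed_algorithms(sample_metadata(C14N_WC))
AFTER = find_disallowed_algorithms(sample_metadata(EXC_C14N_WC))
```

Run the check against the metadata the sample application actually serves (e.g. fetched from its metadata.jsp URL) rather than the constructed skeleton; a non-empty result is the reason the IdP's signature validation fails.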
