Does anybody know the correct order of steps for creating a signed SAML Authentication Request?
I've tried the steps below, but unfortunately WSO2IS throws an exception.
SHA1withRSA
) with the SAMLRequest=value&SigAlg=value
Thanks in advance
EXCEPTION MESSAGE:
ERROR {org.opensaml.xml.security.SigningUtil} - Error during signature verification java.security.SignatureException: Signature length not correct: got 252 but was expecting 256 at sun.security.rsa.RSASignature.engineVerify(Unknown Source) at java.security.Signature$Delegate.engineVerify(Unknown Source) at java.security.Signature.verify(Unknown Source) at org.opensaml.xml.security.SigningUtil.verify(SigningUtil.java:247) at org.opensaml.xml.security.SigningUtil.verify(SigningUtil.java:215) at org.opensaml.xml.security.SigningUtil.verifyWithURI(SigningUtil.java:184) at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:156) at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.validateSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:78) at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateDeflateSignature(SAMLSSOUtil.java:625) at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateAuthnRequestSignature(SAMLSSOUtil.java:578) at org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor.process(SPInitSSOAuthnRequestProcessor.java:108) at org.wso2.carbon.identity.sso.saml.SAMLSSOService.authenticate(SAMLSSOService.java:192) at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequestFromLoginPage(SAMLSSOProviderServlet.java:415) at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:127) at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doPost(SAMLSSOProviderServlet.java:81) at javax.servlet.http.HttpServlet.service(HttpServlet.java:755) at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
Following is the method that is in the spec for the HTTP Redirect binding, which is supported by WSO2IS. Therefore what you have done is not correct. I guess you have missed the compression part.
If the SAML Request is signed with an XML signature, then we need to sign the URL-encoded form of the message as well, as follows.
6. Signature algorithm identifier must be included as URL-encoded
7. Signature is constructed for the following string (here order is important)
SAMLRequest=value&RelayState=value&SigAlg=value
8. Signature value MUST be encoded using the base64 encoding with any whitespace removed, and included as a query string parameter named Signature
If you go through this sample SP implementation, you can see how it has been done. There is a class called SAML2SSOManager and a method buildRequest. You can go through it.
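To make the order in the answer above concrete, here is an added example in Go (not the answer's code, nor WSO2's or the sample SP's): the SP side builds the HTTP-Redirect query in the stated order, and an IdP-side check verifies it over the raw transmitted values, rejecting a signature whose decoded byte count does not match the key, which is the mismatch the exception in the question reports. The function names, the throwaway demoKey and the request XML used in the test are constructed for this example.

```go
package main
import (
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"net/url"
	"strings"
)
const SigAlgRSASHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed for this example; a real SP loads its own key
func sha1Of(s string) []byte { d := sha1.Sum([]byte(s)); return d[:] }
// signedInput joins already URL-encoded values in the mandated order; RelayState only if present.
func signedInput(encReq, encRelay, encAlg string) string {
	if encRelay != "" {
		encRelay = "&RelayState=" + encRelay
	}
	return "SAMLRequest=" + encReq + encRelay + "&SigAlg=" + encAlg
}
// BuildRedirectQuery is the SP side: DEFLATE, base64, URL-encode, build the string to sign, RSA-SHA1 sign, then base64 + URL-encode the signature as Signature.
func BuildRedirectQuery(key *rsa.PrivateKey, authnRequestXML, relayState string) (string, error) {
	var buf strings.Builder
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // raw DEFLATE, no zlib header
	w.Write([]byte(authnRequestXML)); w.Close()
	encReq := url.QueryEscape(base64.StdEncoding.EncodeToString([]byte(buf.String())))
	input := signedInput(encReq, url.QueryEscape(relayState), url.QueryEscape(SigAlgRSASHA1))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, sha1Of(input))
	if err != nil {
		return "", err
	}
	return input + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}
// VerifyRedirectQuery is the IdP side: the signed bytes are the raw, still-encoded values exactly as transmitted.
func VerifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) error {
	raw := map[string]string{} // re-encoding decoded values could change the bytes, so keep them raw
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	q, _ := url.ParseQuery(rawQuery) // decoded copies, used only for SigAlg and Signature
	sig, err := base64.StdEncoding.DecodeString(q.Get("Signature"))
	if q.Get("SigAlg") != SigAlgRSASHA1 || err != nil || len(sig) != pub.Size() { // e.g. 252 bytes instead of 256
		return errors.New("SigAlg is not rsa-sha1, or Signature is not a base64 RSA signature of the key's size")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, sha1Of(signedInput(raw["SAMLRequest"], raw["RelayState"], raw["SigAlg"])), sig)
}
```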