Сan’t get a SAML response from ADFS server
Question
We have ADFS server (windows server 2012 R2). Need to add authorization in custom application (lib spring-security-saml2-core).
Authentication steps:
1) create SAML AuthRequest and send to ADFS server
2) User is automatically redirected to the login page of the server, enters the correct credentials
3) No response from server. Error in log:
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
Can anyone help with this error? How to get a response?
We use this article to configure certificates and jks file: https://docs.microfocus.com/SM/9.61/Hybrid/Content/security/tasks/configure_saml_setup_relationship_between_idm_adfs.htm
Security XML:
<!-- ADFS filter -->
<bean id="adfsAuthenticationProcessingFilter"
class="com.webapp.filter.ADFSAuthenticationProcessingFilter">
<property name="authenticationManager" ref="samlAuthenticationManager"/>
<property name="authenticationSuccessHandler" ref="logAuthenticationSuccessHandler"/>
<property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
<property name="sessionAuthenticationStrategy" ref="sessionFixationProtectionStrategy"/>
<property name="SAMLProcessor" ref="processor"/>
<property name="contextProvider" ref="contextProvider"/>
<property name="userManager" ref="userManager"/>
</bean>
<!-- Filter automatically generates default SP metadata -->
<bean id="metadataGeneratorFilter"
class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId"
value="http://{ADFS server}/adfs/services/trust"/>
<property name="requestSigned" value="false"/>
<property name="extendedMetadata">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="signMetadata" value="false"/>
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
</property>
</bean>
</constructor-arg>
<property name="manager" ref="metadata"/>
</bean>
<bean id="metadata" class="org.springframework.security.saml.metadata.MetadataManager">
<constructor-arg>
<list>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg name="metadata" type="java.io.File"
value="/WEB-INF/saml/sp_metadata.xml"/>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true"/>
<property name="securityProfile" value="metaiop"/>
<property name="sslSecurityProfile" value="metaiop"/>
<property name="signMetadata" value="true"/>
<property name="signingKey" value="keyName"/>
<property name="encryptionKey" value="keyName"/>
<property name="requireArtifactResolveSigned" value="true"/>
<property name="requireLogoutRequestSigned" value="true"/>
<property name="requireLogoutResponseSigned" value="true"/>
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
</constructor-arg>
<property name="requireValidMetadata" value="false"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg name="metadata" type="java.io.File"
value="/WEB-INF/saml/ip_metadata.xml"/>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="false"/>
<property name="securityProfile" value="metaiop"/>
<property name="sslSecurityProfile" value="metaiop"/>
<property name="signMetadata" value="true"/>
<property name="signingKey" value="keyName"/>
<property name="encryptionKey" value="keyName"/>
<property name="requireArtifactResolveSigned" value="false"/>
<property name="requireLogoutRequestSigned" value="false"/>
<property name="requireLogoutResponseSigned" value="false"/>
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
</constructor-arg>
<property name="requireValidMetadata" value="false"/>
</bean>
</list>
</constructor-arg>
<property name="keyManager" ref="keyManager"/>
<property name="TLSConfigurer">
<bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer">
<property name="keyManager" ref="keyManager"/>
<property name="trustedKeys">
<set>
</set>
</property>
</bean>
</property>
<property name="hostedSPName"
value="http://{ADFS server}/adfs/services/trust"/>
<property name="defaultIDP"
value="http://{ADFS server}/adfs/services/trust"/>
</bean>
<bean id="logAuthenticationSuccessHandler" parent="txProxyTemplate">
<property name="target">
<bean class="com.webapp.security.login.LogAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/startPage.htm"/>
<property name="requestCache" ref="savedRequestCache"/>
<property name="userDao" ref="userDao"/>
<property name="attemptsManager" ref="authenticationAttemptsManager"/>
<property name="userManager" ref="userManager"/>
</bean>
</property>
<property name="transactionAttributes">
<props>
<prop key="onAuthenticationSuccess">PROPAGATION_REQUIRED</prop>
</props>
</property>
</bean>
<!-- SAML 2.0 -->
<!-- Secured pages with SAML as entry point -->
<sec:http pattern="/saml/**" entry-point-ref="samlEntryPoint">
<sec:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<sec:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</sec:http>
<sec:http entry-point-ref="samlEntryPoint" use-expressions="false" pattern="/">
<sec:csrf/>
<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
<sec:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<sec:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</sec:http>
<!-- Filters for processing of SAML messages -->
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<sec:filter-chain-map request-matcher="ant">
<sec:filter-chain pattern="/saml/login" filters="samlEntryPoint"/>
<sec:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
<sec:filter-chain pattern="/saml/SSO" filters="samlWebSSOProcessingFilter"/>
<sec:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
<sec:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
</sec:filter-chain-map>
</bean>
<!-- Handler deciding where to redirect user after successful login -->
<bean id="successRedirectHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/"/>
</bean>
<!-- Handler deciding where to redirect user after failed login -->
<bean id="failureRedirectHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="useForward" value="true"/>
<property name="defaultFailureUrl" value="/error/403.jsf"/>
</bean>
<!-- Handler for successful logout -->
<bean id="successLogoutHandler"
class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/logout"/>
</bean>
<sec:authentication-manager alias="samlAuthenticationManager">
<!-- Register authentication manager for SAML provider -->
<sec:authentication-provider ref="samlAuthenticationProvider"/>
<!-- Register authentication manager for administration UI -->
<sec:authentication-provider>
<sec:user-service id="adminInterfaceService">
<sec:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
</sec:user-service>
</sec:authentication-provider>
</sec:authentication-manager>
<!-- Logger for SAML messages and events -->
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="/WEB-INF/saml/samlKeystore.jks"/>
<constructor-arg type="java.lang.String" value="123456"/>
<constructor-arg>
<map>
<entry key="keyName" value="1234567"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="keyName"/>
</bean>
<!-- Entry point to initialize authentication, default values taken from properties file -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
<property name="defaultProfileOptions">
<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
<property name="nameID"
value="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
<property name="binding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<property name="allowCreate" value="true"/>
<property name="assertionConsumerIndex" value="0"/>
<property name="passive" value="false"/>
<property name="relayState"
value="https://{application URL}/saml/SSO/login.htm"/>
<property name="forceAuthN" value="true"/>
<property name="authnContexts">
<list>
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</value>
</list>
</property>
</bean>
</property>
<property name="metadata" ref="metadata"/>
<property name="samlLogger" ref="samlLogger"/>
<property name="webSSOprofile" ref="webSSOprofile"/>
<property name="contextProvider" ref="contextProvider"/>
<property name="filterProcessesUrl" value="/login.htm"/>
</bean>
<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
<bean id="metadataDisplayFilter"
class="org.springframework.security.saml.metadata.MetadataDisplayFilter">
<property name="manager" ref="metadata"/>
<property name="contextProvider" ref="contextProvider"/>
<property name="keyManager" ref="keyManager"/>
</bean>
<!-- SAML Authentication Provider responsible for validating of received SAML messages -->
<bean id="samlAuthenticationProvider"
class="org.springframework.security.saml.SAMLAuthenticationProvider">
<property name="userDetails" ref="userDetails"/>
<property name="consumer" ref="webSSOprofileConsumer"/>
<property name="hokConsumer" ref="hokWebSSOprofileConsumer"/>
<property name="samlLogger" ref="samlLogger"/>
<property name="forcePrincipalAsString" value="false"/>
</bean>
<bean id="userDetails" parent="txProxyTemplate">
<property name="target">
<bean class="com.webapp.security.SAMLUserDetails">
<property name="userDao" ref="userDao"/>
</bean>
</property>
<property name="transactionAttributes">
<props>
<prop key="load*">PROPAGATION_REQUIRED</prop>
</props>
</property>
</bean>
<!-- Provider of default SAML Context -->
<bean id="contextProvider"
class="org.springframework.security.saml.context.SAMLContextProviderImpl">
<property name="keyManager" ref="keyManager"/>
<property name="metadata" ref="metadata"/>
</bean>
<!-- Processing filter for WebSSO profile messages -->
<bean id="samlWebSSOProcessingFilter"
class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="samlAuthenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
<property name="contextProvider" ref="contextProvider"/>
<property name="SAMLProcessor" ref="processor"/>
</bean>
<!-- Processing filter for WebSSO Holder-of-Key profile -->
<bean id="samlWebSSOHoKProcessingFilter"
class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
<property name="authenticationManager" ref="samlAuthenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
<property name="contextProvider" ref="contextProvider"/>
<property name="SAMLProcessor" ref="processor"/>
</bean>
<!-- Logout handler terminating local session -->
<bean id="logoutHandler"
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="false"/>
</bean>
<!--Filter processing incoming logout messages -->
<!--First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter"
class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg index="0" ref="successLogoutHandler"/>
<constructor-arg index="1" ref="logoutHandler"/>
<property name="SAMLProcessor" ref="samlProcessor"/>
<property name="contextProvider" ref="contextProvider"/>
<property name="logoutProfile" ref="logoutProfile"/>
<property name="samlLogger" ref="samlLogger"/>
</bean>
<bean id="logoutProfile"
class="org.springframework.security.saml.websso.SingleLogoutProfileImpl">
<property name="metadata" ref="metadata"/>
<property name="processor" ref="samlProcessor"/>
</bean>
<!-- Class loading incoming SAML messages from httpRequest stream -->
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg>
<list>
<ref bean="redirectBinding"/>
<ref bean="postBinding"/>
<ref bean="artifactBinding"/>
<ref bean="soapBinding"/>
<ref bean="paosBinding"/>
</list>
</constructor-arg>
</bean>
<!-- Initialization of OpenSAML library-->
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- SAML 2.0 WebSSO Assertion Consumer -->
<bean id="webSSOprofileConsumer"
class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
<property name="metadata" ref="metadata"/>
<property name="processor" ref="samlProcessor"/>
<property name="responseSkew" value="600"/>
<property name="maxAuthenticationAge" value="7200"/>
</bean>
<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<bean id="hokWebSSOprofileConsumer"
class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl">
<property name="metadata" ref="metadata"/>
<property name="processor" ref="samlProcessor"/>
</bean>
<!-- SAML 2.0 Web SSO profile -->
<bean id="webSSOprofile" class="com.webapp.filter.CustomWebSSOProfileImpl">
<property name="metadata" ref="metadata"/>
<property name="processor" ref="samlProcessor"/>
<!-- property name="metadataIssuerUrl" value="https://{ADFS server}/FederationMetadata/2007-06/FederationMetadata.xml" / -->
</bean>
<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<bean id="hokWebSSOProfile"
class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl">
<property name="metadata" ref="metadata"/>
<property name="processor" ref="samlProcessor"/>
</bean>
<!-- SAML 2.0 ECP profile -->
<bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl">
<property name="metadata" ref="metadata"/>
<property name="processor" ref="samlProcessor"/>
</bean>
<!-- SAML 2.0 Logout Profile -->
<bean id="logoutprofile"
class="org.springframework.security.saml.websso.SingleLogoutProfileImpl">
<property name="metadata" ref="metadata"/>
<property name="processor" ref="samlProcessor"/>
<property name="responseSkew" value="600"/>
</bean>
<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
</bean>
<bean id="redirectBinding"
class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="artifactBinding"
class="org.springframework.security.saml.processor.HTTPArtifactBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
<constructor-arg>
<bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
<constructor-arg>
<bean class="org.apache.commons.httpclient.HttpClient">
<constructor-arg>
<bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
</constructor-arg>
</bean>
</constructor-arg>
<property name="processor" ref="samlProcessor"/>
<property name="metadata" ref="metadata"/>
</bean>
</constructor-arg>
</bean>
<bean id="samlProcessor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg ref="httpPostBinding"/>
</bean>
<bean id="httpRedirectBinding"
class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="httpPostBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
</bean>
<bean id="xmlHttpPostBinding"
class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg>
<bean class="org.opensaml.saml1.binding.decoding.HTTPPostDecoder">
<constructor-arg ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="com.webapp.filter.HttpRedirectDeflateAsHttpPostEncoder"/>
</constructor-arg>
</bean>
<bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<!-- Initialization of OpenSAML library-->
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- Initialization of the velocity engine -->
<bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory"
factory-method="getEngine"/>
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool"
init-method="initialize"/>
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
SAML AuthRequest:
<!-- ADFS filter -->
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
AssertionConsumerServiceURL="https://{application URL}/saml/SSO/login.htm"
Destination="https://{ADFS server}/adfs/ls/" ForceAuthn="true"
ID="ID" IsPassive="false" IssueInstant="2019-08-28T07:36:16.121Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://{ADFS server URL}/adfs/services/trust</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#ID">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>pA3hIQrobfvJmjpV76SuMhfD5Ig=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature><saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
<saml2p:RequestedAuthnContext Comparison="exact">
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
1 answers
solution1
0 2019-11-05 02:16:31
I recently worked on a project where we set up KeyCloak to act as an SP to ADFS IdP.
We were only able to get the SAML requests to process correctly when the following settings were set:
IdP URL: ${IDP_URL}/adfs/ls/
NameID Policy Format: persistent
WantAuthnRequestsSigned: true
WantAssertionsSigned: true
SignatureAlgorithm: RSA_SHA256
SAMLSignatureKeyName: CERT_SUBJECT
In addition to updating the NameID Policy on our side (as SP), we also had to have custom settings on the IdP side to ensure the NameID was sent back as format persistent .
I see from your authn request that the NameID Policy is currently set to emailAddress .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Login adfs in java and get assertion from saml response
Get request token from ADFS SAML .NET server from Java
Get a SAML2 Token from ADFS in Java
Retrieve Claims from SAML response received from ADFS
Error in response while using SAML oneLogin code to connect to ADFS as iDP
HttpClient can't get response from server
How to pass entire SAML token (from ADFS) to Consumer App (travelocity)
“urn:oasis:names:tc:SAML:2.0:status:Requester” in ADFS logout response
Spring SAML Single Sign on ADFS Response failure because status message is null
How to get response from server?
Related Tags