Problem signing SAML assertion

Folks,
I’m having some issues trying to generate a proper signed SAML assertion using JDeveloper 10.1.3. I am securing a java proxy class using the wizard as described in http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html .
On the OWSM side, I have a service that I am securing with SAML - Verify WSS 1.0 Token. If I set the "Allow signed assertions only" property to false I can complete the service call. However, when it is set to true I am receiving the following fault:
javax.xml.rpc.soap.SOAPFaultException: SAML token verification failed.
When I examine the message going to OWSM in a packet analyzer, it is missing the signature in the SAML assertion. The <saml:Assertion> element looks like:
      <saml:Assertion MajorVersion="1" MinorVersion="1"
                      xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                      AssertionID="yM0oqZgF0N1a1td6yzKgOQ22"
                      IssueInstant="2007-01-23T17:15:27Z"
                      Issuer="HealthMarkets_s3">
        <saml:Conditions NotBefore="2007-01-23T17:15:27Z"
                         NotOnOrAfter="2007-01-24T17:15:27Z"/>
        <saml:AuthenticationStatement AuthenticationInstant="2007-01-23T17:15:27Z"
                                      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
          <saml:Subject>
            <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">client_s3</saml:NameIdentifier>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
          </saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
I have selected the Sign Outbound Messages in step 3 of the Secure Web Proxy Wizard. This step uses the DSA-SHA1 algorithm.
Any help is greatly appreciated.
Thanks in advance,
Joseph

I do believe that JDev will produce a deployment descriptor that contains the WS-Security policy information. Can you post this? It should look something like this:
<oracle-webservice-clients>
<webservice-client>
<saml-token>
<signature-methods>RSA-SHA1</signature-methods>
</saml-token>
</webservice-client>
</oracle-webservice-clients>

Similar Messages

  • Problem with signed SAML assertion and Web Services Manager


    Thanks for the response. I am not using any pages for this application yet... just calling the web service from SOAP UI or any Web Service testing tool causes the problem.
    All that has to be done to replicate it is to build a simple EJB 3.0 JPA bean using the entities from tables wizard and then add named query as follows:
    @NamedQuery(name = "BomHeader.findByDesc", query = "select o from BomHeader o where o.bomDesc like :p_bomDesc")
    then build a session bean with the wizard that includes the JPA persistence unit and the entity and subsequently use the wizard to wrap the session bean in a web service.
    The whole replication process should take 5 minutes if you have some database tables to work with. It breaks when the web service is called.
    Thanks in advance

  • Problem with Oracle Security Developer Tools creating signed SAML Assertion

    Hi,
    I'm trying to use OSDT to create a signed SAML assertion.
    Basically, what I've done is to use the ST_Test.java sample and the SignXMLEnveloped.java sample together.
    This is just a proof-of-concept, so what I did was use the code from ST_Test.java to create the unsigned assertion, take the byte array that results, and use it in a ByteArrayInputStream feeding into slightly modified SignXMLEnveloped.java code.
    I was actually able to create a signed assertion, but the signature on the signed assertion does not validate.
    I think that the reason it doesn't validate is because the original code in SignXMLEnveloped.java sets the URI in the reference to "", whereas the reference should be to something like "XXXXXX", which is the "AssertionID" attribute on the Assertion element.
    However, if I modify the SignedXMLEnveloped code to do a setUri to "#XXXXXX", I get the following error:
    Exception in thread "main" oracle.security.xmlsec.dsig.SigningException: Cannot find node with @Id="theassertion"
         at oracle.security.xmlsec.dsig.XSSignature.sign(Unknown Source)
         at SignXMLEnveloped.main(SignXMLEnveloped.java:116)
    Caused by: oracle.security.xmlsec.dsig.ReferenceException: Cannot find node with @Id="theassertion"
         at oracle.security.xmlsec.dsig.ObjectReference.dereference(Unknown Source)
         at oracle.security.xmlsec.dsig.XSReference.getTBDData(Unknown Source)
         at oracle.security.xmlsec.dsig.XSReference.computeDigest(Unknown Source)
    About to sign the Assertion...
         at oracle.security.xmlsec.dsig.XSReference.computeDigest(Unknown Source)
         at oracle.security.xmlsec.dsig.ReferenceList.computeRefDigests(Unknown Source)
         ... 2 more
    I think I know what the problem may be, but I'm not sure how to workaround it. I have written some apps to do digital signature verification before, and I know that there is a problem with SAML 1.1 called the "idness" problem, where the "AssertionID" attribute is not an "id" type attribute in the schema. I have a feeling that I'm running into the same problem here, with OSDT.
    Has anyone been successful at doing something like this with OSDT? If so, how?
    Thanks,
    Jim

    Hi,
    I was able to get past my original problem, and can now sign the assertion which has the AssertionID attribute. I had to set the SAML version to 1.1 using initialize().
    Unfortunately, when I run the resulting signed assertion through a signature validation, it is failing to verify.
    I'm not sure why, but it is failing when it tries to verify the hash/digest on the reference.
    I am using a separate application that I wrote that uses Java6 and the security API that Java6 has, and with debugging enabled, I can see the dereferenced data that is being fed into the digester, and that looks correct, but the calculated digest doesn't match what my OSDT-based application generated.
    Anyone have any idea about what the problem might be?
    Thanks,
    Jim
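Added example (not code from the thread, from OSDT or from Oracle): signing a constructed SAML 1.1 assertion with the JDK's javax.xml.crypto.dsig API (the Java 6 API mentioned above), registering AssertionID as an ID attribute so the "#AssertionID" reference can be dereferenced, then re-parsing the serialized output and verifying it with a key the relying party already trusts. The key pair, issuer and assertion values are made up.

```java
import java.io.*;
import java.security.*;
import java.util.*;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

/** Enveloped XML signature over a SAML 1.1 assertion referenced by its AssertionID. */
public class Saml11AssertionSigning {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Namespace-aware parsing is mandatory: the dsig API canonicalizes namespaces, and a
    // non-namespace-aware DOM produces a different digest on the verifying side.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    // Constructed unsigned assertion modelled on the one quoted in the thread (values are made up).
    static Document buildAssertion(String assertionId) throws Exception {
        return parse("<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" MajorVersion=\"1\" MinorVersion=\"1\""
            + " AssertionID=\"" + assertionId + "\" IssueInstant=\"2007-01-23T17:15:27Z\""
            + " Issuer=\"example-issuer\">"
            + "<saml:Conditions NotBefore=\"2007-01-23T17:15:27Z\" NotOnOrAfter=\"2007-01-24T17:15:27Z\"/>"
            + "<saml:AuthenticationStatement AuthenticationInstant=\"2007-01-23T17:15:27Z\""
            + " AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:password\">"
            + "<saml:Subject><saml:NameIdentifier>client_s3</saml:NameIdentifier>"
            + "<saml:SubjectConfirmation><saml:ConfirmationMethod>"
            + "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
            + "</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>"
            + "</saml:AuthenticationStatement></saml:Assertion>");
    }

    // The SAML 1.1 schema does not type AssertionID as xs:ID, so the DOM does not treat it as an
    // ID and "#..." references fail ("Cannot find node with @Id") until it is registered here.
    static Element registerAssertionId(Document doc) {
        Element assertion = doc.getDocumentElement();
        assertion.setIdAttribute("AssertionID", true);
        return assertion;
    }

    static void sign(Document doc, KeyPair kp) throws Exception {
        Element assertion = registerAssertionId(doc);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Reference the assertion by ID; the enveloped transform excludes the Signature element
        // itself from the digest, and exclusive C14N keeps the digest stable across re-serialization.
        Reference ref = fac.newReference("#" + assertion.getAttribute("AssertionID"),
            fac.newDigestMethod(DigestMethod.SHA1, null),
            Arrays.asList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                          fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
            Collections.singletonList(ref));
        // No KeyInfo: with sender-vouches the relying party must already trust the signing key,
        // so an embedded key would only be something the verifier has to take on faith.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), assertion));
    }

    // Verifies against a key the relying party already trusts; false when no Signature is present.
    static boolean verify(Document doc, PublicKey trusted) throws Exception {
        registerAssertionId(doc); // the receiving side must register the ID attribute as well
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) return false;
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(trusted), sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx); // false if the reference digest or the signature value mismatches
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document doc = buildAssertion("yM0oqZgF0N1a1td6yzKgOQ22");
        sign(doc, kp);
        String wire = serialize(doc); // what a packet capture of the outbound message would show
        System.out.println(wire);
        System.out.println("intact assertion verifies: " + verify(parse(wire), kp.getPublic()));
        Document tampered = parse(wire.replace("client_s3", "client_s4"));
        System.out.println("tampered assertion verifies: " + verify(tampered, kp.getPublic()));
    }
}
```

If a second tool computes a different reference digest over the same bytes, check that it parses namespace-aware and registers AssertionID as an ID before dereferencing, since either omission changes what the enveloped transform and exclusive C14N operate on.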

  • Signed SAML assertion verification

    Hi,
    I am new to SAML configuration in weblogic. I have configured my asserting party to check for signature.
    I am sending a SAML request whose assertion is signed.
    Still I am getting the following in the log file: "Assertion is not signed"
    Any idea why it is not reading the signature?
    My SAML request is below.
    Any help is appreciated.
    Thanks,
    rabi
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:quer="http://www.xyzcorp/procureservice/QueryGDS_US/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SecurityToken-6104382507547943490" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">...</wsse:BinarySecurityToken>
    <Assertion AssertionID="/iEncjfEQdaj4R/lpzUI2qqSQGE=" IssueInstant="2008-10-31T00:00:02.687Z" Issuer="www.xxx.com" MajorVersion="1" MinorVersion="1" wsu:Id="/iEncjfEQdaj4R/lpzUI2qqSQGE=" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
    <Conditions NotBefore="2008-10-31T00:00:02.687Z" NotOnOrAfter="2008-10-31T00:05:02.687Z" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"/>
    <AuthenticationStatement AuthenticationInstant="2008-10-31T00:00:02.687Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
    <Subject xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
    <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">john</NameIdentifier>
    <SubjectConfirmation xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
    <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
    </SubjectConfirmation>
    </Subject>
    </AuthenticationStatement>
    <AttributeStatement xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
    <Subject xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
    <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">john</NameIdentifier>
    <SubjectConfirmation xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
    <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
    </SubjectConfirmation>
    </Subject>
    <Attribute AttributeName="roles" AttributeNamespace="http://namespace.amberpoint.com/amf" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
    <AttributeValue>Accounting Managers</AttributeValue>
    <AttributeValue>AddGroup</AttributeValue>
    <AttributeValue>CredentialTest</AttributeValue>
    </Attribute>
    </AttributeStatement>
    </Assertion>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#/iEncjfEQdaj4R/lpzUI2qqSQGE=">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>f4dfLpF6DdIE3cTf+sGjl6G/yBI=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#SecurityToken-6104382507547943490">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>ll+krZmSgjLyIzVSF60xhsGrCfU=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
    ivD8jDZacvY3LpFbd9c1LAVULwbG6AvGGkqEImkmxGsg+okCTj7xb8e/+wTQBFJ0WD/h5Ts8GnYO
    7/UupD/PDPE/7X/P4UwDjM8R4KJQH85sGgs11Z+1q6GeHR89UVKekfoeUSAR6vEklmdW9G5GefEG
    PisX58KR9jATY16aGHo=
    </ds:SignatureValue>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference wsu:Id="com-amberpoint-generated-SecurityTokenReference-element_id-23999404" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Reference URI="#SecurityToken-6104382507547943490" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
    <quer:searchCar>
    <quer:country>JPN</quer:country>
    <quer:state>JPN</quer:state>
    <quer:pickUpCity>Tokyo</quer:pickUpCity>
    <!--Optional:-->
    <quer:dropOffCity>?</quer:dropOffCity>
    <quer:pickUpDate>?</quer:pickUpDate>
    <quer:dropOffDate>?</quer:dropOffDate>
    <!--Optional:-->
    <quer:rentalAgency>?</quer:rentalAgency>
    <!--Optional:-->
    <quer:carType>?</quer:carType>
    <!--Optional:-->
    <quer:carMake>?</quer:carMake>
    <!--Optional:-->
    <quer:nonSmoking>?</quer:nonSmoking>
    </quer:searchCar>
    </soapenv:Body>
    </soapenv:Envelope>


  • Problem with validating SAML assertion signature ("bad" certificate?)

    Hi,
    We've been developing and testing webservices and webservice clients under WebLogic for a while. In our typical configuration, we have the SAML Credential mapper configured on the webservice client side, and the SAML Identity Asserter on the webservice side, and we are using "sender-vouches", whereby the SAML assertions are being signed by the SAML Credential mapper.
    Up through development, for the signing, we've been using certs issued by a test CA that we have, but now, we are moving to a pre-production environment, and we're required to use certs issued by a specific 3rd party CA. Since we've started using those new certs, we have been getting "token failed to validate" errors. We've been trying to diagnose this problem for a while, and we're at the point that we believe that, for some reason, the certs that we got that were issued by the 3rd party CA are "bad".
    Specifically, those certs are SSL Server certs, with the following characteristics:
    Usages:
    Digital Signature
    Key Encipherment
    Key Agreement
    Netscape Type: SSL Server Authentication
    but, they also have two "extended usage extension" OIDs, both are "2.16.840.1.101.2.x.yy.zz".
    When we looked at the certs using various tools, e.g., "openssl x509...", etc., those extended usage extensions are being displayed as "unknown", which made us a little suspicious about them, so I set up a simple test configuration with two WebLogic 10.0 MP1 instances.
    For testing, we first used a cert from the 3rd party CA, which gave us the "failed to validate token" errors.
    During this testing, we put a sniffer on the line, and captured the SOAP message with the signed SAML assertion, and we used a small Java app that I wrote awhile ago that will validate a digital signature. When we ran that Java app, the digital signature validated successfully (i.e., the digital signature was GOOD).
    This seems to imply that the "failed to validate token signature" errors are happening because of something other than the digital signature being incorrect.
    So, then, we created a certificate that matches the 3rd party CA certs almost exactly, except that we did not include the two extended usage extensions, and we configured the two WebLogic instances to use this new certificate.
    When we tested with the new certificate, we no longer got the errors.
    So, it appears that when the cert has those two enhanced usage extensions, WebLogic is either not willing to, or not able to, utilize the certs for validating digital signatures.
    Does anyone have any insight into this problem, or has anyone encountered a problem like this before?
    I also was wondering if there are any parameters for WebLogic that we might try to set that would tell WebLogic to perhaps ignore the certificate extensions and to just do the digital signature validation?
    Thanks,
    Jim

    Hi,
    FYI, we were able to resolve this problem today. It turned out to be that the certificate and key were not "matched".
    The way that we figured this out was to use openssl and the procedure here:
    http://kb.wisc.edu/middleware/page.php?id=4064
    which showed the mismatch.
    We've since generated a new cert request and got a new certificate, and it's working now.
    Jim
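Added example (not from the thread) of the cert/key matching check Jim describes, done in Java against a JKS keystore instead of with openssl: it signs a constructed probe with the alias's private key and verifies it with the public key of the certificate stored under the same alias. The keystore path, password and alias are hypothetical command-line arguments.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Checks that the private key under a keystore alias belongs to the certificate stored with it. */
public class KeyCertMatch {

    // JCA signature algorithm for a key type; EC keys report "EC" but the algorithm suffix is "ECDSA".
    static String sigAlgFor(String keyAlg) {
        return "SHA256with" + ("EC".equals(keyAlg) ? "ECDSA" : keyAlg);
    }

    // Sign a constructed probe with the private key and verify it with the certificate's public key.
    // A key that does not belong to the certificate fails verification, which is exactly the
    // "matched" property a signing configuration depends on.
    static boolean keyMatchesCert(PrivateKey priv, Certificate cert) throws Exception {
        if (!priv.getAlgorithm().equals(cert.getPublicKey().getAlgorithm())) return false;
        byte[] probe = "key/cert match probe".getBytes(StandardCharsets.UTF_8); // constructed input
        Signature signer = Signature.getInstance(sigAlgFor(priv.getAlgorithm()));
        signer.initSign(priv);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlgFor(priv.getAlgorithm()));
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        try {
            return verifier.verify(sig);
        } catch (SignatureException e) { // malformed for this key, e.g. wrong RSA modulus size
            return false;
        }
    }

    static boolean checkAlias(KeyStore ks, String alias, char[] keyPass) throws Exception {
        PrivateKey priv = (PrivateKey) ks.getKey(alias, keyPass);
        Certificate cert = ks.getCertificate(alias);
        if (priv == null || cert == null) return false; // no key entry or no certificate under alias
        return keyMatchesCert(priv, cert);
    }

    // Usage: java KeyCertMatch <keystore.jks> <storepass> <alias> [keypass]
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        char[] keyPass = (args.length > 3 ? args[3] : args[1]).toCharArray();
        Certificate cert = ks.getCertificate(args[2]);
        if (cert instanceof X509Certificate) {
            System.out.println("certificate: " + ((X509Certificate) cert).getSubjectX500Principal());
        }
        System.out.println("key matches certificate: " + checkAlias(ks, args[2], keyPass));
    }
}
```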

  • SAML assertion was used to sign a message, the verification of signature us

    CR325776, CR301621, CR331147
    When SAML assertion was used to sign a message, the verification of signature used to fail with NullPointerException.
    This problem has been resolved.
    We have 9.2 MP2 as our ALDSP weblogic server. Is there any way to do a smart Update from MP2 to MP3?
    Can it be done behind the proxy, ie., download the patch and install ?
    Our Unix server is Solaris. Please let us know.
    Thanks.

    we got the update and this has been resolved as we have installed weblogic 10.

  • ID4220 SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken. Please help!

    Hi Everyone,
    I really would appreciate some help or pointers on my situation. I have a SharePoint 2013 farm, 1 server is the DC and runs SQL, the other is the WFE Server with SharePoint and ADFS. I've configured Active Directory Certification Services and followed an excellent ADCS blog here.
    I've gone ahead and configured ADFS and believe my Certificates to be sound as I have no warnings or anything for the Service Communication, Token Signing nor Token Decrypting Certificate. Below are my certs.
    I also configured the trusted relying party following numerous blogs (I did this a couple of times to make sure I didn't do anything wrong) but followed this blog.
    My Adfs RP looks like this:
    Upon configuring the relying trust for my SharePoint Web Application, I used a powershell script, added 3 claim mappings and specified the exported token signing certificate as the main certificate. Running Get-SPTrustedIdentityTokenIssuer I can confirm that I've added the Token Issuer, what I believe to be correct:
    ProviderUri                   : https://adfsportal.mvdb.com/adfs/ls/
    DefaultProviderRealm          : urn:sharepoint:adfs
    ProviderRealms                : {}
    ClaimTypes                    : {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn, 
                                    http://schemas.microsoft.com/ws/2008/06/identity/claims/role, 
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress}
    HasClaimTypeInformation       : True
    ClaimTypeInformation          : {Email Address, Account ID, Role}
    ClaimProviderName             : 
    UseWReplyParameter            : False
    UseWHomeRealmParameter        : False
    RegisteredIssuerName          : 
    IdentityClaimTypeInformation  : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
    Description                   : ADFS SAML Provider
    SigningCertificate            : [Subject]
                                      CN=tokensigning.adfs.mvdb.com
                                    [Issuer]
                                      CN=mvdb-MVDBPRIME-CA, DC=mvdb, DC=com
                                    [Serial Number]
                                      24000000036DEE002044F8EC45000000000003
                                    [Not Before]
                                      2014-03-24 10:35:17 AM
                                    [Not After]
                                      2016-03-23 10:35:17 AM
                                    [Thumbprint]
                                      ED85DB5F1FF564FD7F645E365EB52C2DB406B825
    AdditionalSigningCertificates : {}
    MetadataEndPoint              : 
    IsAutomaticallyUpdated        : False
    Name                          : SAML Provider
    TypeName                      : Microsoft.SharePoint.Administration.Claims.SPTrustedLoginProvider
    DisplayName                   : SAML Provider
    Id                            : 2f59bcca-6ee1-43ae-b9fa-f1b415cdd58b
    Status                        : Online
    Parent                        : SPSecurityTokenServiceManager Name=SecurityTokenServiceManager
    Version                       : 22046
    Properties                    : {}
    Farm                          : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties   : {}
    So then I went and extended my Web Application, added a host header (secured with wildcard cert) and chose my trusted provider I've just added with the script. When logging on, sure enough, I get prompted with the login dropdown but as soon as I choose the adfs option I get:
    ID4220: The SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver. To handle advanced token resolution requirements, extend Saml11TokenSerializer and override ReadToken
    So far I have not been able to get further than this. I've double checked that I have given permissions on the token signing cert's private keys (read permissions on the ADFS service account as well as Network Service).
    Please help!
    -Mike

    Hi,
    According to your post, my understanding is that you got the “ID4220 SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken” error.
    I recommend running the Get-SPTrustedIdentityTokenIssuer PowerShell command on the SharePoint server and looking at the Trusted Identity Token Issuer to see whether the associated certificate is the correct version of the ADFS Token Signing certificate.
    If you exported the ADFS Communication Certificate for the ADFS Login URL instead of the ADFS Token Signing Certificate, please export the correct version of the ADFS Token Signing Certificate and rerun the following command on the SharePoint servers using the SharePoint install account to associate the correct version of the ADFS signing certificate with the SharePoint TrustedIdentityTokenIssuer; it should resolve the issue.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Host\ADFS Signing.cer")
    $sts = Get-SPTrustedIdentityTokenIssuer
    $sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert
    More information:
    SharePoint and ADFS Configuration Error – ID4220: The SAML Assertion is either not signed or the signature’s KeyIdentifier cannot be resolved to a SecurityToken
    Thanks,
    Linda Li
    Forum Support

  • Verify signature on SAML assertion

    I've already asked this question on StackOverflow (http://stackoverflow.com/questions/25394137/verify-signature-on-saml-assertion), but I'm hoping to get a better response here. I'm trying to validate some SAML that looks like this:
    <samlp2:Response Destination="http://www.testhabaGoba.com" ID="ResponseId_934151edfe060ceec3067670c2f0f1ea" IssueInstant="2013-09-24T14:33:29.507Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    </ds:Signature>
    <saml2:Assertion ID="SamlAssertion-05fd8af7f2c9972e69cdbca612d3f3b8" IssueInstant="2013-09-24T14:33:29.496Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    </ds:Signature>
    </saml2:Assertion>
    </samlp2:Response>
    The signature on the response always passes, but the signature on the assertion always fails. Even when I use a SAML that doesn't sign the response the assertion signature fails. Here's a condensed version of the code I'm using:
    foreach (XmlElement node in xmlDoc.SelectNodes("//*[local-name()='Signature']"))
    {
        // Verify this Signature block
        SignedXml signedXml = new SignedXml(node.ParentNode as XmlElement);
        signedXml.LoadXml(node);
        KeyInfoX509Data x509Data = signedXml.Signature.KeyInfo.OfType<KeyInfoX509Data>().First();
        // Verify certificate
        X509Certificate2 cert = x509Data.Certificates[0] as X509Certificate2;
        log.Info(string.Format("Cert s/n: {0}", cert.SerialNumber));
        VerifyX509Chain(cert); // Custom method
        // Check for approval
        X509Store store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection collection = store.Certificates.Find(X509FindType.FindBySerialNumber, cert.SerialNumber, true);
        Debug.Assert(collection.Count == 1); // Standing in for brevity
        // Verify signature
        signedXml.CheckSignature(cert, true);
    }
    Everything works except the CheckSignature method. It's the only thing that fails and it always fails the SAML assertion. What am I doing wrong?

    Hello Matthew T. Ricks,
    Personally after reading your post I don't think this issue is related to this forum "Discuss and ask questions about the C# programming language, IDE, libraries, samples, and tools."
    The problem is due to a SAML assertion failure, and I read something like this
    http://docs.oracle.com/cd/E21455_01/common/tutorials/authn_saml_xml_sig.html to know what SAML is and how it works. I would recommend you consult a SAML-related forum to ask this question.
    Regards,
    Barry

  • Invoke a Webservice that return a SAML assertion

    Dear Developers,
    how can I invoke a synchronous web service (AuthenticateUserService) that returns an authentication assertion (SAML assertion) and then use this authentication assertion to invoke another service?
    The AuthenticateUserService has one web service method "login" with the following parameter: loginRequest (with the attributes user and pass, which are necessary for logon)
    loginResponse (with the response attributes authentication assertion and response message)
    The authentication assertion will be used to invoke another web service.
    thanks in advance

    Sorry my entity is like this...
    @Entity
    @Table(name = "V_I_ORGANISATIONS")
    class InternalOrganisationImpl implements InternalOrganisation {
        @Id
        @Column(name = "IO_ID")
        @ManyToOne(cascade=javax.persistence.CascadeType.ALL)
        private Long id;
        @OneToOne
        @JoinColumn(name = "IO_PARENT_ID")
        private InternalOrganisation parent;
        @OneToMany(mappedBy="parent", fetch=FetchType.LAZY)
        private List<InternalOrganisation> children;
        public List<InternalOrganisation> getChildrenOrganisation(Long id){
            return children;
        }
    }
    This example is for a hierarchical table/entity but for other cases, the problem is the same...
    No dao there in of course!
    When I do this I've an error "reference to an unknown entity ... *InternalOrganisation*" (problem is the getChildren method)
    Yes it's normal as InternalOrganisation is an interface.
    So it's not possible to create interfaces for entities?
    But how to create a webservices that return entities as those entities contains jpa annotations?
    Edited by: paf.be on May 16, 2008 9:54 AM

  • Help regarding SAML Assertion

    Can any one tell me what SAML assertion is all about?? and I just want to try out sample steps pertaining to SAML assertion in my policy editor.
    So can any one of you kindly tell me a simple use case that you have tried out with SAML assertion, in the sense of what steps are to be added in the request pipeline and what the configuration points are in each step.
    I am stuck with this use case.
    Can any one of you OWSM gurus teach me this?
    And at the same time, can you guys suggest to me a sample document where I can get a use case pertaining to SAML Assertion and WS-Security?

    Thanks for your prompt reply Yogesh. I have created the keystore using the keytool utility (say keystore location=C:\helloworld.jks and keystorepassword=welcome1). This is the password that I created.
    Firstly,
    Creating the keystore: I have used a command something like:
    C:\>keytool -v -genkey -keyalg RSA -keysize 1024 -keystore owsm_client -storepass clientpass -alias client -keypass client
    What is your first and last name?
    [Unknown]: manoj
    What is the name of your organizational unit?
    [Unknown]: ebi
    What is the name of your organization?
    [Unknown]: wipro
    What is the name of your City or Locality?
    [Unknown]: bangalore
    What is the name of your State or Province?
    [Unknown]: karnataka
    What is the two-letter country code for this unit?
    [Unknown]: IN
    Is CN="manoj ", OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN correct?
    [no]:
    Is CN="manoj ", OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN correct?
    [no]:
    What is your first and last name?
    [manoj ]: manoj
    What is the name of your organizational unit?
    [ebi]: ebi
    What is the name of your organization?
    [wipro]: wipro
    What is the name of your City or Locality?
    [bangalore]: bangalore
    What is the name of your State or Province?
    [karnataka]: karnataka
    What is the two-letter country code for this unit?
    [IN]: IN
    Is CN=manoj, OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN correct?
    [no]: yes
    Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)
    for: CN=manoj, OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN
    [Storing owsm_client]
    C:\>keytool -keystore Helloworld.jks -genkey -keyalg RSA -alias Helloworld -dname "cn=IN, ou=ebi, o=wipro, L=bangalore, ST=karnataka"
    Enter keystore password: welcome1
    Enter key password for <Helloworld>
    (RETURN if same as keystore password): welcome1
    This is what I did. So I guess the creation part of the keystore is done.
    Now I'll tell you the steps that I have used:
    In my request pipeline (gateway):
    1>extract credentials
    2>file authenticate (against .htpasswd)
    3>insert saml token 1.0 vouches
    (Keystore location is specified above, and the signature method was RSA-MD5)
    After this I committed the policy and then tried to test my page.
    The fault that it was throwing was: FAULT MESSAGE: Signing error:FAULT CODE: InvalidSecurity FAULT MESSAGE: Signature key not found
    Can you please tell me why the signature key is not found despite creating a Java keystore? Is it possible that the signature key is not found because of that certificate?
    Can you please tell me what kind of certificate I should take: a VeriSign SSL test certificate or anything else?
    I hope you would revert to me as soon as possible, and could you kindly send me the link where I might get that test certificate.
    I do have some doubts in policy editor options:
    What does that "assertion issuer" do?
    What is that "subject format"? (I made it unspecified. If so, how do I send that format?)
    What does this do: User Attributes for attribute statements string[]
    What does this do: Corresponding namespace URIs for the user attributes string[]
    I am thinking of a scenario something like this.
    In the test page I'll be sending the request.
    The policy manager of the gateway intercepts and does the following:
    1) it'll extract credentials (based on standard username and token (WS-Basic))
    2) it authenticates the user against a file (.htpasswd)
    3) upon successful authentication, the next step would be the Insert SAML token 1.0 sender-vouches step
    This ends the gateway part.
    The request is then passed to the web service, and the request is intercepted by the server agent before sending the request to the web service.
    The server agent does the following:
    3) verifies the SAML token that was created by the gateway before, and upon successful verification it sends the request to the web service.
    So I think (correct me if I am wrong) I need to make the policies in the request pipelines of the gateway and the server agent. I don't want to lay any policy on the response message as of now.
    Could you tell me if this scenario works fine with OWSM?
    Could you tell me what that keystore is doing for me?
    Hope you would do the needful and revert to me as soon as possible.
    Thanks and regards
    Mahes
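    Before changing the policy, it is worth confirming what the keystore the policy points at actually contains: a signer cannot find its key when the alias is absent, when the alias holds only a certificate rather than a private key, or when the key password is wrong. The post above creates two keystores (owsm_client with alias client, and Helloworld.jks with alias Helloworld), so the policy must reference one of them consistently. The check below is an added example written for this thread, not OWSM code; the path, alias and passwords are taken from the post and the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class SigningKeyCheck {

    /**
     * Returns true only if a private key plus certificate exist under alias
     * and the key password opens it; otherwise prints why and returns false.
     */
    public static boolean hasSigningKey(String path, char[] storePass,
                                        String alias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // the post creates .jks files
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);                // wrong storepass fails here
        }
        if (!ks.containsAlias(alias)) {
            System.out.println("alias '" + alias + "' not present; aliases are: "
                    + Collections.list(ks.aliases()));
            return false;
        }
        if (!ks.isKeyEntry(alias)) {
            System.out.println(alias + " is a trusted-certificate entry, not a key entry");
            return false;
        }
        // Throws UnrecoverableKeyException when keyPass is wrong.
        Key key = ks.getKey(alias, keyPass);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.println("key algorithm: " + key.getAlgorithm()
                + ", certificate subject: " + cert.getSubjectX500Principal());
        return key instanceof PrivateKey;
    }

    public static void main(String[] args) throws Exception {
        // Defaults mirror the second keystore created in the post; override on the command line.
        String path  = args.length > 0 ? args[0] : "C:\\Helloworld.jks";
        String alias = args.length > 1 ? args[1] : "Helloworld";
        boolean ok = hasSigningKey(path, "welcome1".toCharArray(), alias, "welcome1".toCharArray());
        System.out.println(ok ? "signing key usable" : "signing key NOT usable");
    }
}
```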

  • NameQualifier missing in SAML assertion generated by WebLogic 10gR3

    I configured a SAML Credential Mapping Provider of type SAMLCredentialMapperV2 in WebLogic 10gR3. I entered "bea" for the NameQualifier field but the generated SAML assertion contains
    <Subject><NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myUser</NameIdentifier> ...
    where NameQualifier is missing.
    In WebLogic 9.2, the generated SAML assertion would contain
    <Subject><NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="bea">myUser</NameIdentifier> ...
    Is there any way to work around this problem? Thanks.

  • Problem signing in to adobe reader. Have a valid account but keeps coming up 'network error'.

    Had a problem signing in to my adobe reader account for about a week now.
    Use the PDF pack to convert Excel into PDF and have been using this for 6 months without any previous issues.
    Just comes up with 'network error occurred while trying to sign in' but my network is working fine and no other problems with my computer or network.
    I have tried unloading and reinstalling the PDF pack but makes no difference.
    Completely stuck, please help!

    Hi Sara,
    Thanks for the quick response.
    I am using the latest version of Reader XI.
    I can log in directly through cloud.acrobat.com, so that is a way around the issue, but I still need the use of the PDF pack ideally.
    If I try to log in to acrobat.com via the Adobe Reader XI homepage then it comes up with the following: "We can't seem to find the internet. Please check your connection and try again."
    I am using my home wifi connection with no problems on any other computers or devices.

  • I'm trying to do iTunes Match. I get to the third part, which says gathering artwork and songs, and about half way through it stops and says there is a problem, sign out and sign in again, which I do and still it happens. Getting really frustrated, please help

    Hi, I'm having problems loading iTunes Match. Every time it gets to the third installment it stops and tells me there is a problem, sign out and sign in again, which I do, and still the same problem. I did get an email saying notice about your Apple ID and to verify now, but when I go to the page it's saying 404 not found. I'm now ready to ditch Apple products and go elsewhere; everywhere I turn there's a problem. This is my final calling, please help.

  • Problems signing in to PSE/PRE Forum and Customer Service

    Hello. I am presently running PSE/PRE8 on a Win8 computer with 12GB memory and a 1TB HDD. I am searching for information on PSE/PRE12. However, I am having problems with my PW/ID. I understand that Photoshop.com has been eliminated and this is the source of my sign-in problem. I change my PW and the new PW works for a while, and then it becomes the incorrect PW or User ID. Also, I added a new email address to support email problems. I was sent an email to click a verify link, but the link was not included and the email was a noreply. I cannot contact Customer Service because it is sending noreply emails. I was able to sign in to the forum during my last visit but was told that I was not eligible to post messages nor answer posts. I need to be able to reach Customer Service but I presently do not have a method to contact it. Thanks.

    Hello Jorma. Thanks for the response; however, I cannot locate your response to my "Problems signing in to PSE/PRE forum and Customer Service". I checked the Photoshop Elements forum but I was not able to locate the subject.

  • Parse a SAML assertion

    I want to parse a SAML assertion from an Identity Provider and use some of the data for identity injection. Anyway, the Java identity injection plug-in cannot access the SAML assertion; it can only access the username and password using the ExternalDataFillerContext object.
    Is it possible to extend the authentication class to parse the SAML assertion and write out the data to the customisation profile? Which method or property returns the SAML assertion?
    Thank you,
    Alessandro
    afolli
    afolli's Profile: http://forums.novell.com/member.php?userid=6964
    View this thread: http://forums.novell.com/showthread.php?t=398904

    Hi. Thanks for the answer.
    I have two federated domains. The user requests a resource on domainA and he's redirected to IdpA for authentication. The user authenticates on IdpB and returns back. At this point I need to extract some info from the SAML assertion returned by IdpB.
    Do you think it's possible?
    Thanks,
    Alessandro
    mumasankar;1926007 Wrote:
    > The assertions are not stored on the session. It is a little confusing
    > when you say you want to parse a SAML assertion from the authentication
    > class. Usually, after authentication is done (after the authentication class
    > finished executing), the response will be generated by the IDP and
    > assertion creation is part of the response.
    >
    > Can you please give details of your use case ?
    >
    > Regards,
    > Uma.
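    Both the WebLogic thread (NameQualifier missing from the generated NameIdentifier) and the question above (pulling data out of a received assertion) come down to reading the SAML 1.x Subject with a namespace-aware parser and treating NameQualifier as optional. The code below is an added example, not WebLogic or Novell Access Manager code; the class and method names are my own, and the inline assertion is constructed to mirror the 10gR3 output quoted in that thread.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class NameIdentifierCheck {
    static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    /** Returns {Format, NameQualifier, value}; NameQualifier is null when the attribute is absent. */
    public static String[] readNameIdentifier(String assertionXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required so the saml: prefix resolves to SAML1_NS
        // The assertion comes from another party: refuse DTDs and external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(assertionXml.getBytes(StandardCharsets.UTF_8)));
        NodeList ids = doc.getElementsByTagNameNS(SAML1_NS, "NameIdentifier");
        if (ids.getLength() != 1) {
            throw new IllegalArgumentException(
                    "expected exactly one NameIdentifier, found " + ids.getLength());
        }
        Element id = (Element) ids.item(0);
        String qualifier = id.hasAttribute("NameQualifier") ? id.getAttribute("NameQualifier") : null;
        return new String[] { id.getAttribute("Format"), qualifier, id.getTextContent().trim() };
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the shape of the WebLogic 10gR3 output: no NameQualifier.
        String sample = "<saml:Assertion xmlns:saml=\"" + SAML1_NS + "\" MajorVersion=\"1\" MinorVersion=\"1\">"
                + "<saml:AuthenticationStatement><saml:Subject>"
                + "<saml:NameIdentifier Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">"
                + "myUser</saml:NameIdentifier>"
                + "</saml:Subject></saml:AuthenticationStatement></saml:Assertion>";
        String[] r = readNameIdentifier(sample);
        System.out.println("Format=" + r[0] + " NameQualifier=" + r[1] + " value=" + r[2]);
        if (r[1] == null) {
            System.out.println("NameQualifier absent: a relying party that matches subjects on it has nothing to compare");
        }
    }
}
```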
