0 Replies Latest reply on Sep 26, 2013 6:36 PM by andriy.bulynko

    SAML SSO integration with ADFS  - Unable to verify signature - Cannot resolve element with ID

    andriy.bulynko

      We're looking at implementing federated logon with ADFS. We're trying to use SPFilter (picketlink-2.5.2.Final) on Tomcat 7. When attempting to validate signed content inside the samlp:Response from ADFS, the following exception occurs in the SPFilter (see below).

      Debugging the code, we were able to see that the problem has to do with the doc.getElementById(id) call inside the ResolverFragment::engineResolveURI() method. It seems that even though the document has an element with the correct ID attribute, that element is not getting picked up by the getElementById() call (i.e. the ID attribute is not of ID type). Is this a configuration issue on our end or a bug in picketlink?

      [2013-09-26 18:16:08,612] ERROR org.picketlink.identity.federation.web.filters.SPFilter(601) verifySignature (http-bio-18443-exec-4)- Unable to verify signature
      javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _8590a3df-21e3-4865-9094-eede1f59b1f8
          at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:421)
          at org.apache.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:383)
          at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:267)
          at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:494)
          at org.picketlink.identity.federation.web.filters.SPFilter.verifySignature(SPFilter.java:591)
          at org.picketlink.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:270)
          at com.signiant.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:20)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
          at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
          at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
          at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
          at java.lang.Thread.run(Thread.java:724)
      Caused by: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _8590a3df-21e3-4865-9094-eede1f59b1f8
          at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:122)
          at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:415)
          ... 22 more
      Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _8590a3df-21e3-4865-9094-eede1f59b1f8
          at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:85)
          at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:295)
          at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:280)
          at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:115)
          ... 23 more
      javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _8590a3df-21e3-4865-9094-eede1f59b1f8
          at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:122)
          at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:415)
          at org.apache.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:383)
          at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:267)
          at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:494)
          at org.picketlink.identity.federation.web.filters.SPFilter.verifySignature(SPFilter.java:591)
          at org.picketlink.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:270)
          at com.signiant.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:20)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
          at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
          at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
          at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
          at java.lang.Thread.run(Thread.java:724)
      Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _8590a3df-21e3-4865-9094-eede1f59b1f8
          at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:85)
          at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:295)
          at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:280)
          at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:115)
          ... 23 more
      [2013-09-26 18:16:08,613] ERROR org.picketlink.identity.federation.web.filters.SPFilter(323) doFilter (http-bio-18443-exec-4)- Server Exception:
      javax.servlet.ServletException: PL00009: Invalid Digital Signature:Cannot verify sender
          at org.picketlink.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:271)
          at com.signiant.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:20)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
          at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
          at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
          at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
          at java.lang.Thread.run(Thread.java:724)
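The failing lookup the post describes, reproduced as an added example that is not part of the thread, of PicketLink, or of Apache Santuario. Python's xml.dom.minidom stands in for the Java DOM that ResolverFragment queries: in both, getElementById() only finds an element whose ID attribute has been typed as an ID (by a DTD/schema or by an explicit setIdAttribute call), so a samlp:Response parsed without either has an element with the right ID value that the lookup still cannot see. The sample Response, its placeholder digest/signature values and the helper names below are constructed for the demo; only the ID value is taken from the trace above.

```python
# Added example (not PicketLink or thread code): why doc.getElementById()
# returns nothing for a SAML Response parsed without a DTD/schema, and how an
# SP should declare the ID attributes before resolving "#_id" references.
# Python's xml.dom.minidom stands in for the Java DOM that Apache Santuario's
# ResolverFragment queries; the DOM Level 3 ID-typing rule is the same.
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (not a real ADFS response): a samlp:Response carrying an
# enveloped-signed saml:Assertion whose ds:Reference points at the assertion
# by fragment ID. Digest and signature values are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_resp-1" Version="2.0">
  <saml:Assertion ID="_8590a3df-21e3-4865-9094-eede1f59b1f8" Version="2.0">
    <ds:Signature xmlns:ds="{DSIG_NS}">
      <ds:SignedInfo>
        <ds:Reference URI="#_8590a3df-21e3-4865-9094-eede1f59b1f8">
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>BBBB</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def reference_uri(doc):
    """Return the fragment ID named by the first ds:Reference/@URI."""
    ref = doc.getElementsByTagNameNS(DSIG_NS, "Reference")[0]
    uri = ref.getAttribute("URI")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted: %r" % uri)
    return uri[1:]


def resolve_naively(doc):
    """What ResolverFragment effectively does: doc.getElementById(). With no
    DTD or schema applied, the parser never marked ID as an ID-typed
    attribute, so this returns None even though the element is present."""
    return doc.getElementById(reference_uri(doc))


def register_saml_ids(doc):
    """Declare ID as ID-typed only on the elements SAML defines it for
    (samlp:Response, saml:Assertion), and refuse a document in which two
    elements share an ID value. Returns the number of elements registered."""
    seen = set()
    count = 0
    for ns, local in ((SAMLP_NS, "Response"), (SAML_NS, "Assertion")):
        for el in doc.getElementsByTagNameNS(ns, local):
            if not el.hasAttribute("ID"):
                continue
            value = el.getAttribute("ID")
            if value in seen:
                raise ValueError("duplicate ID %r: reference would be ambiguous" % value)
            seen.add(value)
            el.setIdAttribute("ID")  # Java DOM: Element.setIdAttribute("ID", true)
            count += 1
    return count


def resolve_signed_element(doc):
    """Register IDs, resolve the reference, then confirm the element the
    signature covers is the assertion the SP is about to consume."""
    register_saml_ids(doc)
    target = doc.getElementById(reference_uri(doc))
    if target is None:
        raise ValueError("signature reference does not resolve")
    assertion = doc.getElementsByTagNameNS(SAML_NS, "Assertion")[0]
    if not target.isSameNode(assertion):
        raise ValueError("signature covers an element other than the consumed assertion")
    return target


def demo():
    """Returns (naive lookup result, ID of the element resolved after registration)."""
    doc = minidom.parseString(SAMPLE_RESPONSE)
    before = resolve_naively(doc)
    after = resolve_signed_element(doc)
    return before, after.getAttribute("ID")


def rejects_duplicate_id():
    """A second saml:Assertion reusing the signed assertion's ID must be
    refused; otherwise which element "#_id" denotes depends on traversal order."""
    wrapped = SAMPLE_RESPONSE.replace(
        "</samlp:Response>",
        '<saml:Assertion ID="_8590a3df-21e3-4865-9094-eede1f59b1f8" Version="2.0">'
        "<saml:Subject><saml:NameID>mallory</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>")
    try:
        resolve_signed_element(minidom.parseString(wrapped))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())                  # (None, '_8590a3df-21e3-4865-9094-eede1f59b1f8')
    print(rejects_duplicate_id())  # True
```

The Java counterpart of the fix is to call Element.setIdAttributeNS(null, "ID", true) on the Response and Assertion elements (or to parse against a schema that types the attribute) before XMLSignature.validate runs; whether the PicketLink parsing path on this version does that is exactly what the question above asks, and the example does not settle it. Two points carry over regardless of library: only type ID on the elements SAML defines it for, and treat a document with two elements sharing an ID value as invalid rather than letting the DOM pick one.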