SAML SSO integration with ADFS - Unable to verify signature - Cannot resolve element with ID
andriy.bulynko, Sep 26, 2013 6:36 PM

We're looking at implementing federated logon with ADFS. We're trying to use SPFilter (picketlink-2.5.2.Final) on Tomcat 7. When attempting to validate signed content inside the samlp:Response from ADFS, the following exception occurs in the SPFilter (see below).
Debugging the code we were able to see that the problem has to do with the doc.getElementById(id) call inside the ResolverFragment::engineResolveURI() method. It seems that even though the document has an element with the correct ID attribute, that element is not getting picked up by the getElementById() call (i.e. ID attribute is not of ID type). Is this a configuration issue on our end or a bug in picketlink?
[2013-09-26 18:16:08,612] ERROR org.picketlink.identity.federation.web.filters.SPFilter(601) verifySignature (http-bio-18443-exec-4)- Unable to verify signature
javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _8590a3df-21e3-4865-9094-eede1f59b1f8
at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:421)
at org.apache.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:383)
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:267)
at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:494)
at org.picketlink.identity.federation.web.filters.SPFilter.verifySignature(SPFilter.java:591)
at org.picketlink.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:270)
at com.signiant.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:20)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Caused by: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _8590a3df-21e3-4865-9094-eede1f59b1f8
at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:122)
at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:415)
... 22 more
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _8590a3df-21e3-4865-9094-eede1f59b1f8
at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:85)
at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:295)
at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:280)
at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:115)
... 23 more
javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _8590a3df-21e3-4865-9094-eede1f59b1f8
at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:122)
at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:415)
at org.apache.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:383)
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:267)
at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:494)
at org.picketlink.identity.federation.web.filters.SPFilter.verifySignature(SPFilter.java:591)
at org.picketlink.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:270)
at com.signiant.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:20)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _8590a3df-21e3-4865-9094-eede1f59b1f8
at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:85)
at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:295)
at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:280)
at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:115)
... 23 more
[2013-09-26 18:16:08,613] ERROR org.picketlink.identity.federation.web.filters.SPFilter(323) doFilter (http-bio-18443-exec-4)- Server Exception:
javax.servlet.ServletException: PL00009: Invalid Digital Signature:Cannot verify sender
at org.picketlink.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:271)
at com.signiant.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:20)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
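The question points at the mechanics behind the "Cannot resolve element with ID" error: a namespace-aware DOM parsed without a DTD or schema does not know that a SAML "ID" attribute is of ID type, so Document.getElementById() returns null and the ds:Reference URI "#..." cannot be dereferenced. The example below is added here for illustration and is not PicketLink code or anything from the original post. It parses a constructed, unsigned SAML-shaped document (placeholder ID values, not the ones in the log), shows that getElementById() fails, then declares the ID attributes on the expected SAML elements as ID-typed with Element.setIdAttribute() so the lookup succeeds. The class and method names are my own, and the hardened parser settings are an assumption about how a service provider would want to parse untrusted XML.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlIdAttributeCheck {

    private static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample: unsigned, minimal, placeholder ID values.
    private static final String SAMPLE =
        "<samlp:Response xmlns:samlp=\"" + SAMLP + "\" xmlns:saml=\"" + SAML + "\""
      + " ID=\"_response-placeholder\">"
      + "<saml:Assertion ID=\"_assertion-placeholder\">"
      + "<saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>"
      + "</saml:Assertion></samlp:Response>";

    /** Namespace-aware parse with external entity processing disabled (untrusted input). */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // XML-DSig reference resolution needs namespace-aware DOM
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Declare the "ID" attribute of samlp:Response and saml:Assertion elements as ID-typed
     * so Document.getElementById() resolves them. Rejects documents in which the same ID
     * value appears more than once, since an ambiguous lookup must never feed a
     * signature check. Returns the number of elements marked.
     */
    static int registerSamlIds(Document doc) {
        String[][] targets = { { SAMLP, "Response" }, { SAML, "Assertion" } };
        Set<String> seen = new HashSet<>();
        int count = 0;
        for (String[] t : targets) {
            NodeList nodes = doc.getElementsByTagNameNS(t[0], t[1]);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element e = (Element) nodes.item(i);
                if (!e.hasAttribute("ID")) {
                    continue;
                }
                String id = e.getAttribute("ID");
                if (!seen.add(id)) {
                    throw new IllegalArgumentException("duplicate ID value: " + id);
                }
                e.setIdAttribute("ID", true); // the actual fix: mark the attribute as ID type
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE);
        // Without a DTD or schema the parser cannot know "ID" is an ID attribute: prints null.
        System.out.println("before: " + doc.getElementById("_assertion-placeholder"));
        int marked = registerSamlIds(doc);
        Element found = doc.getElementById("_assertion-placeholder");
        System.out.println("marked " + marked + " element(s); after: "
            + (found == null ? "null" : found.getTagName()));
    }
}
```

The registration must happen on the same Document instance that is later handed to the XMLSignature validator, before validation runs; re-parsing the bytes produces a fresh DOM without the ID declarations. Marking only the element types the service provider expects, and refusing documents with repeated ID values, keeps the ID-to-element mapping unambiguous, which is what the digest over a ds:Reference relies on.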