0 Replies Latest reply on Jun 6, 2018 7:40 AM by indranilrc

    EAP 6.4 + KeyCloak 3.4.3 - SAML logout error while validating signature

    indranilrc

I am trying to perform an integration between the sample picketlink SP application https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-federation-saml-sp-post-with-signature and the Keycloak 3.4.3 IDP. The integration is based on HTTP POST with signatures.

       

I have created the IDP certificate and client certificates (both are self-signed and created using keytool for testing purposes) and configured them in the Keycloak IDP through the admin console (see the attached document with Keycloak admin console snapshots - KeyCloak_Client_1.doc). On the IDP side the IDP keystore was configured as a Java keystore provider, and on the SP side the IDP certificate was imported into the keystore and referred to in the ValidatingAlias element of the picketlink configuration.

       

On the SP application side I added sample index.jsp and logout pages to the SP picketlink application (sourced from the https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-federation-saml-sp-post-basic project). The picketlink configuration is as follows:

       

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                  ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true" LogOutPage="/logout.jsp">
        <IdentityURL>http://localhost:8180/auth/realms/Nodes/protocol/saml</IdentityURL>
        <ServiceURL>http://127.0.0.1:8080/sales-post-sig/</ServiceURL>
        <Trust>
            <Domains>127.0.0.1,localhost,jboss.com,jboss.org,amazonaws.com</Domains>
        </Trust>
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="/server.keystore" />
            <Auth Key="KeyStorePass" Value="pass1" />
            <Auth Key="SigningKeyPass" Value="pass1" />
            <Auth Key="SigningKeyAlias" Value="testalias" />
            <ValidatingAlias Key="localhost" Value="idptest" />
            <ValidatingAlias Key="127.0.0.1" Value="idptest" />
        </KeyProvider>
    </PicketLinkSP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
    </Handlers>
</PicketLink>

Using the aforesaid configuration the login process works as expected (the login request - SAMLLoginRequest.xml, the response - SAMLLoginResponse.xml, and the logout request - SAMLLogoutRequest.xml are all signed - see attached); that is, the application logs in the user correctly. However, during logout (using http://host:port/sales-post-sig/?GLO=true) the response (see attached SAMLLogoutResponse.xml) that is received by the EAP application is without any signature, and hence the signature validation fails at the SP side. The JBoss EAP log is as follows:

       

      12:58:49,468 ERROR [org.picketlink.common] (http-localhost/127.0.0.1:8080-1) Error validating signature:: java.lang.RuntimeException: PL00092: Null Value:Cannot find Signature element
          at org.picketlink.common.DefaultPicketLinkLogger.nullValueError(DefaultPicketLinkLogger.java:204)
          at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:498) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:309) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:120) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:91) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:58) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:101) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:83) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAML2Response(AbstractSPFormAuthenticator.java:494) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:473) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:344) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:272) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_151]
      
      12:58:49,473 ERROR [org.picketlink.common] (http-localhost/127.0.0.1:8080-1) Service Provider could not handle the request.: org.picketlink.common.exceptions.ProcessingException: PL00009: Invalid Digital Signature:Error validating signature.
          at org.picketlink.common.DefaultPicketLinkLogger.samlHandlerInvalidSignatureError(DefaultPicketLinkLogger.java:1602)
          at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:123) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:91) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:58) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:101) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:83) [picketlink-federation-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAML2Response(AbstractSPFormAuthenticator.java:494) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:473) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:344) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:272) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1]
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
          at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_151]

       

       

Is there any specific configuration required at the SP end to process the response without a signature, or should the logout response also be signed like the login response? If yes, what needs to be done to make sure that the logout response from Keycloak is also signed?
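The two stack traces above come from SAML2SignatureValidationHandler refusing a LogoutResponse that carries no ds:Signature element at all, which is a different failure from a signature that is present but does not verify. As an added example (not code from the post, from PicketLink or from Keycloak), the script below does the structural triage a practitioner would run on an attached SAMLLogoutResponse.xml or on the raw SAMLResponse form field of the HTTP-POST binding: it decodes the base64 payload, reports whether an enveloped ds:Signature is a direct child of the root, and whether its Reference URI points back at the root element's ID. It deliberately does not verify the signature (no key material is involved), so it tells you only which of the two failure modes you are looking at. The two messages it runs on are constructed samples; the issuer and destination URLs are taken from the configuration in the post, and the digest and signature values are placeholders.

```python
"""Triage helper for the SAML HTTP-POST binding: decode a SAMLResponse form
field and report whether the message carries an enveloped XML signature."""
import base64
from xml.etree import ElementTree as ET  # for untrusted input prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_post_binding(saml_response_param):
    """The POST binding carries the XML base64-encoded in the SAMLResponse field."""
    return base64.b64decode(saml_response_param).decode("utf-8")


def inspect_saml_response(xml_text):
    """Report the structural facts a signature validation handler checks first.

    No cryptographic verification happens here: the function only states whether
    a ds:Signature is a direct child of the root and whether its Reference covers
    the root element's ID, which is what an enveloped SAML signature must do.
    """
    root = ET.fromstring(xml_text)
    root_id = root.get("ID")
    sig = root.find("ds:Signature", NS)
    ref_uri = None
    if sig is not None:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is not None:
            ref_uri = ref.get("URI")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    return {
        "type": root.tag.split("}")[-1],  # e.g. "LogoutResponse"
        "id": root_id,
        "in_response_to": root.get("InResponseTo"),
        "issuer": issuer.strip() if issuer else None,
        "signed": sig is not None,
        "reference_uri": ref_uri,
        "reference_matches_id": sig is not None and root_id is not None and ref_uri == "#" + root_id,
        "status": status.get("Value") if status is not None else None,
    }


def triage(saml_response_param):
    """One-line verdict for an SP configured to require signed responses."""
    info = inspect_saml_response(decode_post_binding(saml_response_param))
    if not info["signed"]:
        return f"{info['type']} {info['id']}: no ds:Signature element; an SP with SupportsSignatures=true rejects it"
    if not info["reference_matches_id"]:
        return f"{info['type']} {info['id']}: signed, but Reference URI {info['reference_uri']!r} does not cover the root element"
    return f"{info['type']} {info['id']}: enveloped signature present, reference covers the root element"


# Constructed sample: what the post describes Keycloak returning (no signature).
UNSIGNED_LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_unsigned_example" Version="2.0" IssueInstant="2018-06-06T07:40:00Z"
    Destination="http://127.0.0.1:8080/sales-post-sig/" InResponseTo="ID_logout_request_example">
  <saml:Issuer>http://localhost:8180/auth/realms/Nodes</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""

# Constructed sample: the shape the SP expects (enveloped signature over the root;
# digest and signature values are placeholders, not real cryptographic output).
SIGNED_LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="ID_signed_example" Version="2.0" IssueInstant="2018-06-06T07:40:00Z"
    Destination="http://127.0.0.1:8080/sales-post-sig/" InResponseTo="ID_logout_request_example">
  <saml:Issuer>http://localhost:8180/auth/realms/Nodes</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#ID_signed_example">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER_DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER_SIGNATURE</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""

# The same two messages as they would arrive in the SAMLResponse POST field.
UNSIGNED_PARAM = base64.b64encode(UNSIGNED_LOGOUT_RESPONSE.encode()).decode()
SIGNED_PARAM = base64.b64encode(SIGNED_LOGOUT_RESPONSE.encode()).decode()

if __name__ == "__main__":
    print(triage(UNSIGNED_PARAM))
    print(triage(SIGNED_PARAM))
```

Run it against the real SAMLResponse value captured from the browser (the form field, not the rendered XML) to confirm which case applies; a "no ds:Signature element" verdict means the IDP never signed the message, so no SP-side validation setting will make it verify, while a signed message that still fails points at key or alias configuration instead.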