Hi team, I have tried SAML bearer in tenant mode and it is failing for signature validation. I have followed below steps to produce this:
- SP created for travelocity.com and an app for oauth(here myapp2) - Exported public certificate of the private key used at webapp side (here wso2carbon.cer) and imported this to tenant keystore. - Imported public key of tenant (here test.com) to webapp's keystore. - Modified travelocity.properties according to configurations. and the error log shows [2] Find the SAML configuration in attachment and jira has been raised for this [1] I could not get the point why this is failing and appreciate if anyone can clarify this issue. [1] https://wso2.org/jira/browse/IDENTITY-3625 [2] --------- [2015-09-24 14:21:59,074] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - Received a request : /oauth2/token [2015-09-24 14:21:59,074] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - ----------logging request headers.---------- [2015-09-24 14:21:59,074] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - content-type : application/x-www-form-urlencoded [2015-09-24 14:21:59,075] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - authorization : Basic bUdxWFNNdDd4RHhLNzEycjlHTEhMUFJMQUxRYTp4al9XWUdnb3F6cFN0VURKaTBNRDRnTm1QQ2Nh [2015-09-24 14:21:59,075] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - cache-control : no-cache [2015-09-24 14:21:59,075] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - pragma : no-cache [2015-09-24 14:21:59,075] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - user-agent : Java/1.7.0_80 [2015-09-24 14:21:59,075] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - host : localhost:9443 [2015-09-24 14:21:59,075] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - accept : text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 [2015-09-24 14:21:59,075] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - connection : keep-alive [2015-09-24 14:21:59,076] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - content-length : 4437 [2015-09-24 14:21:59,076] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - ----------logging request parameters.---------- [2015-09-24 14:21:59,076] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - grant_type - urn:ietf:params:oauth:grant-type:saml2-bearer [2015-09-24 14:21:59,076] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - client_id - null [2015-09-24 14:21:59,076] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - code - null [2015-09-24 14:21:59,076] DEBUG {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - redirect_uri - null [2015-09-24 14:21:59,077] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID mGqXSMt7xDxK712r9GLHLPRLALQa, User ID null, Scope : [] and Grant Type : urn:ietf:params:oauth:grant-type:saml2-bearer [2015-09-24 14:21:59,077] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret. Client ID: mGqXSMt7xDxK712r9GLHLPRLALQa [2015-09-24 14:21:59,077] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : urn:ietf:params:oauth:grant-type:saml2-bearer Strict client validation set to : null [2015-09-24 14:21:59,078] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were available in the cache for client id : mGqXSMt7xDxK712r9GLHLPRLALQa [2015-09-24 14:21:59,079] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : mGqXSMt7xDxK712r9GLHLPRLALQa [2015-09-24 14:21:59,080] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler} - Received SAML assertion : <?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="ceenhgjbpllaoakdoelhcanhedoappakdianaohb" IssueInstant="2015-09-24T08:51:18.439Z" Version="2.0"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#ceenhgjbpllaoakdoelhcanhedoappakdianaohb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>ujddpzz54/lv07FWlH4BnDux0a0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>R+oV4MGmMJSQTEA8W7Z+MzgoTHQ0gT14wSfu6y2BwpaJ4A6a52C2VV88+6Ux/z6D+eD/vk+rPKdSa6m/rrktZ5/LlGIcoUOfm+GKISA5sF8hMWOMlN5zsGqBAEd1FXoDDOjH61v0YZqwaPHe+6Tjur37Ns+Qe0ij+y676PbvYsk=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICBTCCAW6gAwIBAgIElJ+ePTANBgkqhkiG9w0BAQQFADBHMREwDwYDVQQDEwh0ZXN0LmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTUwODIxMTEzMzAxWhcNMjUwOTE3MTEzMzAxWjBHMREwDwYDVQQDEwh0ZXN0LmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALApNnyqzdZrbJzG12idPOjuqsKe0wrLiPie24Wx5qjQlEuUfeNtt3BWd8vs4Wi85p9GQaJbmkGqcU07PynPFGk6jvpSEk42tJJsNfbnsNjBoAuc2RFCDGta/xHQGiEER95yfRRvvYxhv5WHIYw8h9qhTGe8y+JrXIjUusgiG81BAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAJhTyFmm7Y1xVCKCFdI/kaElCV//FOiCiXMck1IfuIpQz/jc2TXQ+CwvCWfKJawx+4D2m+oVnl3gTsW1ytIuOlZJWF5AS7+K8iCpeR5Hd9Tklr/p1WpTYBU7CQL2eNTvJerYT5aUf0i04C/O1aEy12ZZO/50l7azTF+c+YEelbhg=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> [email protected]</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="blheebejpbnhmdnddkhpcokdlfghacojjiiembop" NotOnOrAfter="2015-09-24T08:56:18.439Z" Recipient=" http://localhost:8080/travelocity.com/home.jsp"/></saml2:SubjectConfirmation><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="blheebejpbnhmdnddkhpcokdlfghacojjiiembop" NotOnOrAfter="2015-09-24T08:56:18.439Z" Recipient=" https://localhost:9443/oauth2/token"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2015-09-24T08:51:18.439Z" NotOnOrAfter="2015-09-24T08:56:18.439Z"><saml2:AudienceRestriction><saml2:Audience> [email protected]</saml2:Audience><saml2:Audience> https://localhost:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2015-09-24T08:51:18.440Z" SessionIndex="2c923d0f-a827-4647-9157-39dbeaca57d2"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion> [2015-09-24 14:21:59,090] ERROR {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler} - Error while validating the signature. org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78) at org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler.validateGrant(SAML2BearerGrantHandler.java:436) at org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:145) at org.wso2.carbon.identity.oauth2.OAuth2Service.issueAccessToken(OAuth2Service.java:195) at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.getAccessToken(OAuth2TokenEndpoint.java:252) at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:116) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180) at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:194) at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:100) at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57) at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239) at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223) at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:203) at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:137) at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:159) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) at javax.servlet.http.HttpServlet.service(HttpServlet.java:646) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99) at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47) at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57) at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47) at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62) at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) [2015-09-24 14:21:59,092] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : [email protected] Client Id : mGqXSMt7xDxK712r9GLHLPRLALQa Scope : null [2015-09-24 14:21:59,092] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : [email protected] Client Id : mGqXSMt7xDxK712r9GLHLPRLALQa Scope : null [2015-09-24 14:21:59,093] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Invalid Grant provided by the client, id=mGqXSMt7xDxK712r9GLHLPRLALQa, user-name= [email protected] to application=myapp2 [2015-09-24 14:21:59,093] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - OAuth-Error-Code=invalid_grant client-id=mGqXSMt7xDxK712r9GLHLPRLALQa grant-type=urn:ietf:params:oauth:grant-type:saml2-bearer scope= Thanks & Kind regards, -- Kavitha.S *Software Engineer -QA* Mobile : +94 (0) 771538811 <%2B94%20%280%29%20773%20451194> [email protected] <[email protected]>
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
