Re: [Dev] Error validating deflate signature-Could not extract the Signature from query string

2016-05-24 Thread Ishara Cooray
Hi Darshana,

Yes, this issue was not yet fixed but the effort is on hold at the moment
due to other priorities.

However, what I noticed by looking at the code is that
'signature' seems to be resolved as an empty string in the below code snippet.

String signature =
HTTPTransportUtils.getRawQueryStringParameter(queryString, "Signature");

Can this be a configuration issue?

Thanks for checking on this. I will get back with the SSO tracer when I
start working on this again.

Regards,

Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

On Wed, May 25, 2016 at 6:58 AM, Darshana Gunawardana wrote:

> Hi IsharaC,
>
> Were you able to resolve the issue?
>
> Seems like the SAML request is using the Redirect binding and setting the
> signature included in the request itself. If you still have the problem,
> please share the SSO trace from the Firefox SAML tracer plugin so we can have a
> look.
>
> Thanks,
>
> On Tue, May 17, 2016 at 2:51 PM, Ishara Cooray wrote:
>
>> Hi IS Team,
>>
>> I am working on a scenario where I need signature validation for
>> authentication requests coming from a jaggery app deployed in an AS. I have
>> configured SSO with SAML 2.0 with IS as the identity provider (IS 5.0.0).
>>
>> For that, I have the 'Enable Signature Validation in Authentication
>> Requests and Logout Requests' enabled in my Service provider.
>>
>> I have set signRequests to 'true' in SSORelyingParty as below.
>>
>> ssoRelyingParty.setProperty("signRequests", SSO_SIGN_REQUESTS);
>>
>> and I use the Assertion Consumer URL as /publisher/jagg/jaggery_acs.jag
>> or store/jagg/jaggery_acs.jag
>>
>>
>> But from the IS I get the below error and authentication fails.
>> Any help to figure out the issue would be appreciated.
>> SAML 2.0 based Single Sign-On
>> Error when processing the authentication request!
>> Please try login again.
>>
>> *Error log in IS console :*
>>
>> TID: [0] [IS] [2016-05-17 01:42:41,874] ERROR
>> {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Error validating
>> deflate signature {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil}
>> org.opensaml.ws.security.SecurityPolicyException: *Could not extract the
>> Signature from query string*

Re: [Dev] Error validating deflate signature-Could not extract the Signature from query string

2016-05-24 Thread Darshana Gunawardana
Hi IsharaC,

Were you able to resolve the issue?

Seems like the SAML request is using the Redirect binding and setting the signature
included in the request itself. If you still have the problem, please
share the SSO trace from the Firefox SAML tracer plugin so we can have a look.

Thanks,

On Tue, May 17, 2016 at 2:51 PM, Ishara Cooray wrote:

> Hi IS Team,
>
> I am working on a scenario where I need signature validation for
> authentication requests coming from a jaggery app deployed in an AS. I have
> configured SSO with SAML 2.0 with IS as the identity provider (IS 5.0.0).
>
> For that, I have the 'Enable Signature Validation in Authentication
> Requests and Logout Requests' enabled in my Service provider.
>
> I have set signRequests to 'true' in SSORelyingParty as below.
>
> ssoRelyingParty.setProperty("signRequests", SSO_SIGN_REQUESTS);
>
> and I use the Assertion Consumer URL as /publisher/jagg/jaggery_acs.jag
> or store/jagg/jaggery_acs.jag
>
>
> But from the IS I get the below error and authentication fails.
> Any help to figure out the issue would be appreciated.
> SAML 2.0 based Single Sign-On
> Error when processing the authentication request!
> Please try login again.
>
> *Error log in IS console :*
>
> TID: [0] [IS] [2016-05-17 01:42:41,874] ERROR
> {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Error validating
> deflate signature {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil}
> org.opensaml.ws.security.SecurityPolicyException: *Could not extract the
> Signature from query string*

[Dev] Error validating deflate signature-Could not extract the Signature from query string

2016-05-17 Thread Ishara Cooray
Hi IS Team,

I am working on a scenario where I need signature validation for
authentication requests coming from a jaggery app deployed in an AS. I have
configured SSO with SAML 2.0 with IS as the identity provider (IS 5.0.0).

For that, I have the 'Enable Signature Validation in Authentication
Requests and Logout Requests' enabled in my Service provider.

I have set signRequests to 'true' in SSORelyingParty as below.

ssoRelyingParty.setProperty("signRequests", SSO_SIGN_REQUESTS);

and I use the Assertion Consumer URL as /publisher/jagg/jaggery_acs.jag
or store/jagg/jaggery_acs.jag


But from the IS I get the below error and authentication fails.
Any help to figure out the issue would be appreciated.
SAML 2.0 based Single Sign-On
Error when processing the authentication request!
Please try login again.

*Error log in IS console :*

TID: [0] [IS] [2016-05-17 01:42:41,874] ERROR {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Error validating deflate signature {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil}
org.opensaml.ws.security.SecurityPolicyException: *Could not extract the Signature from query string*
at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.getSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:144)
at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.validateSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:68)
at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateDeflateSignature(SAMLSSOUtil.java:859)
at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateAuthnRequestSignature(SAMLSSOUtil.java:795)
at org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor.process(SPInitSSOAuthnRequestProcessor.java:91)
at org.wso2.carbon.identity.sso.saml.SAMLSSOService.authenticate(SAMLSSOService.java:140)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleAuthenticationReponseFromFramework(SAMLSSOProviderServlet.java:670)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:177)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:93)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org
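
Added example, not part of the thread and not WSO2 code: a small diagnostic for the two observations in the replies above, the `Signature` parameter resolving to an empty string and the signature being set inside the request itself. In the SAML HTTP-Redirect binding the signature travels as the `SigAlg` and `Signature` query parameters, computed over the raw query octets, so a request that carries its signature inside the XML leaves the validator nothing to extract. All function names, the `idp.example` URL and the sample requests are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote, urlsplit

DSIG_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"

def raw_param(query, name):
    """Return the still URL-encoded value of `name`, or None if absent."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None

def signed_octets(query):
    """Octets a Redirect-binding signature covers: raw values, fixed order."""
    names = ("SAMLRequest", "RelayState", "SigAlg")
    return "&".join(f"{n}={raw_param(query, n)}" for n in names
                    if raw_param(query, n) is not None)

def inflate(raw_value):
    """URL-decode, base64-decode and raw-inflate a SAMLRequest value."""
    return zlib.decompress(base64.b64decode(unquote(raw_value)), -15)

def diagnose(url):
    """Say where (if anywhere) a redirect-bound request carries its signature."""
    query = urlsplit(url).query
    if raw_param(query, "Signature") and raw_param(query, "SigAlg"):
        return "query-signed"
    saml = raw_param(query, "SAMLRequest")
    if saml is None:
        return "no-samlrequest"
    # Diagnostic use on own captures; ElementTree is not hardened against hostile XML.
    root = ET.fromstring(inflate(saml))
    if root.find(DSIG_SIGNATURE) is not None:
        return "signature-embedded-in-xml"
    return "unsigned"

def encode(xml):  # sample builder: raw DEFLATE, base64, URL-encode
    c = zlib.compressobj(wbits=-15)
    return quote(base64.b64encode(c.compress(xml.encode()) + c.flush()), safe="")

# Constructed samples, not taken from the thread.
AUTHN = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
         ' ID="_constructed" Version="2.0">{}</samlp:AuthnRequest>')
EMBEDDED = AUTHN.format('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>')
IDP = "https://idp.example/samlsso?"
print(diagnose(IDP + "SAMLRequest=" + encode(EMBEDDED)))
```

Paste the redirect URL captured by a SAML tracer into `diagnose()`; a result of `signature-embedded-in-xml` means the service provider signed the message POST-style while sending it over the Redirect binding.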