Re: [Dev] Error validating deflate signature-Could not extract the Signature from query string
Hi Darshana,

Yes, this issue was not yet fixed, but the effort is on hold at the moment due to other priorities.
However, what I noticed by looking at the code is that 'signature' seems to be resolved as an empty string in the code snippet below.

    String signature = HTTPTransportUtils.getRawQueryStringParameter(queryString, "Signature");

Can this be a configuration issue?

Thanks for checking on this; I will get back with the SSO tracer when I start working on this again.

Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

On Wed, May 25, 2016 at 6:58 AM, Darshana Gunawardana wrote:
> Hi IsharaC,
>
> Were you able to resolve the issue?
>
> It seems the SAML request is using the Redirect binding and including the
> signature in the request itself. If you still have the problem,
> please share the SSO trace from the Firefox SAML tracer plugin so we can have a
> look.
>
> Thanks,
>
> On Tue, May 17, 2016 at 2:51 PM, Ishara Cooray wrote:
>
>> Hi IS Team,
>>
>> I am working on a scenario where I need signature validation for
>> authentication requests coming from a jaggery app deployed in an AS. I have
>> configured SSO with SAML 2.0 with IS as the identity provider (IS 5.0.0).
>>
>> For that, I have the 'Enable Signature Validation in Authentication
>> Requests and Logout Requests' enabled in my Service provider.
>>
>> I have set signRequests to 'true' in SSORelyingParty as below.
>>
>> ssoRelyingParty.setProperty("signRequests", SSO_SIGN_REQUESTS);
>>
>> and I use Assertion Consumer URL as /publisher/jagg/jaggery_acs.jag
>> or store/jagg/jaggery_acs.jag
>>
>> But from the IS I get the error below and authentication fails.
>> Any help to figure out the issue would be appreciated.
>>
>> SAML 2.0 based Single Sign-On
>> Error when processing the authentication request!
>> Please try login again.
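For the HTTP-Redirect binding discussed in this thread, the SAML 2.0 bindings specification puts the signature in the `Signature` query parameter, computed over the URL-encoded `SAMLRequest`, `RelayState` and `SigAlg` values, and not inside the deflated XML. The following is an added diagnostic example, not code from the thread or from WSO2; the function names and the sample requests are constructed for illustration. It checks a captured query string for where the signature actually sits.

```python
import base64
import re
import zlib
from urllib.parse import quote, unquote

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # sample SigAlg URI

def raw_param(query, name):
    """Return the still-URL-encoded value of `name`, or None when absent."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None

def inflate(raw_value):
    # URL-decode, base64-decode, then raw-inflate (no zlib header: wbits=-15).
    return zlib.decompress(base64.b64decode(unquote(raw_value)), -15).decode()

def diagnose(query):
    """Report where a Redirect-binding request carries its signature.
    An absent and an empty Signature parameter both count as missing."""
    xml = inflate(raw_param(query, "SAMLRequest"))
    names = ("SAMLRequest", "RelayState", "SigAlg")
    signed = [f"{n}={raw_param(query, n)}" for n in names if raw_param(query, n) is not None]
    return {
        "query_signature": bool(raw_param(query, "Signature")),
        "sig_alg": unquote(raw_param(query, "SigAlg") or "") or None,
        "embedded_signature": bool(re.search(r"<(\w+:)?Signature[\s>]", xml)),
        # Octets the signature covers: encoded values, in this fixed order.
        "signed_content": "&".join(signed),
    }

def encode_redirect(xml, relay_state, signature_b64=None):
    """Build a constructed query string the way an SP would for this binding."""
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = "SAMLRequest=" + quote(base64.b64encode(deflated).decode(), safe="")
    query += "&RelayState=" + quote(relay_state, safe="")
    if signature_b64 is not None:
        query += "&SigAlg=" + quote(RSA_SHA1, safe="")
        query += "&Signature=" + quote(signature_b64, safe="")
    return query

# Constructed samples (not taken from the thread); signature values are placeholders.
BARE = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a1"/>'
ENVELOPED = (BARE[:-2] + '><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
             '</samlp:AuthnRequest>')

if __name__ == "__main__":
    print(diagnose(encode_redirect(ENVELOPED, "s1")))  # signature only inside the XML
```

A result with `query_signature` false and `embedded_signature` true matches the situation Darshana describes: the request is signed inside the XML, so there is no `Signature` parameter to extract.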
Re: [Dev] Error validating deflate signature-Could not extract the Signature from query string
Hi IsharaC,

Were you able to resolve the issue?

It seems the SAML request is using the Redirect binding and including the signature in the request itself. If you still have the problem, please share the SSO trace from the Firefox SAML tracer plugin so we can have a look.

Thanks,

On Tue, May 17, 2016 at 2:51 PM, Ishara Cooray wrote:
> Hi IS Team,
>
> I am working on a scenario where I need signature validation for
> authentication requests coming from a jaggery app deployed in an AS. I have
> configured SSO with SAML 2.0 with IS as the identity provider (IS 5.0.0).
>
> For that, I have the 'Enable Signature Validation in Authentication
> Requests and Logout Requests' enabled in my Service provider.
>
> I have set signRequests to 'true' in SSORelyingParty as below.
>
> ssoRelyingParty.setProperty("signRequests", SSO_SIGN_REQUESTS);
>
> and I use Assertion Consumer URL as /publisher/jagg/jaggery_acs.jag
> or store/jagg/jaggery_acs.jag
>
> But from the IS I get the error below and authentication fails.
> Any help to figure out the issue would be appreciated.
>
> SAML 2.0 based Single Sign-On
> Error when processing the authentication request!
> Please try login again.
[Dev] Error validating deflate signature-Could not extract the Signature from query string
Hi IS Team,

I am working on a scenario where I need signature validation for authentication requests coming from a jaggery app deployed in an AS. I have configured SSO with SAML 2.0 with IS as the identity provider (IS 5.0.0).

For that, I have the 'Enable Signature Validation in Authentication Requests and Logout Requests' enabled in my Service provider.

I have set signRequests to 'true' in SSORelyingParty as below.

    ssoRelyingParty.setProperty("signRequests", SSO_SIGN_REQUESTS);

and I use Assertion Consumer URL as /publisher/jagg/jaggery_acs.jag or store/jagg/jaggery_acs.jag

But from the IS I get the error below and authentication fails. Any help to figure out the issue would be appreciated.

    SAML 2.0 based Single Sign-On
    Error when processing the authentication request!
    Please try login again.

*Error log in IS console :*

TID: [0] [IS] [2016-05-17 01:42:41,874] ERROR {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Error validating deflate signature {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil}
org.opensaml.ws.security.SecurityPolicyException: *Could not extract the Signature from query string*
    at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.getSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:144)
    at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.validateSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:68)
    at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateDeflateSignature(SAMLSSOUtil.java:859)
    at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateAuthnRequestSignature(SAMLSSOUtil.java:795)
    at org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor.process(SPInitSSOAuthnRequestProcessor.java:91)
    at org.wso2.carbon.identity.sso.saml.SAMLSSOService.authenticate(SAMLSSOService.java:140)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleAuthenticationReponseFromFramework(SAMLSSOProviderServlet.java:670)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:177)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:93)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
    at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
    at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org