The error is thrown because the SAML Assertion returned by the STS is not
signed and hence Fediz does not trust it.

Colm.

On Tue, Sep 18, 2012 at 5:00 PM, Jonny Moo <[email protected]> wrote:

> Hi - I am trying to get Fediz to work with my hello world Java Web App,
> using
> StarterSTS as my STS/IP (just for dev / learning purposes).
>
> I'm getting an error stating - Federation processing failed - Security
> token
> has no signature
>
> Could someone point me in the general direction of what I should be doing
> differently (be gentle - this whole area of ws-trust / federation is rather
> confusing - I'm trying to find my way through it).
>
> Thanks
>
> Jonny
>
> The response from the STS is (fediz config below the response)
>
> <trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>   <trust:RequestSecurityTokenResponse Context="rm=0&amp;id=passive&amp;ru=%2fClaimsAwareTest%2f">
>     <trust:Lifetime>
>       <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-09-18T15:25:17.517Z</wsu:Created>
>       <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-09-18T16:25:17.517Z</wsu:Expires>
>     </trust:Lifetime>
>     <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>       <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
>         <Address>https://dev-ws1-1.dev.local:8482/ClaimsAwareTest/</Address>
>       </EndpointReference>
>     </wsp:AppliesTo>
>     <trust:RequestedSecurityToken>
>       <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>             <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             </e:EncryptionMethod>
>             <KeyInfo>
>               <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <X509Data>
>                   <X509IssuerSerial>
>                     <X509IssuerName>CN=dev-ws1-1.dev.local</X509IssuerName>
>                     <X509SerialNumber>139718072306124655679049092796879292434</X509SerialNumber>
>                   </X509IssuerSerial>
>                 </X509Data>
>               </o:SecurityTokenReference>
>             </KeyInfo>
>             <e:CipherData>
>               <e:CipherValue>Some stuff - I've stripped this out to make the post a bit shorter</e:CipherValue>
>             </e:CipherData>
>           </e:EncryptedKey>
>         </KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>more stuff</xenc:CipherValue>
>         </xenc:CipherData>
>       </xenc:EncryptedData>
>     </trust:RequestedSecurityToken>
>     <trust:RequestedAttachedReference>
>       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_bb4531da-6bc5-45ed-81b0-1837436c9546</o:KeyIdentifier>
>       </o:SecurityTokenReference>
>     </trust:RequestedAttachedReference>
>     <trust:RequestedUnattachedReference>
>       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_bb4531da-6bc5-45ed-81b0-1837436c9546</o:KeyIdentifier>
>       </o:SecurityTokenReference>
>     </trust:RequestedUnattachedReference>
>     <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
>     <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>     <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
>   </trust:RequestSecurityTokenResponse>
> </trust:RequestSecurityTokenResponseCollection>
>
>
> My fediz_config looks like this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <FedizConfig>
>   <contextConfig name="/fedizhelloworld">
>     <audienceUris>
>       <audienceItem>https:///dev-ws1-1.dev.local:8481/fedizhelloworld/</audienceItem>
>     </audienceUris>
>     <certificateStores>
>       <trustManager>
>         <keyStore file="tomcat-rp.jks" password="tompass" type="JKS" />
>       </trustManager>
>     </certificateStores>
>     <trustedIssuers>
>       <issuer subject=".*CN=dev-ws1-1.dev.local.*" certificateValidation="ChainTrust" name="StarterSTSIssuer" />
>     </trustedIssuers>
>     <maximumClockSkew>1000</maximumClockSkew>
>     <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.0.0">
>       <realm>https://dev-ws1-1.dev.local:8481/fedizhelloworld/</realm>
>       <issuer>https://dev-ws1-1.dev.local:8482/StarterSTS/users/issue.aspx</issuer>
>       <roleDelimiter>,</roleDelimiter>
>       <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
>       <freshness>10000</freshness>
>       <claimTypesRequested>
>         <claimType type="a particular claim type" optional="true" />
>       </claimTypesRequested>
>     </protocol>
>   </contextConfig>
> </FedizConfig>
>
>
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Fediz-and-signatures-tp5714092.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
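The following is an added example, not code from Fediz or from either poster. It shows the structural check behind Colm's diagnosis: take the RequestedSecurityToken out of an RSTR and report whether it is still encrypted (so no signature can be seen until the RP decrypts it with its private key), a plain assertion with no ds:Signature at all (the case that produces "Security token has no signature"), or a signed assertion whose Reference actually points at the assertion's own ID. It goes a little beyond the thread in two places that are assumptions of this example rather than anything Fediz documents here: it accepts SAML 2.0 assertions as well as the SAML 1.x token in the post, and it can match the signing certificate's subject against the same kind of regex used in the posted `<issuer subject=".*CN=dev-ws1-1.dev.local.*" .../>` entry. It is a pre-check only and does not verify the signature cryptographically; the sample RSTRs and the signature inside them are constructed for the example. Fediz's own processing order and error handling are its own and are not reproduced here.

```python
"""Structural pre-check of the token inside a WS-Trust RSTR (added example).

Not Fediz code. Reports encrypted / unsigned / signed / bad-reference /
untrusted-issuer so an RP operator can see why a signature check fails.
It does NOT verify the signature cryptographically.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def inspect_token(rstr_xml, trusted_issuer_subject=None):
    """Classify the first RequestedSecurityToken in an RSTR / RSTRC."""
    root = ET.fromstring(rstr_xml)
    holder = root.find(".//trust:RequestedSecurityToken", NS)
    if holder is None or len(holder) == 0:
        return {"status": "no-token"}
    token = holder[0]

    # Encrypted token: any signature is inside the ciphertext, so nothing can
    # be checked until the RP decrypts it with its own private key.
    if token.tag == tag("xenc", "EncryptedData"):
        method = token.find("xenc:EncryptionMethod", NS)
        return {"status": "encrypted",
                "algorithm": method.get("Algorithm") if method is not None else None}

    if token.tag == tag("saml1", "Assertion"):
        assertion_id = token.get("AssertionID")   # SAML 1.x attribute name
    elif token.tag == tag("saml2", "Assertion"):
        assertion_id = token.get("ID")            # SAML 2.0 attribute name
    else:
        return {"status": "unknown-token-type", "tag": token.tag}

    sig = token.find("ds:Signature", NS)
    if sig is None:
        # This is the situation behind "Security token has no signature".
        return {"status": "unsigned", "assertion_id": assertion_id}

    # A signature only protects the assertion if one of its References
    # points at the assertion element itself ("#<assertion id>").
    refs = [r.get("URI") for r in sig.iterfind("ds:SignedInfo/ds:Reference", NS)]
    if "#" + assertion_id not in refs:
        return {"status": "signature-does-not-cover-assertion",
                "assertion_id": assertion_id, "references": refs}

    # Optional: compare the signing cert's subject with a trustedIssuers-style
    # regex. Pattern comparison only; no chain validation is done here.
    subject = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509SubjectName",
                           default=None, namespaces=NS)
    if trusted_issuer_subject is not None:
        if subject is None or not re.match(trusted_issuer_subject, subject):
            return {"status": "untrusted-issuer", "subject": subject}

    return {"status": "signed", "assertion_id": assertion_id, "subject": subject}


# ---- constructed sample inputs (not captured traffic) ----------------------
ASSERTION_ID = "_bb4531da-6bc5-45ed-81b0-1837436c9546"  # ID seen in the posted RSTR


def wrap_rstr(token_xml):
    """Constructed RSTRC envelope around a token, shaped like the posted one."""
    return ('<trust:RequestSecurityTokenResponseCollection xmlns:trust="%s">'
            '<trust:RequestSecurityTokenResponse><trust:RequestedSecurityToken>%s'
            '</trust:RequestedSecurityToken></trust:RequestSecurityTokenResponse>'
            '</trust:RequestSecurityTokenResponseCollection>') % (NS["trust"], token_xml)


def sample_signature(reference_uri, subject="CN=dev-ws1-1.dev.local"):
    """Constructed ds:Signature trimmed to the parts the check reads."""
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="%s"/>'
            '</ds:SignedInfo><ds:SignatureValue>constructed-placeholder</ds:SignatureValue>'
            '<ds:KeyInfo><ds:X509Data><ds:X509SubjectName>%s</ds:X509SubjectName>'
            '</ds:X509Data></ds:KeyInfo></ds:Signature>') % (NS["ds"], reference_uri, subject)


def sample_assertion(signature_xml=""):
    """Constructed SAML 1.1 assertion; Signature is the last child in SAML 1.1."""
    return ('<saml:Assertion xmlns:saml="%s" AssertionID="%s" MajorVersion="1" MinorVersion="1">'
            '<saml:AuthenticationStatement/>%s</saml:Assertion>'
            ) % (NS["saml1"], ASSERTION_ID, signature_xml)


RSTR_ENCRYPTED = wrap_rstr(
    '<xenc:EncryptedData xmlns:xenc="%s" Type="http://www.w3.org/2001/04/xmlenc#Element">'
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>'
    '<xenc:CipherData><xenc:CipherValue>constructed</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData>' % NS["xenc"])
RSTR_UNSIGNED = wrap_rstr(sample_assertion())
RSTR_SIGNED = wrap_rstr(sample_assertion(sample_signature("#" + ASSERTION_ID)))
RSTR_BAD_REF = wrap_rstr(sample_assertion(sample_signature("#_some-other-element")))

if __name__ == "__main__":
    for name, doc in [("encrypted", RSTR_ENCRYPTED), ("unsigned", RSTR_UNSIGNED),
                      ("signed", RSTR_SIGNED), ("bad-ref", RSTR_BAD_REF)]:
        print(name, inspect_token(doc, trusted_issuer_subject=r".*CN=dev-ws1-1.dev.local.*"))
```

Run against the posted RSTR the script stops at "encrypted": the EncryptedKey names the RP certificate (issuer CN=dev-ws1-1.dev.local, the serial shown in the post), so the RP has to decrypt with the private key from its keystore before it can see whether the STS put a signature inside. The "signature-does-not-cover-assertion" branch is there because a Signature element that is present but references some other element is no better than no signature at all.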
