The problem is probably that you are not correctly pasting the SAML token into SOAP-UI, and the signature fails due to whitespace validation. See this blog entry:

http://coheigea.blogspot.com/2016/09/invoking-on-talend-esb-sts-using-soapui.html

"Bear in mind that if you wish to re-use the SAML Token retrieved from the STS in a subsequent request, you must copy it from the "Raw" tab and not the "XML" tab of the response. The latter adds in whitespace that breaks the signature on the token."

Colm.

On Wed, Nov 28, 2018 at 12:32 PM pat7 <[email protected]> wrote:

> Hi,
> I want to offer for clients to consume a service without an STSClient. In detail I mean, the client contacts the STS endpoint with a username token and receives a SAML2 bearer token.
> After that the client takes the returned SAML2 bearer token and consumes other services. I configure the STS and implement the service and therefore I am able to adapt it.
> Moreover, everything works fine if I test a client using an STSClient.
> If I test it with SOAPUI, I am able to request a SAML token from the STS. The SAML assertion is taken into the header of the service request. After calling the service with the SAML assertion I receive several errors on the server side.
>
> org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
>     at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:233)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:324)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:171)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:80)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: SAML signature validation failed
>     at org.apache.wss4j.common.saml.SamlAssertionWrapper.verifySignature(SamlAssertionWrapper.java:624)
>     at org.apache.wss4j.dom.processor.SAMLTokenProcessor.verifySignatureKeysAndAlgorithms(SAMLTokenProcessor.java:241)
>     at org.apache.wss4j.dom.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:98)
>     at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:344)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:275)
>     ... 51 common frames omitted
> Caused by: org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful
>     at org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl.validate(ApacheSantuarioSignatureValidationProviderImpl.java:79)
>     at org.opensaml.xmlsec.signature.support.SignatureValidator.validate(SignatureValidator.java:54)
>     at org.apache.wss4j.common.saml.SamlAssertionWrapper.verifySignature(SamlAssertionWrapper.java:622)
>
> At the beginning I disabled pretty print because I read that pretty print causes problems during copy-paste in SOAPUI. Unfortunately, disabling pretty print did not help.
> After that I read the following blog entry:
>
> http://coheigea.blogspot.com/2011/06/custom-token-validation-in-apache-cxf.html
>
> If I understand correctly, under point 3 I have to add a property to my service endpoint like this …
> "ws-security.saml2.validator", stsTokenValidator()
> The "stsTokenValidator" is a defined bean. But I always receive the same error as above. I am unsure if I am on the correct way by using an STS token validator.
> Does anybody know where I make a mistake?
>
> I am using CXF 3.1.12 with Java 8.
>
> Regards,
> Patrick
>
> --
> Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
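The whitespace point in Colm's reply, shown as an added example that is not code from the thread, from CXF or from WSS4J: the DigestValue inside an XML Signature is computed over the canonicalized form of the signed element, and canonicalization keeps whitespace-only text nodes, so a copy that a viewer has re-indented hashes to a different value and the signature check fails before any key is even consulted. The script models only that digest step, using Python's built-in C14N 2.0 implementation (Python 3.8+; SAML signatures normally use Exclusive C14N 1.0, which treats whitespace text nodes the same way) over a constructed, unsigned mini-assertion. RAW_ASSERTION, canonical_digest, pretty_print and digests_match are names chosen for this example.

```python
"""Why a SAML assertion copied from a pretty-printed view fails signature checks.

Added example, not from the mailing-list thread. It models just the digest
step of XML Signature: DigestValue = hash(canonicalize(signed element)).
Canonical XML keeps whitespace-only text nodes, so re-indenting the token
changes the hashed bytes. Attribute spacing, by contrast, is normalized and
does not matter. The assertion is a constructed stand-in; real STS output
carries a ds:Signature, Conditions, AuthnStatement and so on.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed sample: a minimal, unindented assertion as an STS emits it and
# as SOAP-UI's "Raw" tab shows it. Values are fake; only the shape matters.
RAW_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-id" IssueInstant="2018-11-28T12:00:00Z" Version="2.0">'
    '<saml2:Issuer>STS</saml2:Issuer>'
    '<saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>'
    '</saml2:Assertion>'
)


def canonical_digest(xml_text: str) -> str:
    """Base64 SHA-256 over the canonical (C14N 2.0) serialization.

    This is the role DigestValue plays in a real ds:Reference; the signer
    computed it over the canonical bytes of the assertion it emitted.
    strip_text=False is the default and mirrors what an XML-Signature
    verifier does: whitespace text nodes are part of the signed content.
    """
    c14n = ET.canonicalize(xml_text, strip_text=False)
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest()).decode()


def pretty_print(xml_text: str) -> str:
    """Re-indent the way a viewer's "XML" tab does.

    minidom inserts newline-plus-indent text nodes between child elements;
    the element names, attributes and values are untouched.
    """
    return minidom.parseString(xml_text).toprettyxml(indent="  ")


def digests_match(original: str, pasted: str) -> bool:
    """The check a verifier effectively performs on a pasted token:
    does its canonical form still hash to the DigestValue that was signed?"""
    return canonical_digest(original) == canonical_digest(pasted)


if __name__ == "__main__":
    pretty = pretty_print(RAW_ASSERTION)
    print("raw    digest:", canonical_digest(RAW_ASSERTION))
    print("pretty digest:", canonical_digest(pretty))
    print("pasted token still verifies:", digests_match(RAW_ASSERTION, pretty))
```

Running the script prints two different digests, which is the "SAML signature validation failed" / "Signature cryptographic validation not successful" outcome in the trace above, caused by nothing more than indentation. Copying from the "Raw" tab keeps the bytes the STS actually signed.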
