unable to validate signature from a keystone issued SAML assertion
Bug #1402916 reported by Steve Martinelli
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Guang Yee |
Juno | Fix Released | High | Guang Yee |
Bug Description
In the keystone 2 keystone federation workflow, a keystone acting as an SP should be able to validate the signature of a SAML assertion from a keystone acting as an IdP.
The current work around is to use the NullSecurity rule in the Security Policy file from Shibboleth (this file is usually located at /etc/shibboleth
<SecurityPolicies xmlns="
<Policy id="default" validate="false">
</Policy>
</SecurityPolicies>
For what it's worth, it seems that mod_shib performs two other checks in a pipeline fashion, the others being "ExplicitKey" and "PKIX" checks.
Changed in keystone:
assignee: nobody → Guang Yee (guang-yee)
no longer affects: keystone/kilo
Changed in keystone:
milestone: none → kilo-2
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: kilo-2 → 2015.1.0
The logs from shibboleth are as follows:
# tail -f /var/log/shibboleth/shibd.log
2014-12-15 08:00:37 DEBUG Shibboleth.Listener [2]: dispatching message (default/SAML2/ECP)
2014-12-15 08:00:37 DEBUG OpenSAML.MessageDecoder.SAML2ECP [2]: validating input
2014-12-15 08:00:37 DEBUG OpenSAML.MessageDecoder.SAML2ECP [2]: received message:
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"> *** Truncated for clarity *** </soap11:Envelope>
2014-12-15 08:00:37 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]: evaluating message flow policy (replay checking on, expiration 60)
2014-12-15 08:00:37 DEBUG OpenSAML.SecurityPolicyRule.ClientCertAuth [2]: ignoring message, no issuer metadata supplied
2014-12-15 08:00:37 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: ignoring message, no issuer metadata supplied
2014-12-15 08:00:37 DEBUG OpenSAML.SecurityPolicyRule.SimpleSigning [2]: ignoring message, no issuer metadata supplied
2014-12-15 08:00:37 DEBUG OpenSAML.MessageDecoder.SAML2 [2]: extracting issuer from SAML 2.0 protocol message
2014-12-15 08:00:37 DEBUG OpenSAML.MessageDecoder.SAML2 [2]: message from (https://keystone.idp/keystone/main/v3/OS-FEDERATION/saml2/idp)
2014-12-15 08:00:37 DEBUG OpenSAML.MessageDecoder.SAML2 [2]: searching metadata for message issuer...
2014-12-15 08:00:37 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]: evaluating message flow policy (replay checking on, expiration 60)
2014-12-15 08:00:37 DEBUG XMLTooling.StorageService [2]: inserted record (ac89be0ee993481c957a5f02bf34a0f0) in context (MessageFlow) with expiration (1418652199)
2014-12-15 08:00:37 DEBUG Shibboleth.SSO.SAML2 [2]: processing message against SAML 2.0 SSO profile
2014-12-15 08:00:37 DEBUG Shibboleth.SSO.SAML2 [2]: extracting issuer from SAML 2.0 assertion
2014-12-15 08:00:37 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]: evaluating message flow policy (replay checking on, expiration 60)
2014-12-15 08:00:37 DEBUG XMLTooling.StorageService [2]: inserted record (10263fa4539c490598f70c86f3f0e94b) in context (MessageFlow) with expiration (1418652199)
2014-12-15 08:00:37 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: validating signature profile
2014-12-15 08:00:37 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: attempting to validate signature with the peer's credentials
2014-12-15 08:00:37 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: public key did not validate signature: Digital signature does not validate with the supplied key.
2014-12-15 08:00:37 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: no peer credentials validated the signature
2014-12-15 08:00:37 DEBUG XMLTooling.TrustEngine.PKIX [2]: validating signature using certificate from within the signature
2014-12-15 08:00:37 DEBUG XMLTooling.TrustEngine.PKIX [2]: Digital signature does not validate with the supplied key.
2014-12-15 08:00:37 DEBUG XMLTooling.TrustEngine.PKIX [2]: failed to verify signature with embedded certificates
2014-12-15 08:00:37 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]: unable to verify message signature with supplied trust engine
2014-12-15 08:00:37 WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Message was signed, but sig...
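As an added example (not from the bug report, keystone or Shibboleth), the following Python reads shibd.log lines in the layout shown in the excerpt above and reports which issuer the assertion came from and which trust engines in the ExplicitKey/PKIX pipeline rejected its signature, so an SP operator can spot this failure mode from logs without relaxing the security policy. The sample lines are a constructed, reduced copy of the excerpt; the message strings matched are the ones that appear there.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a reduced copy of the shibd.log excerpt above, keeping the
# log4shib layout "<date> <time> <level> <logger> [<ndc>]: <message>".
SAMPLE_LOG = """\
2014-12-15 08:00:37 DEBUG OpenSAML.MessageDecoder.SAML2 [2]: message from (https://keystone.idp/keystone/main/v3/OS-FEDERATION/saml2/idp)
2014-12-15 08:00:37 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: validating signature profile
2014-12-15 08:00:37 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: attempting to validate signature with the peer's credentials
2014-12-15 08:00:37 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: no peer credentials validated the signature
2014-12-15 08:00:37 DEBUG XMLTooling.TrustEngine.PKIX [2]: validating signature using certificate from within the signature
2014-12-15 08:00:37 DEBUG XMLTooling.TrustEngine.PKIX [2]: failed to verify signature with embedded certificates
2014-12-15 08:00:37 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]: unable to verify message signature with supplied trust engine
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<level>\w+) (?P<logger>\S+) \[\d+\]: (?P<msg>.*)$")
# Messages with which each trust engine in the pipeline reports giving up.
ENGINE_FAILED = ("no peer credentials validated the signature",  # ExplicitKey
                 "failed to verify signature")                    # PKIX

@dataclass
class SignatureCheck:
    issuer: Optional[str] = None
    engines_failed: List[str] = field(default_factory=list)
    verified: Optional[bool] = None  # None: XMLSigning never evaluated the assertion

def analyze_shibd_log(text: str) -> SignatureCheck:
    """Reconstruct the XMLSigning verdict for one request from shibd.log lines."""
    r = SignatureCheck()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log4shib line (e.g. the dumped SOAP envelope)
        logger, msg = m["logger"], m["msg"]
        if logger.endswith("MessageDecoder.SAML2") and msg.startswith("message from ("):
            r.issuer = msg[len("message from ("):].rstrip(")")
        elif logger.endswith("SecurityPolicyRule.XMLSigning"):
            if msg.startswith("validating signature profile"):
                r.verified = True   # provisional: the rule ran; an error below overrides
            elif msg.startswith("unable to verify message signature"):
                r.verified = False
        elif ".TrustEngine." in logger:
            engine = logger.rsplit(".", 1)[-1]  # ExplicitKey or PKIX
            if any(mark in msg for mark in ENGINE_FAILED):
                r.engines_failed.append(engine)
    return r
```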