Failed to verify signature and/or establish trust using any KeyInfo-derived credentials

Issue

  • SAML has abruptly stopped working, and no user can log in.
  • The Liferay console contains the following errors:
    DEBUG [ajp-nio-172.1.129.26-8080-exec-351][BaseSignatureTrustEngine:200] Attempting to establish trust of KeyInfo-derived credential
    DEBUG [ajp-nio-172.1.129.26-8080-exec-351][BaseSignatureTrustEngine:205] Failed to establish trust of KeyInfo-derived credential
    DEBUG [ajp-nio-172.1.129.26-8080-exec-351][BaseSignatureTrustEngine:216] Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
    DEBUG [ajp-nio-172.1.129.26-8080-exec-351][ExplicitKeySignatureTrustEngine:116] Attempting to verify signature using trusted credentials
    DEBUG [ajp-nio-172.1.129.26-8080-exec-351][ExplicitKeySignatureTrustEngine:124] Failed to verify signature using either KeyInfo-derived or directly trusted credentials
    DEBUG [ajp-nio-172.1.129.26-8080-exec-351][SAMLProtocolMessageXMLSignatureSecurityHandler:142] Message Handler: Validation of protocol message signature failed for context issuer 'MOSPI_WSO2_IS', message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
    DEBUG [ajp-nio-172.1.129.26-8080-exec-351][BaseSamlStrutsAction:56] com.liferay.saml.runtime.SamlException: org.opensaml.messaging.handler.MessageHandlerException: Validation of protocol message signature failed
    com.liferay.saml.runtime.SamlException: org.opensaml.messaging.handler.MessageHandlerException: Validation of protocol message signature failed

Environment

  • Liferay DXP 7.2 as SP
  • WSO2 as IdP

Resolution

  • To begin, enable SAML debug-level logging (Control Panel > Server Administration > Log Levels) so that the messages above are written to the log and can be analysed.
  • The messages above mean that Liferay, acting as the SP, received a signed SAML Response from the IdP but could not verify its signature with any credential it trusts: neither the certificate embedded in the Response's KeyInfo nor the certificates loaded from the imported IdP metadata matched the key that produced the signature. In other words, the two SAML-enabled parties no longer agree on the IdP's signing certificate.
  • In this scenario the certificate embedded in the exchanged metadata had expired and been replaced on the IdP side, so the certificate Liferay still trusts no longer matches the one the IdP signs with. To resolve this, change the certificate, regenerate the metadata on both sides, and exchange it again.
  • If the certificate does not actually need to be replaced, first try regenerating the metadata directly from the current configuration and re-importing it on the other side; this is sufficient when only the configuration drifted and the certificate is unchanged.
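The check below is an added diagnostic for this article, not Liferay or WSO2 code. It takes the IdP metadata file imported into Liferay and a captured SAML Response (for example from a SAML tracer or the debug log), compares the SHA-256 fingerprint of the signing certificate Liferay trusts with the certificate the IdP put in the Response's ds:KeyInfo, and reads the trusted certificate's notAfter with a minimal DER walk. The certificates and XML documents it runs on here are constructed fixtures: unsigned stand-ins with the real X.509 field layout, and the entityID is taken from the log above; the function and field names are this example's own.

```python
"""Added diagnostic (not Liferay or WSO2 code, standard library only): does the
IdP signing certificate Liferay trusts (from the imported IdP metadata) match
the certificate presented in the SAML Response's ds:KeyInfo, and has it expired?
"""
import base64
import datetime as dt
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def der_children(body: bytes):
    """Yield (tag, value) for each TLV element inside a DER SEQUENCE body."""
    i = 0
    while i < len(body):
        tag, length = body[i], body[i + 1]
        i += 2
        if length & 0x80:                        # long form: low bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(body[i:i + n], "big")
            i += n
        yield tag, body[i:i + length]
        i += length


def cert_not_after(der: bytes) -> dt.datetime:
    """notAfter of an X.509 DER certificate, as an aware UTC datetime."""
    _, certificate = next(der_children(der))      # Certificate ::= SEQUENCE
    _, tbs = next(der_children(certificate))      # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                      # optional explicit [0] version
        fields = fields[1:]
    _, validity = fields[3]                       # serial, sigAlg, issuer, validity, ...
    (_, _), (tag, stamp) = list(der_children(validity))
    text = stamp.decode("ascii")
    if tag == 0x17:                               # UTCTime YYMMDD... -> four-digit year
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def _cert_bytes(node) -> bytes:
    if node is None or not node.text:
        raise ValueError("no X509Certificate element found")
    return base64.b64decode("".join(node.text.split()))


def idp_signing_cert(metadata_xml) -> bytes:
    """Signing certificate Liferay loads from the imported IdP metadata."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no use attribute covers both uses
            return _cert_bytes(kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
    raise ValueError("IdP metadata has no signing KeyDescriptor")


def response_signing_cert(response_xml) -> bytes:
    """Certificate carried in the Response's KeyInfo (the 'KeyInfo-derived credential')."""
    root = ET.fromstring(response_xml)
    return _cert_bytes(root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def diagnose(metadata_xml, response_xml, now=None) -> dict:
    """Explain a 'Failed to establish trust of KeyInfo-derived credential' failure."""
    now = now or dt.datetime.now(dt.timezone.utc)
    trusted, used = idp_signing_cert(metadata_xml), response_signing_cert(response_xml)
    expiry = cert_not_after(trusted)
    return {
        "trusted_fingerprint": fingerprint(trusted),
        "used_fingerprint": fingerprint(used),
        "key_matches": fingerprint(trusted) == fingerprint(used),
        "trusted_not_after": expiry,
        "trusted_expired": expiry < now,
    }


# ---- Constructed fixtures (test data for this example, not real IdP output) ----

def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def fake_cert(not_after: str, serial: int) -> bytes:
    """Unsigned stand-in with the X.509 field layout; only validity is meaningful."""
    validity = _der(0x30, _der(0x18, b"20200101000000Z") + _der(0x18, not_after.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
           + _der(0x30, b"") + _der(0x30, b"") + validity)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def metadata_xml(cert: bytes) -> str:
    b64 = base64.b64encode(cert).decode()
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="MOSPI_WSO2_IS">'
            f'<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            f'</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')


def response_xml(cert: bytes) -> str:
    b64 = base64.b64encode(cert).decode()
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0">'
            f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')


OLD_CERT = fake_cert("20210315000000Z", 1)   # what the exchanged metadata still carries
NEW_CERT = fake_cert("20260315000000Z", 2)   # what the IdP signs with after rotation
DEMO_NOW = dt.datetime(2021, 6, 1, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    for key, value in diagnose(metadata_xml(OLD_CERT), response_xml(NEW_CERT), DEMO_NOW).items():
        print(f"{key}: {value}")
```

Against real files, pass the contents of the IdP metadata file and a captured Response to diagnose(); ET.fromstring accepts bytes, so reading the files in binary mode is enough. A result with key_matches false is exactly the condition the trust engine reports: the credential in the Response is not among the credentials Liferay derived from the metadata, and re-exchanging metadata is what brings the two back into agreement. If trusted_expired is also true, the certificate must be replaced rather than merely re-exported.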

Additional Information

  • SAML metadata is an XML document that contains the information necessary for interaction with SAML-enabled identity or service providers: for example the URLs of endpoints, the supported bindings, entity identifiers, and the public keys (certificates) used for signing and encryption. Typically one metadata document is generated for your own service provider and sent to every identity provider you want to enable single sign-on with. Similarly, each identity provider makes its own metadata available for you to import into your service provider application. Because the certificates travel inside the metadata, any certificate change on one side must be followed by regenerating and re-importing that side's metadata on the other.