Thursday, September 13, 2018

OpenAM SAML configuration error "Missing signature algorithm"


ERROR: QuerySignatureUtil.verify: Null SigAlg query parameter.
libSAML2:07/05/2018 06:38:12:713 PM EDT: Thread[http-bio-127.0.0.1-8443-exec-3,5,main]: TransactionId[c6d8f6a3-a9e1-4820-a30b-38350fc47d11-51806]
ERROR: UtilProxySAMLAuthenticator.authenticate: authn request verification failed.
com.sun.identity.saml2.common.SAML2Exception: Missing signature algorithm.

This error means OpenAM received a signed AuthnRequest over the HTTP-Redirect binding without a SigAlg query parameter ("Null SigAlg query parameter" in the first log line). The IdP needs SigAlg both to know which algorithm to verify with and because SigAlg is part of the signed data, so QuerySignatureUtil.verify refuses the request outright.

On the SP side, make sure of the following when coding:

Build the query string from all three parameters (SAMLRequest, RelayState, SigAlg, in that order; if you have no RelayState, leave it out of both the signed string and the URL entirely) and sign that exact string. Signing only the SAMLRequest value, or appending SigAlg to the URL after signing, produces this error:


import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Signature;

// encodedRequestMessage: the AuthnRequest XML, DEFLATE-compressed, Base64-encoded and URL-encoded.
// sigAlg: the URI of the algorithm actually used below, e.g. "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
// for SHA1withRSA; prefer "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" with SHA256withRSA.
// If there is no RelayState, leave the "&RelayState=..." piece out of both the signed string and the URL.
String authnrequest = "SAMLRequest=" + encodedRequestMessage
        + "&RelayState=" + URLEncoder.encode(relayURL, "UTF-8")
        + "&SigAlg=" + URLEncoder.encode(sigAlg, "UTF-8");

// Sign the three parameters as one string, byte for byte as they appear in the query.
Signature signature = Signature.getInstance("SHA1withRSA");
signature.initSign(privateKey);
signature.update(authnrequest.getBytes(StandardCharsets.UTF_8));
byte[] signatureByteArray = signature.sign();

// The Signature value must be single-line Base64 (java.util.Base64.getEncoder().encodeToString() also works).
String signatureBase64encodedString = Base64.encodeBytes(signatureByteArray, Base64.DONT_BREAK_LINES);
return idpUrlREDIRECT + "?"
        + authnrequest
        + "&Signature="
        + URLEncoder.encode(signatureBase64encodedString, "UTF-8");
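As an added example (Go, not code from the page or from OpenAM), here are both halves of the HTTP-Redirect binding exchange the snippet above implements: the SP side that DEFLATEs, Base64- and URL-encodes the request and signs SAMLRequest, RelayState and SigAlg as one string, and the IdP side that does what OpenAM's QuerySignatureUtil.verify does, rejecting a request with no SigAlg before anything else. It uses RSA-SHA256 rather than the page's SHA1withRSA, a constructed sample request with the page's hypothetical URLs, and a freshly generated key; the verifier rebuilds the signed string from the raw, still-encoded query values so it hashes the exact bytes the SP signed. It goes beyond the page in also covering the no-RelayState case.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

const (
	// SigAlg URI for RSA-SHA256, used here instead of the page's rsa-sha1.
	SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
	// Constructed sample request; the URLs are the page's hypothetical ones.
	SampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example1" Version="2.0" IssueInstant="2018-09-05T15:15:48.936Z" AssertionConsumerServiceURL="http://localhost:8084/DBAuthentication/samllogin"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8084/DBAuth/sp</saml:Issuer></samlp:AuthnRequest>`
)

// ErrMissingSigAlg models the page's IdP-side failure: a signed request with no SigAlg parameter.
var ErrMissingSigAlg = errors.New("Missing signature algorithm.")

// deflateBase64 applies the HTTP-Redirect binding encoding: raw DEFLATE, then Base64.
func deflateBase64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only fails on a bad level
	w.Write([]byte(xml))                                      // bytes.Buffer writes never fail
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// SignedString is the exact byte string the signature covers: SAMLRequest, RelayState (omitted when empty), SigAlg.
func SignedString(encodedRequest, relayState, sigAlg string) string {
	s := "SAMLRequest=" + url.QueryEscape(encodedRequest)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return s + "&SigAlg=" + url.QueryEscape(sigAlg)
}

// BuildRedirectURL is the SP side: encode the request, sign the query string, append Signature.
func BuildRedirectURL(idpURL, authnXML, relayState string, key *rsa.PrivateKey) (string, error) {
	toSign := SignedString(deflateBase64(authnXML), relayState, SigAlgRSASHA256)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return idpURL + "?" + toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParams keeps the still-URL-encoded values: verify the bytes the SP signed, not a re-encoding of them.
func rawParams(rawQuery string) map[string]string {
	m := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			m[parts[0]] = parts[1]
		}
	}
	return m
}

// VerifyRedirectURL is the IdP side, mirroring OpenAM's QuerySignatureUtil.verify: SigAlg first, then the signature.
func VerifyRedirectURL(redirectURL string, pub *rsa.PublicKey) error {
	u, err := url.Parse(redirectURL)
	if err != nil {
		return err
	}
	raw := rawParams(u.RawQuery)
	if raw["SigAlg"] == "" {
		return ErrMissingSigAlg
	}
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != SigAlgRSASHA256 {
		return fmt.Errorf("unsupported SigAlg %q", alg) // never let the request pick the algorithm
	}
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) == 0 {
		return errors.New("missing or malformed Signature")
	}
	toVerify := "SAMLRequest=" + raw["SAMLRequest"]
	if rs, ok := raw["RelayState"]; ok {
		toVerify += "&RelayState=" + rs
	}
	toVerify += "&SigAlg=" + raw["SigAlg"]
	digest := sha256.Sum256([]byte(toVerify))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	good, _ := BuildRedirectURL("https://ssoidp.lb.com:443/openam/SSORedirect/metaAlias/idp", SampleAuthnRequest, "https://sp.example/app?x=1", key)
	fmt.Println("signed URL verifies:", VerifyRedirectURL(good, &key.PublicKey))
	bad := strings.Replace(good, "&SigAlg="+url.QueryEscape(SigAlgRSASHA256), "", 1) // the mistake behind the page's error
	fmt.Println("without SigAlg:", VerifyRedirectURL(bad, &key.PublicKey))
}
```

Running it prints `<nil>` for the correctly signed URL and `Missing signature algorithm.` for the same URL with SigAlg stripped out. Two details matter on the verifying side: the signed string is rebuilt from the raw query bytes in the fixed order SAMLRequest, RelayState, SigAlg (re-encoding the decoded values can differ from what a Java URLEncoder produced), and SigAlg is compared against the algorithms the IdP accepts before the signature is checked, so a request cannot name a weaker algorithm of its choosing.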




The AuthnRequest XML (before it is deflated, Base64-encoded and URL-encoded into the SAMLRequest parameter) should look something like the following:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                   AssertionConsumerServiceURL="http://localhost:8084/DBAuthentication/samllogin"
                   Destination="https://ssoidp.lb.com:443/openam/SSORedirect/metaAlias/idp"
                   ID="ckimokpjjjongadnnkfbophokmmhdfhilckkknac"
                   IssueInstant="2018-09-05T15:15:48.936Z"
                   ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                   ProviderName="http://localhost:8084/DBAuth/sp"
                   Version="2.0">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8084/DBAuth/sp</saml:Issuer>
 <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
 <samlp:RequestedAuthnContext Comparison="exact">
   <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
 </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>





