SSO with signing and signature validation doesn't work

I have succesfully configured SSO using WSO2IS 4.6.0 and spring saml grails plugin, but when I enable signing and signature validation like this: <img src=https://www.e-learn.cn/content/wangluowenzhang/"https://i.stack.imgur.com/1Oopl.png" alt="enter image description here"> I see errors on WSO2 console

WARN {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Signature Validation Failed for the SAML Assertion : Signature is invalid. DEBUG org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Signature validation for Authentication Request failed.

I exported default public key (wso2carbon) from WSO2 keystore (wso2carbon.jks), and inserted certificate into X509Certificate section in my SP and IdP metadata. Here is my IdP metadata:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <EntityDescriptor entityID="https://localhost:9443/samlsso" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate>*** </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/> </IDPSSODescriptor> </EntityDescriptor>

And SP metadata:

<?xml version="1.0" encoding="UTF-8"?> <md:EntityDescriptor entityID="local" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"> <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:Extensions> <idpdisco:DiscoveryResponse xmlns:idpdisco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://localhost:8080/spring-security-saml/login/auth/alias/localhost?disco=true"/> </md:Extensions> <md:KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> **** </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/***/saml/SingleLogout/alias/local"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/***/saml/SingleLogout/alias/local"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:8080/***/saml/logout/SingleLogout/local"/> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/***/saml/SSO/alias/local" index="0" isDefault="true"/> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:8080/***/saml/SSO/alias/local" index="1" isDefault="false"/> </md:SPSSODescriptor> </md:EntityDescriptor>

My concern is that I use wrong certificate in either SP or IdP metadata, or it should be signed somehow.

What certificate should I use for IdP and what for SP metadata, and can I check if they are valid? How can I get it properly using public key exported from WSO2 keystore? Thank you!

UPDATE: It works on 5.1.0 even with incorrect certificates in metadata, looks like an issue. Here is 5.1.0 Configuration: <img src=https://www.e-learn.cn/content/wangluowenzhang/"https://i.stack.imgur.com/uNNkT.png" alt="enter image description here">


You have to import your IDP (Server) certificate as a trust in your SP machine.. Your IDP is hosted as https so.. Import IDP trust In SP box at your custom certificate location/JDK Cacerts (Java\jdk1.8.0_45\jre\lib\security\cacerts) and then you can try the below command to check your IDP descriptor URL is accessible from SP box like...



  • How to convert currency into double in VBA?
  • Okta SignIn Widget with SAML
  • IdentityServer3 - redirect to ADFS if client is on intranet
  • Two ways to execute a Stored procedure in VBA, Which one is better?
  • How create references between elements in XML
  • How to remove just the index name and not the content in Pandas multiindex data frame
  • InputDispatcher Error
  • Programmatically check if PHP is installed using Python
  • Fill SVG path with a background-image without knowing height&width
  • Giving security priviliege to a scheduler in Java EE 6
  • Why is OpenID Connect considered mobile friendly compared to SAML
  • Objective C IBOutlets
  • Heroku push rejected - Hartl's Rails 3.2 tutorial
  • jQuery - resize an elements height to match window without refreshing, on window resize
  • Splash Screen will not display
  • Aptana 3 remove bundle (jquery)
  • Xamarin Android | Layout style
  • How do I retrieve the user information of a user authenticated with Apache's mod_ldap?
  • Sending cookie value via httpget but not getting the desired response
  • How do I formally document a C# Attribute in UML?
  • How to convert SOAP response with xsi values to json in WSO2esb
  • Uncaught TypeError: $(…).select2 is not a function
  • How to get current document uri in XSLT?
  • JBoss External Properties Files in Classpath
  • Android - Material Design - NavigationView - How to put vertical scroll?
  • Why Encoding.ASCII != ASCIIEncoding.Default in C#?
  • Bad request using file_get_contents for PUT request in PHP
  • Jquery UI tool tip close icon
  • When to use `image` and when to use `Matrix` in Emgu CV?
  • Encrypt data by using a public key in c# and decrypt data by using a private key in php
  • Uncaught Error: Could not find module `ember-load-initializers`
  • Read text file and split every line in MSBuild
  • Deserializing XML into class C#
  • How to include full .NET prerequisite for Wix Burn installer
  • File not found error Google Drive API
  • costura.fody for a dll that references another dll
  • Observable and ngFor in Angular 2
  • UserPrincipal.Current returns apppool on IIS
  • java string with new operator and a literal
  • jQuery Masonry / Isotope and fluid images: Momentary overlap on window resize