Hi,

I am currently integrating our company's IdP with Jenkins through the SAML plugin, and the plugin rejects the IdP's response with:

"Signature is not trusted"

Can you help me find the cause of this error? The relevant logs, both metadata files and a captured response follow (certificates, signature values and the attribute block are redacted).


*[System Log]*
org.pac4j.saml.exceptions.SAMLSignatureValidationException: Signature is not trusted
    at org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator.validateSignature(AbstractSAML2ResponseValidator.java:147)
    at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateAssertionSignature(SAML2AuthnResponseValidator.java:669)
    at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateAssertion(SAML2AuthnResponseValidator.java:392)
    at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateSamlSSOResponse(SAML2AuthnResponseValidator.java:303)
    at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validate(SAML2AuthnResponseValidator.java:97)


*[package Log]*
(java.util.logging output in a Korean locale; "오후" = PM, "미세" = FINE. One entry per two lines.)

Jan 05, 2023 3:58:16 PM FINE org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validate
Successfully verified signature using KeyInfo-derived credential
Jan 05, 2023 3:58:16 PM FINE org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validate
Attempting to establish trust of KeyInfo-derived credential
Jan 05, 2023 3:58:16 PM FINE org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validate
Failed to establish trust of KeyInfo-derived credential
Jan 05, 2023 3:58:16 PM FINE org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validate
Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
Jan 05, 2023 3:58:16 PM FINE org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine doValidate
Attempting to verify signature using trusted credentials
Jan 05, 2023 3:58:16 PM FINE org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine doValidate
Failed to verify signature using either KeyInfo-derived or directly trusted credentials

What this sequence shows: the XML signature is cryptographically valid for the certificate embedded in the assertion's KeyInfo, but that certificate is not among the signing credentials the SP trusts, which are the ones taken from the IdP metadata's KeyDescriptor use="signing". So this is a trust-anchor problem rather than a tampered or malformed signature: either the IdP signs with a different certificate than the one in the metadata file Jenkins loaded, or that metadata was not usable at all (its validUntil of 2022-12-29 had already passed on 2023-01-05).


*[IDP_metadata.xml]*
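<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="dev.idp.com">
  <!-- NOTE(review): validUntil is 2022-12-29, a week before the 2023-01-05
       response and log shown on this page. OpenSAML metadata resolvers treat
       a descriptor past its validUntil as invalid (they typically require
       valid metadata), so the SP may have been left with no trusted IdP
       signing credential at all, which is consistent with the
       "Failed to establish trust" log. Re-export fresh IdP metadata before
       looking further. -->
  <!-- WantAuthnRequestsSigned="false": the IdP accepts unsigned AuthnRequests.
       Acceptable for a lab, but consider enabling it once login works. -->
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
                    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                    validUntil="2022-12-29T05:08:17.196Z">
    <!-- This is the ONLY credential the SP's ExplicitKeySignatureTrustEngine
         accepts for assertion signatures. It must be the same certificate the
         IdP embeds in the Response's ds:KeyInfo; compare fingerprints with
         `openssl x509 -noout -fingerprint -sha256`. The log says the embedded
         certificate verified the signature but is not trusted, so a mismatch
         here is the first thing to check. During a key rollover list every
         active signing certificate, one KeyDescriptor each. -->
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <!-- certificate redacted by the poster -->
          <X509Certificate> Security </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                               Location="https://dev.idp.com:443/samlartresolve"
                               index="1"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                         Location="https://dev.idp.com:443/samlsso?tenantDomain=display.company"
                         ResponseLocation="https://dev.idp.com:443/samlsso?tenantDomain=display.company"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://dev.idp.com:443/samlsso?tenantDomain=display.company"
                         ResponseLocation="https://dev.idp.com:443/samlsso?tenantDomain=display.company"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://dev.idp.com:443/samlsso?tenantDomain=display.company"
                         ResponseLocation="https://dev.idp.com:443/samlsso?tenantDomain=display.company"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://dev.idp.com:443/samlsso?tenantDomain=display.company"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://dev.idp.com:443/samlsso?tenantDomain=display.company"/>
  </IDPSSODescriptor>
</EntityDescriptor>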


*[SP_metadata.xml]*
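<?xml version="1.0" encoding="UTF-8"?>
<!-- SP metadata as generated by the Jenkins SAML plugin (pac4j). The stray
     ";" after quoted URLs in the mailed copy was mail-client link mangling
     and is not well-formed XML; it is removed here. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     ID="_41c554a5919e46f7a861e48142ce7828f6eb6b3"
                     entityID="http://sp/securityRealm/finishLogin"
                     validUntil="2043-01-05T06:58:16.644Z">
    <!-- NOTE(review): the advertised algorithm list is wide open. It includes
         rsa-sha1, ecdsa-sha1, dsa-sha1 and a sha1 DigestMethod, which an IdP
         may then pick (the captured Response below does use rsa-sha1 and
         sha1), and the hmac-* methods, which are symmetric and have no place
         in IdP-to-SP signature trust. If the plugin exposes pac4j's signature
         algorithm allow/deny lists, restrict this to rsa-sha256 or stronger
         and sha256 or stronger. This is hygiene, not the cause of the
         "not trusted" error. -->
    <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
        <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
        <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </md:Extensions>
    <!-- AuthnRequestsSigned="false": requests to the IdP go out unsigned.
         WantAssertionsSigned="false": the SP does not demand a signed
         assertion. The log shows pac4j still validates a signature that is
         present, but once the trust problem is fixed set this to true so an
         unsigned assertion is rejected outright. -->
    <md:SPSSODescriptor AuthnRequestsSigned="false"
                        WantAssertionsSigned="false"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
        <md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
            <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
                                   Location="http://sp/securityRealm/finishLogin"/>
        </md:Extensions>
        <!-- SP signing and encryption certificates (redacted). These are the
             SP's own keys; they play no part in validating the IdP's
             signature. -->
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>Security</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>Security</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <!-- NOTE(review): every SP endpoint is plain http://, so assertions
             and logout messages would be POSTed to Jenkins in clear text.
             These values are derived from the Jenkins root URL; set it to the
             real https:// origin. The IdP's Destination, Recipient and
             Audience values must then match the new URL exactly. -->
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="http://sp/securityRealm/finishLogin?logoutendpoint=true"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                                Location="http://sp/securityRealm/finishLogin?logoutendpoint=true"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="http://sp/securityRealm/finishLogin?logoutendpoint=true"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                Location="http://sp/securityRealm/finishLogin?logoutendpoint=true"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://sp/securityRealm/finishLogin"
                                     index="0"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>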


*[IDP→SP Response]*
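<?xml version="1.0" encoding="UTF-8"?>
<!-- Captured IdP to SP Response. The stray ";" after quoted URLs in the mailed
     copy was mail-client mangling and is removed here. Destination below
     matches the SP's AssertionConsumerService and entityID
     (http://sp/securityRealm/finishLogin). -->
<saml2p:Response Destination="http://sp/securityRealm/finishLogin"
                 ID="_35252c6bbb5c64698a8fe152098273bd"
                 InResponseTo="_b0ed88b36ddc44c5a4b9f9ddd08289dfd058745"
                 IssueInstant="2023-01-05T07:24:23.120Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">dev.idp.com</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <!-- Only the Assertion is signed; the Response element itself carries no
       Signature. That is a common IdP configuration, but note that with the
       SP's WantAssertionsSigned="false" it relies on pac4j's own rule that at
       least one of the two must be signed. -->
  <saml2:Assertion ID="_4b558ed15d6584def6dadc8fb7c8be8c"
                   IssueInstant="2023-01-05T07:24:23.120Z"
                   Version="2.0"
                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">dev.idp.com</saml2:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <!-- NOTE(review): rsa-sha1 with a sha1 digest. SHA-1 is deprecated for
             XML signatures; have the IdP sign with rsa-sha256 / sha256. The log
             shows this signature verified, so the algorithm is not the cause
             of the "not trusted" error, but newer pac4j/OpenSAML versions
             reject SHA-1 by default, so fix it before upgrading. -->
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <!-- The Reference covers the Assertion by its own ID, with the
             enveloped-signature transform, which is the expected shape. -->
        <Reference URI="#_4b558ed15d6584def6dadc8fb7c8be8c">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces PrefixList="xsd"
                                      xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transform>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>gQ+c3WIINjjN9EnuVsQoBSfAK+o=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>~~~Security~~~</SignatureValue>
      <!-- This embedded certificate is the "KeyInfo-derived credential" in the
           log: it verified the signature but was not found among the SP's
           trusted credentials. Decode it and compare its SHA-256 fingerprint
           with the certificate in IDP_metadata.xml (KeyDescriptor
           use="signing"); a KeyInfo certificate is never trusted on its own,
           only matched against metadata. -->
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>~~~Security~~~</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </Signature>
    <saml2:Subject>
      <!-- Transient NameID, although the SP metadata asks for persistent.
           pac4j normally accepts whatever format is returned; worth
           confirming the plugin's NameID expectations. -->
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">MyName</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- InResponseTo, Recipient and the 5 minute NotOnOrAfter window all
             look consistent with the request and the SP's ACS. -->
        <saml2:SubjectConfirmationData InResponseTo="_b0ed88b36ddc44c5a4b9f9ddd08289dfd058745"
                                       NotOnOrAfter="2023-01-05T07:29:23.120Z"
                                       Recipient="http://sp/securityRealm/finishLogin"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2023-01-05T07:24:23.120Z"
                      NotOnOrAfter="2023-01-05T07:29:23.120Z">
      <saml2:AudienceRestriction>
        <!-- Must equal the SP entityID; it does. -->
        <saml2:Audience>http://sp/securityRealm/finishLogin</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2023-01-05T04:25:58.646Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <!-- attributes redacted by the poster -->
      ~~~~~ Attribute Block~~~~~~~
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>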
