Try to disable all signature options at encryption options; if that works, 
your issue is related to the public key you use locally in your SP that is 
not configured in your IdP, or the public key in the IdP metadata is not 
valid.

On Thursday, January 5, 2023 at 17:06:25 UTC+1, zllxll...@gmail.com 
wrote:

>
> Hi..
>
> Currently, I am integrating Company IDP with Jenkins.
>
> In the SAML plugin,
>
> "signature is not trusted"
>
> Can you help me solve the error?
>
>
> *[System Log]*
> org.pac4j.saml.exceptions.SAMLSignatureValidationException: Signature is not trusted
>     at org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator.validateSignature(AbstractSAML2ResponseValidator.java:147)
>     at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateAssertionSignature(SAML2AuthnResponseValidator.java:669)
>     at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateAssertion(SAML2AuthnResponseValidator.java:392)
>     at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateSamlSSOResponse(SAML2AuthnResponseValidator.java:303)
>     at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validate(SAML2AuthnResponseValidator.java:97)
>
>
> *[package Log]*
> 1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validate
> Successfully verified signature using KeyInfo-derived credential
> 1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validate
> Attempting to establish trust of KeyInfo-derived credential
> 1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validate
> Failed to establish trust of KeyInfo-derived credential
> 1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine validate
> Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
> 1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine doValidate
> Attempting to verify signature using trusted credentials
> 1월 05, 2023 3:58:16 오후 미세 org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine doValidate
> Failed to verify signature using either KeyInfo-derived or directly trusted credentials
>
>
> *[IDP_metadata.xml]*
> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="dev.idp.com">
>   <IDPSSODescriptor WantAuthnRequestsSigned="false"
>                     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
>                     validUntil="2022-12-29T05:08:17.196Z">
>     <KeyDescriptor use="signing">
>       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <X509Data>
>           <X509Certificate> Security </X509Certificate>
>         </X509Data>
>       </KeyInfo>
>     </KeyDescriptor>
>     <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>                                Location="https://dev.idp.com:443/samlartresolve" index="1"/>
>     <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>                          Location="https://dev.idp.com:443/samlsso?tenantDomain=display.company"
>                          ResponseLocation="https://dev.idp.com:443/samlsso?tenantDomain=display.company"/>
>     <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                          Location="https://dev.idp.com:443/samlsso?tenantDomain=display.company"
>                          ResponseLocation="https://dev.idp.com:443/samlsso?tenantDomain=display.company"/>
>     <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>                          Location="https://dev.idp.com:443/samlsso?tenantDomain=display.company"
>                          ResponseLocation="https://dev.idp.com:443/samlsso?tenantDomain=display.company"/>
>     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                          Location="https://dev.idp.com:443/samlsso?tenantDomain=display.company"/>
>     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>                          Location="https://dev.idp.com:443/samlsso?tenantDomain=display.company"/>
>   </IDPSSODescriptor>
> </EntityDescriptor>
>
>
> *[SP_metadata.xml]*
> <?xml version="1.0" encoding="UTF-8"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>                      ID="_41c554a5919e46f7a861e48142ce7828f6eb6b3"
>                      entityID="http://sp/securityRealm/finishLogin"
>                      validUntil="2043-01-05T06:58:16.644Z">
>     <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
>         <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"/>
>         <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>         <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>         <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
>         <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     </md:Extensions>
>     <md:SPSSODescriptor AuthnRequestsSigned="false"
>                         WantAssertionsSigned="false"
>                         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
>         <md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
>             <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
>                                    Location="http://sp/securityRealm/finishLogin"/>
>         </md:Extensions>
>         <md:KeyDescriptor use="signing">
>             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                 <ds:X509Data>
>                     <ds:X509Certificate>Security</ds:X509Certificate>
>                 </ds:X509Data>
>             </ds:KeyInfo>
>         </md:KeyDescriptor>
>         <md:KeyDescriptor use="encryption">
>             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                 <ds:X509Data>
>                     <ds:X509Certificate>Security</ds:X509Certificate>
>                 </ds:X509Data>
>             </ds:KeyInfo>
>         </md:KeyDescriptor>
>         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                                 Location="http://sp/securityRealm/finishLogin?logoutendpoint=true"/>
>         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
>                                 Location="http://sp/securityRealm/finishLogin?logoutendpoint=true"/>
>         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>                                 Location="http://sp/securityRealm/finishLogin?logoutendpoint=true"/>
>         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>                                 Location="http://sp/securityRealm/finishLogin?logoutendpoint=true"/>
>         <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
>         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                                      Location="http://sp/securityRealm/finishLogin" index="0"/>
>     </md:SPSSODescriptor>
> </md:EntityDescriptor>
>
>
> *[IDP→SP Response]*
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:Response Destination="http://sp/securityRealm/finishLogin"
>                  ID="_35252c6bbb5c64698a8fe152098273bd"
>                  InResponseTo="_b0ed88b36ddc44c5a4b9f9ddd08289dfd058745"
>                  IssueInstant="2023-01-05T07:24:23.120Z"
>                  Version="2.0"
>                  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">dev.idp.com</saml2:Issuer>
>   <saml2p:Status>
>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>   </saml2p:Status>
>   <saml2:Assertion ID="_4b558ed15d6584def6dadc8fb7c8be8c"
>                    IssueInstant="2023-01-05T07:24:23.120Z"
>                    Version="2.0"
>                    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>                    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>     <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">dev.idp.com</saml2:Issuer>
>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>       <SignedInfo>
>         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>         <Reference URI="#_4b558ed15d6584def6dadc8fb7c8be8c">
>           <Transforms>
>             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>             <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>               <ec:InclusiveNamespaces PrefixList="xsd"
>                                       xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </Transform>
>           </Transforms>
>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>           <DigestValue>gQ+c3WIINjjN9EnuVsQoBSfAK+o=</DigestValue>
>         </Reference>
>       </SignedInfo>
>       <SignatureValue>~~~Security~~~</SignatureValue>
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate>~~~Security~~~</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </Signature>
>     <saml2:Subject>
>       <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">MyName</saml2:NameID>
>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml2:SubjectConfirmationData InResponseTo="_b0ed88b36ddc44c5a4b9f9ddd08289dfd058745"
>                                        NotOnOrAfter="2023-01-05T07:29:23.120Z"
>                                        Recipient="http://sp/securityRealm/finishLogin"/>
>       </saml2:SubjectConfirmation>
>     </saml2:Subject>
>     <saml2:Conditions NotBefore="2023-01-05T07:24:23.120Z"
>                       NotOnOrAfter="2023-01-05T07:29:23.120Z">
>       <saml2:AudienceRestriction>
>         <saml2:Audience>http://sp/securityRealm/finishLogin</saml2:Audience>
>       </saml2:AudienceRestriction>
>     </saml2:Conditions>
>     <saml2:AuthnStatement AuthnInstant="2023-01-05T04:25:58.646Z">
>       <saml2:AuthnContext>
>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>       </saml2:AuthnContext>
>     </saml2:AuthnStatement>
>     <saml2:AttributeStatement>
>       ~~~~~ Attribute Block ~~~~~~~
>     </saml2:AttributeStatement>
>   </saml2:Assertion>
> </saml2p:Response>
>
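An added diagnostic for the failure in the quoted log (example code written for this thread, not part of the original post or of the Jenkins SAML plugin): the ExplicitKeySignatureTrustEngine lines show the signature verifying with the certificate embedded in the Response's KeyInfo but that certificate not matching any directly trusted credential, so the script compares the certificate the Response carries against the signing KeyDescriptor certificates in the IdP metadata, and also checks the metadata's validUntil (2022-12-29 in the quoted file) against the Response's IssueInstant. The certificates and documents below are constructed stand-ins, since the real ones in the thread are redacted.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def _ts(value):
    # SAML timestamps are UTC ISO-8601 with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def fingerprints(elem):
    """SHA-256 over the DER bytes of every X509Certificate below elem (any prefix)."""
    fps = set()
    for c in elem.iter(DS + "X509Certificate"):
        der = base64.b64decode("".join((c.text or "").split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def diagnose(idp_metadata_xml, response_xml):
    """Return findings; an empty list means explicit-key trust should succeed."""
    md, resp = ET.fromstring(idp_metadata_xml), ET.fromstring(response_xml)
    # Credentials the SP trusts: KeyDescriptor use="signing" (no 'use' means both).
    trusted = set()
    for kd in md.iter(MD + "KeyDescriptor"):
        if kd.get("use", "signing") == "signing":
            trusted |= fingerprints(kd)
    presented = fingerprints(resp)  # the KeyInfo-derived credential in the Response
    findings = []
    if not presented & trusted:
        findings.append("signing cert in Response is not in IdP metadata")
    expiry = [e.get("validUntil") for e in [md, *md.iter(MD + "IDPSSODescriptor")] if e.get("validUntil")]
    if expiry and _ts(resp.get("IssueInstant")) >= _ts(expiry[0]):
        findings.append("IdP metadata validUntil has passed")
    return findings

# Constructed sample (the thread's real certificates are redacted): the metadata trusts
# cert A and has already expired, but the Response was signed with cert B.
CERT_A = base64.b64encode(b"constructed-DER-bytes-A").decode()
CERT_B = base64.b64encode(b"constructed-DER-bytes-B").decode()
IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="dev.idp.com">
 <IDPSSODescriptor validUntil="2022-12-29T05:08:17.196Z">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{CERT_A}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
 </IDPSSODescriptor></EntityDescriptor>"""
RESPONSE = f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" IssueInstant="2023-01-05T07:24:23.120Z" Version="2.0">
 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo><X509Data>
   <X509Certificate>{CERT_B}</X509Certificate></X509Data></KeyInfo></Signature>
 </saml2:Assertion></saml2p:Response>"""
```

Run `diagnose()` on the real IdP metadata file and a captured Response to see which of the two conditions the plugin's trust engine is tripping over.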

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/ebbba566-6cfd-4ea4-ba2e-5ba949e6b617n%40googlegroups.com.