We have set up the SAML authentication handler in our AEM instance. We have followed the following link:
SAML 2.0 Authentication Handler
We are getting the login screen of the IdP and, after login, I am getting redirected to http://<server>/libs/granite/core/content/login.error.html?j_reason=invalid_token
Following is the error that appears in the log:
14.03.2018 03:01:59.223 *ERROR* [qtp-1211009574-2288] com.adobe.granite.auth.saml.util.SamlReader Failed validating signature.
javax.xml.crypto.dsig.XMLSignatureException: java.security.InvalidKeyException: No installed provider supports this key: com.rsa.cryptoj.o.eg
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:565)
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254)
at com.adobe.granite.auth.saml.util.SamlReader.verifySignatures(SamlReader.java:317)
at com.adobe.granite.auth.saml.util.SamlReader.parse(SamlReader.java:236)
at com.adobe.granite.auth.saml.util.SamlReader.read(SamlReader.java:119)
at com.adobe.granite.auth.saml.binding.PostBinding.receive(PostBinding.java:108)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:759)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:457)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:76)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:732)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:480)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:131)
at org.apache.felix.http.base.internal.whiteboard.PerBundleServletContextImpl.handleSecurity(PerBundleServletContextImpl.java:81)
at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:128)
at org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org
Let me know if I need to install any jar under java/jre/lib/security to make the authentication successful.
Hi,
There are no issues here with Adobe code.
The problem seems to be with the Java JDK system.
You should be able to reproduce this issue solely on the JVM with your certificates (keys), without Adobe code.
Depending on the JVM you use, you might need to add additional extensions to handle: com.rsa.cryptoj.o.eg
Regards,
Peter
Veena_07, any help here?
See our new end to end SAML Article that shows a real world example -- Integrating SAML with Adobe Experience Manager
The IdP certificate is not a valid one as the SAML Auth Handler is trying to validate the SAML Response against the certificate added into the AEM trust store.
Please correct the certificate and you should not see this issue.
The same can be seen in the API as well:

import java.security.Key;
import java.security.Provider;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// From com.adobe.granite.auth.saml.util.SamlReader (see the stack trace above).
// publicKey is the key of the IdP certificate configured in the AEM trust store.
private boolean verifySignatures(Element parentElement, Element signedElement, Key publicKey)
{
    if (publicKey != null)
    {
        // Every ds:Signature element inside the signed element must validate.
        NodeList signatureNodes = signedElement.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
        if (signatureNodes.getLength() == 0)
        {
            this.log.warn("Received SAML message without signature element.");
            return false;
        }
        for (int j = 0; j < signatureNodes.getLength(); j++) {
            try
            {
                // Validate with the IdP public key; register ID so "#id" References resolve.
                DOMValidateContext valContext = new DOMValidateContext(publicKey, signatureNodes.item(j));
                valContext.setIdAttributeNS(signedElement, null, "ID");
                valContext.setIdAttributeNS(parentElement, null, "ID");
                // Provider can be overridden with the jsr105Provider system property.
                String providerName = System.getProperty("jsr105Provider", "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI");
                XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM", (Provider)Class.forName(providerName).newInstance());
                XMLSignature signature = sigFactory.unmarshalXMLSignature(valContext);
                if (!signature.validate(valContext)) {
                    return false;
                }
            }
            catch (MarshalException e)
            {
                this.log.error("Could not unmarshal XML signature.", e);
                return false;
            }
            catch (XMLSignatureException e)
            {
                // This is the branch seen in the log: the underlying InvalidKeyException is wrapped here.
                this.log.error("Failed validating signature.", e);
                return false;
            }
            catch (ClassNotFoundException e)
            {
                this.log.error("Failed obtaining the signature provider: ", e);
                return false;
            }
            catch (InstantiationException e)
            {
                this.log.error("Failed obtaining the signature provider: ", e);
                return false;
            }
            catch (IllegalAccessException e)
            {
                this.log.error("Failed obtaining the signature provider: ", e);
                return false;
            }
        }
    }
    else
    {
        this.log.warn("Could not verify signatures. Public key of IdP not provided.");
        return false;
    }
    return true;
}
As you can see, it is trying to validate against the IdP certificate, which is causing the error.
What I understand is that the error occurs while validating the signature only. To me it seems to be some JDK-related issue. I have cross-checked the certificate and it is correct.
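To follow Peter's suggestion above (reproduce the failure on a plain JVM without Adobe code) and to check the certificate the verifySignatures excerpt validates against, here is an added diagnostic. It is not from this thread and not Adobe's code. It assumes an Oracle/OpenJDK runtime with the SunRsaSign provider; the class name SamlSignatureCheck, the sample Response element and the throwaway key pair are constructed for the example. Run it with the path of the IdP certificate taken from the AEM trust store as its only argument to see which key class is produced and whether any installed provider can verify with it; run it with no argument to sign and validate a sample document through the same DOMValidateContext path that SamlReader uses.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added diagnostic (not AEM code): exercises the JDK XMLDSig validation path on a plain JVM. */
public class SamlSignatureCheck {

    // Constructed stand-in for a SAML Response; the Reference below resolves it via the ID attribute.
    private static final String SAMPLE_XML =
        "<Response xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_resp1\">"
      + "<Status>Success</Status></Response>";
    // Spelled out as a URI so this also compiles on Java 8 (SignatureMethod.RSA_SHA256 is Java 11+).
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Step 1: which class implements the key, and can any installed provider verify with it?
    // "No installed provider supports this key" is exactly Signature.initVerify() rejecting the key object.
    public static String describeKey(PublicKey key) {
        StringBuilder sb = new StringBuilder()
            .append("class=").append(key.getClass().getName())
            .append(" algorithm=").append(key.getAlgorithm());
        try {
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            sb.append(" usable via provider ").append(sig.getProvider().getName());
        } catch (GeneralSecurityException e) {
            sb.append(" NOT usable: ").append(e);
        }
        return sb.toString();
    }

    // Step 2: re-encode a key object from a third-party provider as a stock JDK RSA key, using its
    // X.509 SubjectPublicKeyInfo bytes. Same key material, JDK-native class (assumes SunRsaSign is present).
    public static PublicKey toJdkRsaKey(PublicKey key) throws GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance("RSA", "SunRsaSign");
        return kf.generatePublic(new X509EncodedKeySpec(key.getEncoded()));
    }

    // Step 3: sign the sample document, then validate it the way SamlReader.verifySignatures does
    // (DOMValidateContext with the IdP public key, ID attribute registered, "DOM" XMLSignatureFactory).
    public static boolean signAndValidate(PrivateKey signingKey, PublicKey verifyKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE_XML.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#_resp1",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        DOMSignContext signCtx = new DOMSignContext(signingKey, root);
        signCtx.setIdAttributeNS(root, null, "ID");
        fac.newXMLSignature(si, null).sign(signCtx);

        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        DOMValidateContext valCtx = new DOMValidateContext(verifyKey, sigs.item(0));
        valCtx.setIdAttributeNS(root, null, "ID");
        return fac.unmarshalXMLSignature(valCtx).validate(valCtx);
    }

    public static void main(String[] args) throws Exception {
        // Optional argument: path to the PEM or DER IdP certificate from the AEM trust store.
        // Without it, a throwaway RSA key pair stands in for the IdP.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        PublicKey idpKey = kp.getPublic();
        if (args.length > 0) {
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
                idpKey = cert.getPublicKey();
                System.out.println("subject=" + cert.getSubjectX500Principal() + " notAfter=" + cert.getNotAfter());
            }
        }
        System.out.println(describeKey(idpKey));
        if ("RSA".equals(idpKey.getAlgorithm())) {
            System.out.println("as JDK key: " + describeKey(toJdkRsaKey(idpKey)));
        }
        // Validation needs the matching private key, so it only runs for the generated pair.
        if (args.length == 0) {
            System.out.println("signature valid: " + signAndValidate(kp.getPrivate(), kp.getPublic()));
        }
    }
}
```

If describeKey reports a class outside java.security / sun.security for the certificate's key and marks it NOT usable, while the re-encoded JDK key is usable, the problem is the provider that produced the key object (the com.rsa.cryptoj class in the log), not the certificate itself; if the certificate's subject or expiry do not match what the IdP publishes in its metadata, the trust store entry is the thing to correct.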
I do not believe this is a jar issue. I think the encryption used by the IdP is different from the one provided to you.
Again, this is also a hunch, as I am not exactly sure why this is happening.
I tried updating the local_policy.jar and US_export_policy.jar jars as well, but no luck. I am still getting the same exception.
No kautuksahni, I have not worked with SAML. I am sorry for not being much help here.
There is a lot of useful information here. Can you please close off this thread?
Again, this would be an issue with the encryption used by the IdP to sign the assertion. I would recommend that you ask the IdP which encryption they are using.