• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

SAML Problem Calculating Signature of the SAMLRequest

New Here ,
Sep 24, 2024 Sep 24, 2024

Copy link to clipboard

Copied

Hello, has anyone run into this issue when implementing SAML for SSO or otherwise in your coldfusion application:

There was a problem when calculating the Signature of the SAMLRequest

 

I have tried every possible configuration of the IDP and SP, which looks like the following, however im pretty sure this has to do with the idp signcertificate, which is copy and pasted in X509Certificate format from the idp xml metadata. I've also tried a few different configurations of pasting the idp signcertificate including manually encoding it in base64.

 

this.security.samlsettings.idp = [{
	name: '<idpname>', 
	entityId: 'https://<idp_url>/saml2/idp',
	ssoURL: "https://<idp_url>/idp/SSO.saml2",
	sloURL: "https://<idp_url>/idp/SLO.ssaml2",
	signMessage: true, 
	signrequests: true
	signcertificate: 'thecert'  
}];
this.security.samlsettings.sp = [{
	name: '<spname>', 
	entityId: 'http://<my_application>/admin/index.cfm/main', 
	acsURL: 'https://<my_application>/admin/acs.cfm', 
	sloURL: 'https://<my_application>/admin/main/logout', 
	acsbinding: 'POST', 
	slobinding: 'POST', 
	wantassertionssigned: true, 
	logoutresponsesigned: true,
	signrequests: true,
	signkeystorepath: '/<file_path>/sso.keystore', 
	signkeystorepassword: '<passwd>', 
	signkeystorealias: 'SSODev', 
	requeststore: 'Cache'
}];

 

Im also including the stactrace below. Any insight would be very helpful!

 

java.lang.IllegalArgumentException: There was a problem when calculating the Signature of the SAMLRequest at coldfusion.saml.SamlAuth.buildSignature(SamlAuth.java:1022) at coldfusion.saml.SamlAuth.buildRequestSignature(SamlAuth.java:950) at coldfusion.saml.SamlAuth.login(SamlAuth.java:262) at coldfusion.saml.SamlAuth.login(SamlAuth.java:295) at coldfusion.saml.SamlAuth.login(SamlAuth.java:319) at coldfusion.saml.SamlRequestBuilder.initAuthRequest(SamlRequestBuilder.java:164) at coldfusion.saml.SAMLServiceImpl.InitSAMLAuthRequest(SAMLServiceImpl.java:513) at coldfusion.runtime.CFPage.InitSAMLAuthRequest(CFPage.java:17413) at cfApplication2ecfc1861989389$funcONSESSIONSTART.runFunction(/virtual/linode.com/www/htdocs/Application.cfc:563) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:623) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:553) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:516) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:463) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:438) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:310) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:975) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:696) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:503) at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:115) at coldfusion.runtime.AppEventInvoker.onSessionStart(AppEventInvoker.java:465) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:512) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:162) at coldfusion.filter.IpFilter.invoke(IpFilter.java:45) at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:30) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:97) at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:81) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:231) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) at coldfusion.inspect.weinre.MobileDeviceDomInspectionFilter.doFilter(MobileDeviceDomInspectionFilter.java:57) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:355) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:450) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.base/java.lang.Thread.run(Thread.java:834)

 

Views

262

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

New Here , Sep 24, 2024 Sep 24, 2024

Hi Pete, thanks for the quick reply! Your comment had me rethinking the way I generated my SP cert and it did end up being an issue with the way I generated my SP keystore. Coldfusion or java had issues decrypting the keystore sso.keystore that I generate with keytool. I solved this issue by generating my keystore with the PKCS12 store type, using the following command:

keytool -genkey -alias <myalias> -keystore /<file_path>/sso.p12 -storetype PKCS12 -keyalg RSA -storepass <passwd> -validity 9999
...

Votes

Translate

Translate
Enthusiast ,
Sep 24, 2024 Sep 24, 2024

Copy link to clipboard

Copied

Not sure if this would cause the problem, but you are missing the comma after signrequests and before signcertificate in your IDP config. 

 

My next guess would be that the actual signcertificate is not in the correct format. There are different ways to encode the certificate PEM, DER, etc. I think you want to just take a PEM cert, and then remove the BEGIN CERTIFICATE / END CERTIFICATE parts and put everything on one line. 

 

Pete / Foundeo Inc.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Sep 24, 2024 Sep 24, 2024

Copy link to clipboard

Copied

Hi Pete, thanks for the quick reply! Your comment had me rethinking the way I generated my SP cert and it did end up being an issue with the way I generated my SP keystore. Coldfusion or java had issues decrypting the keystore sso.keystore that I generate with keytool. I solved this issue by generating my keystore with the PKCS12 store type, using the following command:

keytool -genkey -alias <myalias> -keystore /<file_path>/sso.p12 -storetype PKCS12 -keyalg RSA -storepass <passwd> -validity 9999 -keysize 2048

I then exported the keystore into a .pem file with the following command and provided it to my IDP:

keytool -export -alias <myalias> -keystore /<file_path>/sso.p12 -rfc -file /<file_path>/sso.pem

 

Hopefully this is able to assist someone else.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Enthusiast ,
Sep 26, 2024 Sep 26, 2024

Copy link to clipboard

Copied

LATEST

Yeah, I bet it will help someone else too, thanks for sharing what the problem was.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation