SAML ERROR: PKIX path construction failed for untrusted credential

Anonymous (unverified), submitted on 2019-12-03 01:05:01

Question:

I have integrated SAML 2.0 in my system and I'm using the file http://idp.ssocircle.com/idp-meta.xml as the IdP. Last week my application worked fine, but since yesterday (5th December 2016) I have an error without having made any modifications to my configuration file.

The error is:

    2016-12-06 10:00:07 ERROR: PKIX path construction failed for untrusted credential: [subjectName='CN=idp.ssocircle.com' |credential entityID='https://idp.ssocircle.com']: unable to find valid certification path to requested target
    2016-12-06 10:00:07 INFO : I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request: SSL peer failed hostname validation for name: null
    2016-12-06 10:00:07 INFO : Retrying request

My metadata bean is:

    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <constructor-arg>
            <list>
                <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                    <constructor-arg>
                        <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
                    </constructor-arg>
                    <constructor-arg>
                        <value type="int">5000</value>
                    </constructor-arg>
                    <property name="parserPool" ref="parserPool"/>
                </bean>
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                            <constructor-arg>
                                <value type="java.io.File">WEB-INF/saml/sp_sg.xml</value>
                            </constructor-arg>
                            <property name="parserPool" ref="parserPool"/>
                        </bean>
                    </constructor-arg>
                    <constructor-arg>
                        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                            <property name="local" value="true"/>
                            <property name="securityProfile" value="metaiop"/>
                            <property name="sslSecurityProfile" value="pkix"/>
                            <property name="signMetadata" value="true"/>
                            <property name="signingKey" value="apollo"/>
                            <property name="encryptionKey" value="apollo"/>
                            <property name="requireArtifactResolveSigned" value="false"/>
                            <property name="requireLogoutRequestSigned" value="false"/>
                            <property name="requireLogoutResponseSigned" value="false"/>
                            <property name="idpDiscoveryEnabled" value="false"/>
                            <property name="idpDiscoveryURL" value="http://localhost:8080/portal_report_sg/saml/discovery"/>
                            <property name="idpDiscoveryResponseURL" value="http://localhost:8080/portal_report_sg/saml/login?disco=true"/>
                        </bean>
                    </constructor-arg>
                </bean>
            </list>
        </constructor-arg>
        <property name="hostedSPName" value="http://88.161.49.14/sg1"/>
    </bean>

Thanks for your help.

Answer 1:

The root CA certificate used on SSOCircle changed yesterday. This probably manifests during artifact resolution, when Spring SAML needs to make a call over HTTPS.

Download the certificate from the certification authority's website, store it in a file (e.g. ca.cer in PEM format) and import it into Spring SAML's keystore with:

 keytool -importcert -alias identtrustca -file ca.cer -keystore samlKeystore.jks

Certificate example:

    -----BEGIN CERTIFICATE-----
    MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
    PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
    Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
    rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
    OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
    xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
    7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
    aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
    HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
    SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
    ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
    AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
    R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
    JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
    Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    -----END CERTIFICATE-----

Spring SAML doesn't use trusted CAs from Java's default keystore in order to keep better control over which certification authorities are trusted.
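The following is an added diagnostic, not part of the answer above and not code from the Spring SAML project. It reproduces the failing check offline: it loads the trusted certificate entries of the JKS keystore the keytool command writes to and asks Java's PKIX CertPathBuilder, the same API OpenSAML's PKIX trust evaluator calls, to build a path from a saved TLS chain (the IdP's certificate plus intermediates, e.g. saved from a browser or from openssl s_client -showcerts) to one of those anchors. The class name KeystorePkixCheck, the argument order and the file names are assumptions; the keystore password is whatever the application's key manager uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Assumed usage (names are illustrative, not from the page):
//   java KeystorePkixCheck samlKeystore.jks <password> chain.pem
// chain.pem holds the IdP's TLS certificate first, then any intermediates, in PEM form.
public class KeystorePkixCheck {

    // Every trustedCertEntry in the keystore becomes a PKIX trust anchor. This is
    // the complete trust set: Spring SAML does not consult the JRE's cacerts.
    static Set<TrustAnchor> trustAnchorsFrom(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.isCertificateEntry(alias) ? ks.getCertificate(alias) : null;
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("anchor '" + alias + "': " + x.getSubjectX500Principal()
                        + " (notAfter " + x.getNotAfter() + ")");
                anchors.add(new TrustAnchor(x, null));
            }
        }
        return anchors;
    }

    // Parse every PEM certificate in the file, keeping file order (leaf first).
    static List<X509Certificate> readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    // Build a path from the leaf to one of the anchors. Returns the anchor
    // certificate the path ends at; throws CertPathBuilderException with the
    // "unable to find valid certification path to requested target" message seen
    // in the log when no anchor covers the chain.
    static X509Certificate buildPath(List<X509Certificate> chain, Set<TrustAnchor> anchors)
            throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        // The saved chain is the only source of intermediates the builder may use
        // to bridge from the leaf to an anchor.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        // Revocation checking is switched off so that the trust anchor set is the
        // only variable under test; the application's own settings may differ.
        params.setRevocationEnabled(false);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);
        return result.getTrustAnchor().getTrustedCert();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java KeystorePkixCheck <keystore.jks> <password> <chain.pem>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Set<TrustAnchor> anchors = trustAnchorsFrom(ks);
        if (anchors.isEmpty()) {
            System.out.println("FAIL: keystore contains no trusted certificate entries");
            System.exit(1);
        }
        List<X509Certificate> chain = readPemChain(args[2]);
        System.out.println("leaf: " + chain.get(0).getSubjectX500Principal());
        try {
            X509Certificate root = buildPath(chain, anchors);
            System.out.println("OK: path ends at anchor " + root.getSubjectX500Principal());
        } catch (CertPathBuilderException ex) {
            System.out.println("FAIL: " + ex.getMessage()
                    + " (import the chain's root CA with keytool -importcert and re-run)");
            System.exit(1);
        }
    }
}
```

Run it once before and once after the keytool import: the first run should print the same "unable to find valid certification path to requested target" failure as the application log, the second should name the imported alias's subject as the anchor the path ends at. The anchor listing also prints each entry's notAfter date; the certificate quoted in the answer has subject "DST Root CA X3" and a notAfter of 2021-09-30 in its validity field, so an anchor that old is worth replacing with the CA's current root rather than re-importing.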


