SAML ERROR: PKIX path construction failed for untrusted credential

问题

I have integrated SAML 2.0 in my system and I’m using like IDP the file http://idp.ssocircle.com/idp-meta.xml. Last week my application worked fine, but since yesterday (5th December 2016) I have an error without doing any modifications in my configuration file.

The error is: 
2016-12-06 10:00:07 ERROR: PKIX path construction failed for untrusted credential: [subjectName='CN=idp.ssocircle.com' |credential entityID='https://idp.ssocircle.com']: unable to find valid certification path to requested target
2016-12-06 10:00:07 INFO : I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request: SSL peer failed hostname validation for name: null
2016-12-06 10:00:07 INFO : Retrying request

My metada bean is :

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
    <list>
        <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
            <constructor-arg>
                <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
            </constructor-arg>
            <constructor-arg>
                <value type="int">5000</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
            <constructor-arg>
                <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                    <constructor-arg>
                             <value type="java.io.File">WEB-INF/saml/sp_sg.xml</value>
                       </constructor-arg>
                    <property name="parserPool" ref="parserPool"/>
                </bean>
            </constructor-arg>
            <constructor-arg>
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="local" value="true"/>
                    <property name="securityProfile" value="metaiop"/>
                    <property name="sslSecurityProfile" value="pkix"/>
                    <property name="signMetadata" value="true"/>
                    <property name="signingKey" value="apollo"/>
                    <property name="encryptionKey" value="apollo"/>
                    <property name="requireArtifactResolveSigned" value="false"/>
                    <property name="requireLogoutRequestSigned" value="false"/>
                    <property name="requireLogoutResponseSigned" value="false"/>
                    <property name="idpDiscoveryEnabled" value="false"/>
                    <property name="idpDiscoveryURL" value="http://localhost:8080/portal_report_sg/saml/discovery"/>
                    <property name="idpDiscoveryResponseURL" value="http://localhost:8080/portal_report_sg/saml/login?disco=true"/>
                </bean>
            </constructor-arg>
         </bean>
    </list>
</constructor-arg>
    <property name="hostedSPName" value="http://88.161.49.14/sg1"/>

Thanks for your help.

回答1:

The root CA certificate used on SSOCircle has changed yesterday. This probably manifests during artifact resolution, when Spring SAML needs to make a call over HTTPS.

Download the certificate from the certification authority's website, store it in file (e.g. ca.cer in PEM format) and import to Spring SAML's keystore with:

 keytool -importcert -alias identtrustca -file ca.cer -keystore samlKeystore.jks

Certificate example:

Spring SAML doesn't use trusted CAs from Java's default keystore in order to keep better control over which certification authorities are trusted.

来源：https://stackoverflow.com/questions/40991685/saml-error-pkix-path-construction-failed-for-untrusted-credential

标签

spring-saml