How to fix error status 400 message Fail to verify response on SAML?

Affected versions: 4.5.1 to 4.7.5

Fixed version: 4.7.6 and above

Resolution: Upgrade to Artifactory 4.7.6 or above

Issue:

When you log in to Artifactory using SAML, you may see the following error after entering your credentials at the IdP and being redirected back to Artifactory:

{
  "errors" : [ {
    "status" : 400,
    "message" : "{"error":"Fail to verify response"}"
  } ]
}

And in the Artifactory log (artifactory.log) you may see the following:

2016-05-10 16:05:01,702 [http-nio-8081-exec-4] [WARN ] (o.a.x.s.s.XMLSignature:-1) - Signature verification failed.
2016-05-10 16:05:01,708 [http-nio-8081-exec-4] [ERROR] (o.a.u.r.s.a.s.s.GetSamlLoginResponseService:29) - Fail to verify response
org.artifactory.addon.sso.saml.SamlException: Fail to verify response
 at org.artifactory.addon.sso.saml.SamlUtils.verifySamlLoginResponse(SamlUtils.java:396) ~[artifactory-addon-sso-4.5.1.jar:na]
 at org.artifactory.addon.sso.saml.SamlHandlerImpl.verifySignature(SamlHandlerImpl.java:211) ~[artifactory-addon-sso-4.5.1.jar:na]
 at org.artifactory.addon.sso.saml.SamlHandlerImpl.handleLoginResponse(SamlHandlerImpl.java:85) ~[artifactory-addon-sso-4.5.1.jar:na]
 at org.artifactory.ui.rest.service.admin.security.saml.GetSamlLoginResponseService.execute(GetSamlLoginResponseService.java:27) ~[artifactory-rest-ui-4.5.1.jar:na]
 at org.artifactory.rest.common.service.ServiceExecutor.process(ServiceExecutor.java:18) [artifactory-rest-common-4.5.1.jar:na]
 at org.artifactory.rest.common.resource.BaseResource.runService(BaseResource.java:107) [artifactory-rest-common-4.5.1.jar:na]
 at org.artifactory.ui.rest.resource.admin.security.saml.SamLoginLogoutResource.loginResponse(SamLoginLogoutResource.java:40) [artifactory-rest-ui-4.5.1.jar:na]
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_71]
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_71]
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_71]
 at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_71]
 at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:205) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409) [jersey-server-1.19.jar:1.19]
 at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409) [jersey-servlet-1.19.jar:1.19]
 at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558) [jersey-servlet-1.19.jar:1.19]
 at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733) [jersey-servlet-1.19.jar:1.19]
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) [servlet-api.jar:na]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291) [catalina.jar:8.0.22]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
 at org.artifactory.webapp.servlet.RepoFilter.execute(RepoFilter.java:198) [artifactory-web-application-4.5.1.jar:na]
 at org.artifactory.webapp.servlet.RepoFilter.doFilter(RepoFilter.java:89) [artifactory-web-application-4.5.1.jar:na]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.22]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
 at org.artifactory.webapp.servlet.AccessFilter.useAuthentication(AccessFilter.java:334) [artifactory-web-application-4.5.1.jar:na]
 at org.artifactory.webapp.servlet.AccessFilter.useAnonymousIfPossible(AccessFilter.java:309) [artifactory-web-application-4.5.1.jar:na]
 at org.artifactory.webapp.servlet.AccessFilter.doFilterInternal(AccessFilter.java:192) [artifactory-web-application-4.5.1.jar:na]
 at org.artifactory.webapp.servlet.AccessFilter.doFilter(AccessFilter.java:156) [artifactory-web-application-4.5.1.jar:na]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.22]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
 at org.artifactory.webapp.servlet.RequestFilter.doFilter(RequestFilter.java:65) [artifactory-web-application-4.5.1.jar:na]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.22]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
 at org.artifactory.webapp.servlet.ArtifactoryFilter.doFilter(ArtifactoryFilter.java:109) [artifactory-web-application-4.5.1.jar:na]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.22]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
 at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:721) [catalina.jar:8.0.22]
 at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:466) [catalina.jar:8.0.22]
 at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:391) [catalina.jar:8.0.22]
 at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:318) [catalina.jar:8.0.22]
 at org.artifactory.webapp.servlet.redirection.SamlRedirectionHandler.redirect(SamlRedirectionHandler.java:36) [artifactory-web-application-4.5.1.jar:na]
 at org.artifactory.webapp.servlet.ArtifactoryFilter.doFilter(ArtifactoryFilter.java:65) [artifactory-web-application-4.5.1.jar:na]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.22]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:8.0.22]
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [catalina.jar:8.0.22]
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [catalina.jar:8.0.22]
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.0.22]
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [catalina.jar:8.0.22]
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518) [catalina.jar:8.0.22]
 at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091) [tomcat-coyote.jar:8.0.22]
 at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668) [tomcat-coyote.jar:8.0.22]
 at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521) [tomcat-coyote.jar:8.0.22]
 at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478) [tomcat-coyote.jar:8.0.22]
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_71]
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_71]
 at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.22]
 at java.lang.Thread.run(Thread.java:745) [na:1.8.0_71]
Caused by: org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
 at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78) ~[xmltooling-1.3.2.jar:na]
 at org.artifactory.addon.sso.saml.SamlUtils.verifySamlLoginResponse(SamlUtils.java:394) ~[artifactory-addon-sso-4.5.1.jar:na]
 ... 66 common frames omitted
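The same "Signature did not validate against the credential's key" message is what Artifactory logs whenever a SAML response fails signature validation, so it is worth separating the known bug in 4.5.1 to 4.7.5 from a genuine verification failure on a fixed version (for example, an IdP signing certificate that no longer matches the one configured in Artifactory). The triage helper below is an added example, not part of this article or of JFrog's code; it reads the jar version out of the stack trace and the affected and fixed versions are taken from the article, while the sample log lines are constructed from the excerpt above.

```python
import re

# Constructed sample, modelled on the log excerpt in this article.
SAMPLE_LOG = """\
2016-05-10 16:05:01,702 [http-nio-8081-exec-4] [WARN ] (o.a.x.s.s.XMLSignature:-1) - Signature verification failed.
2016-05-10 16:05:01,708 [http-nio-8081-exec-4] [ERROR] (o.a.u.r.s.a.s.s.GetSamlLoginResponseService:29) - Fail to verify response
org.artifactory.addon.sso.saml.SamlException: Fail to verify response
 at org.artifactory.addon.sso.saml.SamlUtils.verifySamlLoginResponse(SamlUtils.java:396) ~[artifactory-addon-sso-4.5.1.jar:na]
Caused by: org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
"""

AFFECTED_MIN = (4, 5, 1)   # first affected version, per the article
FIXED_VERSION = (4, 7, 6)  # first fixed version, per the article

# Messages that appear in the log when SAML response signature validation fails.
FAILURE_MARKERS = (
    "Signature verification failed",
    "Fail to verify response",
    "Signature did not validate against the credential's key",
)
# The SSO addon jar in the stack trace carries the Artifactory version.
JAR_RE = re.compile(r"artifactory-addon-sso-(\d+)\.(\d+)\.(\d+)\.jar")


def parse_version(log_text):
    """Return the Artifactory version as a tuple, or None if no SSO jar frame is present."""
    m = JAR_RE.search(log_text)
    return tuple(int(p) for p in m.groups()) if m else None


def saml_verification_failed(log_text):
    return any(marker in log_text for marker in FAILURE_MARKERS)


def classify(log_text):
    """Classify a log excerpt: no failure, known bug (upgrade), or a failure needing investigation."""
    if not saml_verification_failed(log_text):
        return "no-saml-signature-failure"
    version = parse_version(log_text)
    if version is not None and AFFECTED_MIN <= version < FIXED_VERSION:
        return "known-bug-upgrade"
    # On a fixed (or unknown) version the signature really did not match the
    # configured IdP key: check the IdP signing certificate configured in
    # Artifactory and treat repeated failures as a security event.
    return "investigate"


if __name__ == "__main__":
    print(parse_version(SAMPLE_LOG), classify(SAMPLE_LOG))
```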