Migrate auth idP from ADFS to Microsoft Entra ID, using SAML2 protocol
I need to migrate my Java web application's (Spring Security) authentication IdP from ADFS to Microsoft Entra ID (Azure ID), using the SAML2 protocol. So far, I have only found a few examples using the OAuth method, but to avoid major changes, I want to keep using SAML 2.0. At this moment, I am able to connect my application to Microsoft Entra ID, log on and get the "approved" token. But when my application receives the SAML message, I get the following error message: "Error validating SAML message: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message". Can someone help me with this issue? Below is the log from the app server:
2024-02-27 15:59:28,979 ERROR [org.opensaml.xml.encryption.Decrypter] (default task-63) Error decrypting encrypted key: org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed
Original Exception was java.security.InvalidKeyException: Unwrapping failed
Caused by: java.security.InvalidKeyException: Unwrapping failed
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:465) [sunjce_provider.jar:1.8.0_372]
at javax.crypto.Cipher.unwrap(Cipher.java:2553) [jce.jar:1.8.0_372]
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1477) [xmlsec-1.5.6.jar:1.5.6]
... 66 more
Caused by: javax.crypto.BadPaddingException: Message is larger than modulus
at sun.security.rsa.RSACore.parseMsg(RSACore.java:214) [rt.jar:1.8.0_372]
at sun.security.rsa.RSACore.crtCrypt(RSACore.java:166) [rt.jar:1.8.0_372]
at sun.security.rsa.RSACore.rsa(RSACore.java:122) [rt.jar:1.8.0_372]
at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:369) [sunjce_provider.jar:1.8.0_372]
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:460) [sunjce_provider.jar:1.8.0_372]
... 68 more
2024-02-27 15:59:28,985 ERROR [org.opensaml.xml.encryption.Decrypter] (default task-63) Failed to decrypt EncryptedKey, valid decryption key could not be resolved
2024-02-27 15:59:28,985 ERROR [org.opensaml.xml.encryption.Decrypter] (default task-63) Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
2024-02-27 15:59:28,985 ERROR [org.opensaml.saml2.encryption.Decrypter] (default task-63) SAML Decrypter encountered an error decrypting element content: org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
2024-02-27 15:59:28,997 ERROR [br.com.tan.adfs.bean.AcessoNegadoAdfsBean] (default task-63) Error validating SAML message: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
Caused by: org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
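A diagnostic for the trace above, added here as an example and not code from the question or from Spring Security SAML: the "Message is larger than modulus" BadPaddingException in RSACore.parseMsg is thrown when the RSA ciphertext carried in EncryptedKey/CipherValue, read as an integer, is not smaller than the SP private key's modulus, which is what happens when the IdP encrypted the assertion key to a certificate other than (or larger than) the private key sitting in the SP keystore. The keystore type (JKS), the command-line arguments and the alias are assumptions; the decoded SAML Response is expected in a file.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class EncryptedKeyCheck {
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";

    // Assumed arguments: <keystore.jks> <password> <alias> <decoded-saml-response.xml>
    public static void main(String[] args) throws Exception {
        String keystorePath = args[0], password = args[1], alias = args[2], responseXml = args[3];

        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: JKS keystore as used by Spring SAML
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password.toCharArray());
        }
        RSAPrivateKey priv = (RSAPrivateKey) ks.getKey(alias, password.toCharArray());
        RSAPublicKey pub = (RSAPublicKey) ks.getCertificate(alias).getPublicKey();
        BigInteger n = priv.getModulus();

        // Check 1: the certificate stored under the alias must belong to this private key.
        if (!n.equals(pub.getModulus())) {
            System.out.println("Private key and certificate under alias '" + alias + "' do not match");
        }

        // Parse the SAML Response with DTDs and external entities disabled (hardened parser).
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(responseXml));

        // Check 2: every EncryptedKey ciphertext must be smaller than the SP key's modulus,
        // otherwise RSACore.parseMsg fails exactly as in the log above.
        NodeList keys = doc.getElementsByTagNameNS(XENC, "EncryptedKey");
        for (int i = 0; i < keys.getLength(); i++) {
            Element ek = (Element) keys.item(i);
            String b64 = ek.getElementsByTagNameNS(XENC, "CipherValue").item(0).getTextContent().trim();
            byte[] wrapped = Base64.getMimeDecoder().decode(b64); // tolerates line breaks
            boolean fits = new BigInteger(1, wrapped).compareTo(n) < 0;
            System.out.printf("EncryptedKey #%d: %d-byte ciphertext vs %d-bit SP key -> %s%n", i,
                wrapped.length, n.bitLength(),
                fits ? "fits" : "LARGER THAN MODULUS: IdP encrypted to a different or larger key");
        }
    }
}
```

If check 2 reports a mismatch, compare the certificate uploaded to the Entra ID enterprise application with the one exported from the keystore alias that the SP's SAML configuration actually uses.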