GenerateSAMLAssertion is not working


I'm working on a SAML generator and validator, but when invoking the Apigee endpoint I get this error in Postman:

{ "fault": { "faultstring": "GenerateSAMLAssertion[SAML]: Error transforming assertion into message.", "detail": { "errorcode": "steps.saml.generate.ErrorUpdatingPayload" } } }

please find the screenshot for the same

Any kind of help and suggestions will be appreciated.



I don't see the screenshot. But that's ok, I don't need to see it.

What would help is to see your GenerateSAMLAssertion policy configuration. Also, can you examine the "saml.error" context variable? What does it contain? That might give you a hint.

Without having any further information, I'm going to guess. "ErrorUpdatingPayload" could indicate that the policy can sign the SAML assertion, but cannot insert the signed assertion into the message at the XPath you supplied. That means you may have an incorrect XPath, or you may have incorrect namespaces. Can you show the content of the message into which you are inserting the signed assertion?

If you are using the Message output... maybe swap to using FlowVariable. That will simply insert the assertion into a flow variable and you can eliminate the xpath as a source of problems.

If that does not help you solve the problem, check the contents of the keystore and truststore. Do they contain the key and cert you think they contain? Use the Admin API to query it and show what you get out of those queries.

Thanks for your reply @Dino-at-Google

In saml.error I'm getting java.lang.NullPointerException

SAML generator code:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateSAMLAssertion name="SAML" ignoreContentType="false">
    <Message name="message">
        <Namespace prefix="Envelop"></Namespace>
        <Namespace prefix="encodingStyle"></Namespace>
        <Namespace prefix="Body"></Namespace>
    </Message>
    <Subject>Subject name</Subject>
    <Template ignoreUnresolvedVariables="false">
        <!-- A lot of XML goes here, in CDATA, with {} around each variable -->
    </Template>
</GenerateSAMLAssertion>

Input message

    xmlns:SOAP-ENV = ""
    SOAP-ENV:encodingStyle = "">
      xmlns:m = ""> 
      <m:Quotation>Here is the quotation</m:Quotation> 

I apologize, the state of the documentation for this particular policy is currently not very good. Not only does it not explain the precedence of various configuration elements, the example configuration is broken and otherwise unhelpful or misleading.

I think you want to create a SAML assertion and inject it into a SOAP message. The GenerateSAMLAssertion policy can do that.

A configuration that I have, which works, is:

<GenerateSAMLAssertion name="SAML-2" ignoreContentType="false">

  <!-- set issuer and subject to hard-coded values -->

  <!-- specify the digest and signature methods for the assertion -->

  <!-- the key and cert for signing -->
    <Alias>key1</Alias> <!-- cert and key -->

  <!-- where to put the assertion -->
    <Message name="request">
        <Namespace prefix="soap"></Namespace>
        <Namespace prefix="wsse"></Namespace>

  <!-- the shape of the assertion to sign -->
  <Template ignoreUnresolvedVariables="false">
    <!-- the content of the assertion -->
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="{}" Version="2.0" IssueInstant="{saml.issueInstant}">
        <saml:NameID Format="{saml.subjectFormat}">{saml.subject}</saml:NameID>
      <saml:AuthnStatement AuthnInstant="{saml.authnInstant}" SessionIndex="{saml.authnSessionIndex}">

Some notes:

  • The reason yours did not work is that you had problems with prefixes in your XPath as well as with namespaces.
  • The digest method can be sha1 or sha256.
  • The signature method can be rsa-sha1 or rsa-sha256.
  • The keystore obviously should have an RSA key and cert.
  • Originally, I was not able to get the XPath to work with Namespaces, so I used wildcards in the XPath. Later I figured out the problem: the SOAP namespace you are using in the sample input message you provided is non-standard. I copied that message directly, and used it for examples, and as a result my XPath was not matching. When I fixed the SOAP namespace in the original document, it worked as expected.
  • The XPath MUST resolve to an existing element in the source XML document! The policy will insert the signed Assertion as a child of the configured location. Your sample did not include a wsse:Security element, which means using an XPath that specifies the Security element in the policy configuration would fail. To correct that, I injected an empty soap:Header and wsse:Security element. The resulting sample unsigned SOAP document is below.
  • The Template element specifies the shape of the SAML thing you want to sign. You have control over that. If you don't supply a Template then ... Apigee uses a default template for the Assertion which uses the Issuer, Subject, and AuthnStatement.

This sample unsigned SOAP message includes the required empty wsse:Security element, as well as a correct SOAP 1.1 namespace:

    xmlns:SOAP-ENV = ""
      xmlns:m = "">
      <m:Quotation>Here is the quotation</m:Quotation>
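An added example, not from this thread and not Apigee's own code: a Python preflight check that reproduces the two failure modes the notes above describe (a SOAP envelope bound to a non-standard namespace URI, and an XPath that names a wsse:Security element the message does not contain) and then mimics the policy's final step of appending the assertion as a child of the XPath target. The XPath, the namespace map, the sample messages and the bare assertion are assumed, constructed values.

```python
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Policy-side settings (assumed values): the <Namespace> declarations and the insertion XPath.
NS = {"soap": SOAP11, "wsse": WSSE}
XPATH = "/soap:Envelope/soap:Header/wsse:Security"

# Constructed message 1: envelope bound to a non-standard URI, and no Header/Security at all.
NON_STANDARD_MSG = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="urn:example:not-soap" xmlns:m="urn:example:q">
  <SOAP-ENV:Body><m:Quotation>Here is the quotation</m:Quotation></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
# Constructed message 2: correct SOAP 1.1 URI plus an empty wsse:Security to insert into.
# Its prefix (SOAP-ENV) differs from the policy's (soap); matching is by URI, not prefix.
FIXED_MSG = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP11}" xmlns:wsse="{WSSE}" xmlns:m="urn:example:q">
  <SOAP-ENV:Header><wsse:Security/></SOAP-ENV:Header>
  <SOAP-ENV:Body><m:Quotation>Here is the quotation</m:Quotation></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
ASSERTION = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x" Version="2.0"/>'


def locate(root, xpath, ns):
    """Resolve an absolute child-axis XPath (/p:a/p:b) to one element, or explain why not."""
    tags = []
    for step in [s for s in xpath.split("/") if s]:
        prefix, _, local = step.rpartition(":")
        if prefix and prefix not in ns:
            return None, f"prefix {prefix!r} in the XPath has no <Namespace> declaration"
        tags.append(f"{{{ns[prefix]}}}{local}" if prefix else local)  # Clark notation
    if root.tag != tags[0]:
        return None, f"root element is {root.tag}, XPath expects {tags[0]}"
    node = root
    for tag in tags[1:]:
        node = node.find(tag)
        if node is None:
            return None, f"no child {tag}; the insertion point must already exist"
    return node, "ok"

def check(xml_text, xpath, ns):
    """Preflight only: 'ok', or the reason the policy could not update the payload."""
    return locate(ET.fromstring(xml_text), xpath, ns)[1]

def insert_assertion(xml_text, xpath, ns, assertion_xml):
    """Mimic the policy's final step: append the assertion as a child of the XPath target."""
    root = ET.fromstring(xml_text)
    target, reason = locate(root, xpath, ns)
    if target is None:
        raise ValueError(f"cannot update payload: {reason}")
    target.append(ET.fromstring(assertion_xml))
    return ET.tostring(root, encoding="unicode")
```

Running `check` against the message you intend to send, with the same prefixes and URIs you put in the policy's Namespace elements, tells you before deployment whether the XPath can match at all.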


Thanks for your reply. If you can, please provide me with a working SOAP message with its proper XPath and namespaces.

I provided that in the answer that you are commenting on. I provided the policy configuration and the SOAP message I sent in. The resulting message, with the signed SAML Assertion inserted into it, is like this:

          xmlns:xsi="" ID="_432c47cd3165e7ccf007e89901b189c9" IssueInstant="2021-02-09T00:29:12.954Z" Version="2.0">
            <ds:CanonicalizationMethod Algorithm=""/>
            <ds:SignatureMethod Algorithm=""/>
            <ds:Reference URI="#_432c47cd3165e7ccf007e89901b189c9">
                <ds:Transform Algorithm=""/>
                <ds:Transform Algorithm=""/>
              <ds:DigestMethod Algorithm=""/>
	  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dinochiesa</saml:NameID>
        <saml:AuthnStatement AuthnInstant="2021-02-09T00:29:12.954Z" SessionIndex="NoSessionIndex">
      <m:Quotation>Here is the quotation</m:Quotation>    