SAML Validation - No key value found


Hi all, I receive an error during SAML validation.

Please find attached our assertion if you need to have a look.

Thank you

Cosimo



Maybe the problem is due to the algorithm used. Does someone know how to verify which algorithm is used and, if needed, change it?

Thanks

Cosimo


We are facing an issue during the SAML validation. We get the following error:

{"fault":{"faultstring":"ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Error during signature validation","detail":{"errorcode":"steps.saml.ERROR_VALIDATING_SIGNATURE"}}}

In the server log, we get the following error:

./var/log/apigee/message-processor/logs/system.log <==
2015-07-08 18:36:00,558 org:dcpp1com env:dev api:apisamlvalidateandtoken-1 rev:5 policy:Validate-SAML-Assertion-1 NIOThread@0 ERROR ValidateSAMLAssertion - ValidateSAMLAssertionExecution.verify() : Error validating signature
javax.xml.crypto.dsig.XMLSignatureException: cannot find validation key
    at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:538) ~[na:1.7.0_72]
    at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:253) ~[na:1.7.0_72]
    at com.apigee.steps.saml.validate.ValidateSAMLAssertionExecution.verify(ValidateSAMLAssertionExecution.java:230) [saml-1.0.0.jar:na]
    at com.apigee.steps.saml.validate.ValidateSAMLAssertionExecution.verifyAssertion(ValidateSAMLAssertionExecution.java:133) [saml-1.0.0.jar:na]
    at com.apigee.steps.saml.validate.ValidateSAMLAssertionExecution.execute(ValidateSAMLAssertionExecution.java:96) [saml-1.0.0.jar:na]
    at com.apigee.messaging.runtime.steps.StepExecution.execute(StepExecution.java:136) [message-processor-1.0.0.jar:na]
    at com.apigee.flow.execution.SyncExecutionStrategy.execute(SyncExecutionStrategy.java:50) [message-flow-1.0.0.jar:na]
    at com.apigee.flow.MessageFlowImpl.execute(MessageFlowImpl.java:289) [message-flow-1.0.0.jar:na]
    at com.apigee.flow.MessageFlowImpl.resume(MessageFlowImpl.java:174) [message-flow-1.0.0.jar:na]
    at com.apigee.flow.execution.ExecutionContextImpl$1.run(ExecutionContextImpl.java:93) [message-flow-1.0.0.jar:na]
    at com.apigee.nio.NIOSelector.runTasks(NIOSelector.java:317) [nio-1.0.0.jar:na]
    at com.apigee.nio.NIOSelector.access$000(NIOSelector.java:29) [nio-1.0.0.jar:na]
    at com.apigee.nio.NIOSelector$2.findNext(NIOSelector.java:265) [nio-1.0.0.jar:na]
    at com.apigee.nio.NIOSelector$2.findNext(NIOSelector.java:256) [nio-1.0.0.jar:na]
    at com.apigee.nio.util.NonNullIterator.computeNext(NonNullIterator.java:16) [nio-1.0.0.jar:na]
    at com.apigee.nio.util.AbstractIterator.hasNext(AbstractIterator.java:36) [nio-1.0.0.jar:na]
    at com.apigee.nio.handlers.NIOThread.run(NIOThread.java:59) [nio-1.0.0.jar:na]
Caused by: javax.xml.crypto.KeySelectorException: No KeyValue element found!
    at com.apigee.steps.saml.validate.ValidateSAMLAssertionExecution$KeyValueKeySelector.select(ValidateSAMLAssertionExecution.java:303) ~[saml-1.0.0.jar:na]
    at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:530) ~[na:1.7.0_72]
    ... 16 common frames omitted

We think the problem is that the <ds:keyValue> tag is missing from our SAML assertion. Is that correct? Our identity server doesn't provide it. If so, is this tag mandatory in a standard SAML assertion? Attached is the sample SAML assertion that was generated. Thanks a lot.

Hi @Cosimo, did you ever find an answer to this problem with SAML?


I have just run into this issue as well. I suspect that there is a bug in the SAML validation process, and there is an unexpected and rather poorly documented configuration requirement.

In quick summary, a SAML document will contain a signature and an optional X509 certificate containing the public key that can be used to validate the signature.

First, the configuration issue:

The trust store must contain ALL certificates in the chain, all the way to the CA or self-signed root certificate needed to validate the certificate contained in the SAML document. Most Certificate Authorities have one root and one or more intermediate certificates, which are used to perform certificate signing. You MUST have ALL the certificates in the chain in the trust store; just the intermediate certificates are not sufficient.

Apigee's documentation implies that the certificates must be loaded in PEM format (even though the management API will take a DER format certificate). I have not tested if this is a true requirement, instead opting to load everything in PEM format. Note that if you put more than one certificate in the PEM file, they must be in the correct order. I did not do this, instead loading each certificate separately to avoid any potential ordering issues.

The bug:

The SAML validation policy apparently ignores embedded X509 certificates. You have to manually extract whatever certificates are in use and also include them in the trust store. This is a bit of a problem as the SAML provider could change this certificate at any time, which means that until you manually extract the embedded certificate and place it in the trust store, your SAML validations will fail once a certificate changes.

This issue actually points to a bigger issue about Apigee's certificate handling overall. Chain validation is entirely static and depends on manual configuration of the trust store with all needed CA certificates. There is no ability to check CRLs or OCSP during validation to determine if a certificate has been revoked. Nor does Apigee provide a standard CA trust store for general use; by comparison, every computer's and server's OS contains a standard trust store of current CA certificates that is managed and updated by the vendor, and all support dynamic validation of certificate chains via CRL or other mechanisms.
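Two things come up repeatedly in this thread: Cosimo asks how to see which signature algorithm the assertion uses, and the last reply says the embedded certificate has to be extracted by hand and loaded into the trust store because the policy only looks for ds:KeyValue. The script below is an added example (stdlib Python, not Apigee's code and not from any poster) that does both over an assertion: it reports the ds:SignatureMethod algorithm, reports whether ds:KeyInfo carries a ds:KeyValue, and converts each ds:X509Data/ds:X509Certificate into a PEM block ready for a trust store upload. The assertion and the certificate bytes inside it are constructed stand-ins; a real assertion carries the base64 DER of the IdP's actual signing certificate, and the issuer/ID values here are invented.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"ds": DS, "saml": SAML}

# Constructed stand-in for the DER bytes of the IdP signing certificate.
# A real assertion carries the base64 of an actual X.509 DER certificate here.
FAKE_DER = b"constructed stand-in, not a real X.509 certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode("ascii")

# Constructed assertion (invented issuer and ID): the signature carries
# X509Data but no ds:KeyValue, the shape the thread above describes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://idp.example.test/constructed</saml:Issuer>
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed-1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>{FAKE_B64}</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</saml:Assertion>
"""


def to_pem(b64_der: str) -> str:
    """Wrap a base64 DER blob as a PEM CERTIFICATE block with 64-char lines."""
    body = "".join(b64_der.split())        # IdPs often line-wrap the base64 inside the element
    base64.b64decode(body, validate=True)  # fail early on garbage rather than emit a broken PEM
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def inspect_signature(assertion_xml: str) -> dict:
    """Return the signature algorithm, whether ds:KeyValue is present, and embedded certs as PEM."""
    root = ET.fromstring(assertion_xml)
    sig = root.find("ds:Signature", NS)   # enveloped signature is a direct child of the Assertion
    if sig is None:
        raise ValueError("assertion carries no ds:Signature")
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    key_info = sig.find("ds:KeyInfo", NS)
    certs = []
    has_key_value = False
    if key_info is not None:
        has_key_value = key_info.find("ds:KeyValue", NS) is not None
        certs = [to_pem(c.text or "")
                 for c in key_info.findall("ds:X509Data/ds:X509Certificate", NS)]
    return {
        "signature_algorithm": method.get("Algorithm") if method is not None else None,
        "has_key_value": has_key_value,
        "certificates": certs,
    }


def diagnose(report: dict) -> str:
    """Explain what a validator that selects keys only from ds:KeyValue will do with this assertion."""
    if report["has_key_value"]:
        return "ds:KeyValue present; a KeyValue-based key selector can read the public key directly."
    if report["certificates"]:
        return (f"no ds:KeyValue; {len(report['certificates'])} embedded X509Certificate(s). "
                "A KeyValue-only selector reports 'No KeyValue element found'; load the PEM(s) "
                "into the trust store instead.")
    return "no ds:KeyValue and no X509Certificate; the verification key must come from configuration."


if __name__ == "__main__":
    report = inspect_signature(SAMPLE_ASSERTION)
    print("SignatureMethod:", report["signature_algorithm"])
    print(diagnose(report))
    for pem in report["certificates"]:
        print(pem, end="")
```

Run it against the real assertion saved from the IdP (replace SAMPLE_ASSERTION with the file contents) and save each printed PEM to its own file. Note that the script only extracts what the IdP embedded, normally the leaf signing certificate; the intermediate and root certificates that the reply above says must also be in the trust store have to come from the IdP's metadata or the issuing CA, and the extracted leaf will need re-extracting whenever the IdP rotates its key.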