Does not work with samltest.id #77

Open
casimcdaniels opened this issue Nov 8, 2020 · 1 comment

@casimcdaniels

Set up from the example in the README, but used samltest.id instead of Okta for the IdP. I get the following message on samltest.id after the redirect to the IdP:

Web Login Service - Message Security Error

The request cannot be fulfilled because the message received does not meet the security requirements of the login service...

In the error logs, I see some messages about invalid / unsupported envelope transforms:

2020-11-08 04:32:09,953 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:?] - Message Handler:  Selecting default AttributeConsumingService, if any
2020-11-08 04:32:09,953 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:?] - Message Handler:  No AttributeConsumingService selected
2020-11-08 04:32:09,954 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:?] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer boogie-woogie
2020-11-08 04:32:09,954 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:?] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2020-11-08 04:32:09,955 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler:  Checking SAML message intended destination endpoint against receiver endpoint
2020-11-08 04:32:09,955 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler:  Intended message destination endpoint: https://samltest.id/idp/profile/SAML2/Redirect/SSO
2020-11-08 04:32:09,955 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler:  Actual message receiver endpoint: https://samltest.id/idp/profile/SAML2/Redirect/SSO
2020-11-08 04:32:09,955 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler:  SAML message intended destination endpoint matched recipient endpoint
2020-11-08 04:32:09,955 - DEBUG [org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler:?] - Message Handler:  Evaluating message replay for message ID '_14c6baf5-d444-46af-96e6-53d288164010', issue instant '2020-11-08T04:32:09.000Z', entityID 'boogie-woogie'
2020-11-08 04:32:09,955 - DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator:?] - Saw Enveloped signature transform
2020-11-08 04:32:09,955 - ERROR [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator:?] - Saw invalid signature transform: http://www.w3.org/2006/12/xml-c14n11
2020-11-08 04:32:09,956 - DEBUG [org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler:?] - Message Handler:  Protocol message signature failed signature pre-validation
org.opensaml.xmlsec.signature.support.SignatureException: Signature contained an invalid transform
	at org.opensaml.saml.security.impl.SAMLSignatureProfileValidator.validateTransforms(SAMLSignatureProfileValidator.java:243)
2020-11-08 04:32:09,956 - WARN [org.opensaml.profile.action.impl.LogEvent:?] - A non-proceed event occurred while processing the request: MessageAuthenticationError
2020-11-08 04:32:09,956 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:?] - No SAMLBindingContext or binding URI available, error must be handled locally

Not my area of expertise, so I need some guidance here on what's going on.

@somogyibence

@casimcdaniels as far as I can tell, the IdP only supports exclusive XML canonicalization. Try providing c14N10ExclusiveCanonicalizer for the SAMLServiceProvider.

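As an added example (not code from this issue or from the library it concerns), here is the check the IdP applied, written in Go with only the standard library: the SAML signature profile that OpenSAML's SAMLSignatureProfileValidator enforces permits only the enveloped-signature transform plus exclusive c14n (with or without comments), so a Reference carrying http://www.w3.org/2006/12/xml-c14n11, as in the log above, is rejected before the signature is even verified. The type, function and constant names are my own, and the sample signature fragment is constructed, not captured.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Transform URIs the SAML signature profile allows (the set OpenSAML's SAMLSignatureProfileValidator accepts).
const (
	TransformEnveloped       = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
	TransformExcC14N         = "http://www.w3.org/2001/10/xml-exc-c14n#"
	TransformExcC14NComments = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
)
// dsSignature maps only ds:Signature/SignedInfo/Reference/Transforms/Transform; encoding/xml matches by local name.
type dsSignature struct {
	Transforms []struct {
		Algorithm string `xml:"Algorithm,attr"`
	} `xml:"SignedInfo>Reference>Transforms>Transform"`
}
// ValidateSAMLTransforms enforces the profile rule: enveloped-signature must be present and only
// exclusive c14n may sit beside it; anything else (e.g. http://www.w3.org/2006/12/xml-c14n11) is rejected.
func ValidateSAMLTransforms(signatureXML string) error {
	var sig dsSignature
	if err := xml.Unmarshal([]byte(signatureXML), &sig); err != nil {
		return fmt.Errorf("parse signature: %w", err)
	}
	sawEnveloped := false
	for _, t := range sig.Transforms {
		switch t.Algorithm {
		case TransformEnveloped:
			sawEnveloped = true
		case TransformExcC14N, TransformExcC14NComments: // the only canonicalization the profile permits
		default:
			return fmt.Errorf("invalid signature transform: %s", t.Algorithm)
		}
	}
	if !sawEnveloped {
		return fmt.Errorf("enveloped-signature transform missing")
	}
	return nil
}
// SampleSignature returns a constructed (not real) ds:Signature fragment: enveloped transform, then the given c14n.
func SampleSignature(c14nAlgorithm string) string {
	return `<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_id">` +
		`<ds:Transforms><ds:Transform Algorithm="` + TransformEnveloped + `"/><ds:Transform Algorithm="` +
		c14nAlgorithm + `"/></ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>`
}
func main() { // reproduces the rejection seen in the issue's log
	fmt.Println(ValidateSAMLTransforms(SampleSignature("http://www.w3.org/2006/12/xml-c14n11")))
}
```

If the SP in this issue is gosaml2 (an assumption drawn from the identifiers in the reply above), the signing canonicalizer is the SAMLServiceProvider's SignAuthnRequestsCanonicalizer field, set with goxmldsig's MakeC14N10ExclusiveCanonicalizerWithPrefixList; both names are from memory, not from this page.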