ComponentSpace

Forums



Implemting a Service Provider. ReceiveSSO gives the error: The SAML response isn't signed


Implemting a Service Provider. ReceiveSSO gives the error: The SAML...

Author
Message
DannyStaten
DannyStaten
New Member
New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)

Group: Forum Members
Posts: 7, Visits: 18
So long as I have my SAML.config information for PartnerIdentityProvider to indicate that I don't want the response to be signed, I have been able to get up and running with my organization's identity provider just fine.  Using SSOTracer in firefox, I can see that the response does indeed have a certificate, and I have verified that the certificate contents match the contents that I have in the root of my MVC application (idp.cer).  From everything I can see, I should have a matching certificate to the one coming from my identity provider, but ReceiveSSO fails if I set the config to require a signed response.

Here is the SAML that I am receiving from the Identity provider (sanitized to remove any sensitive data)

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      ID="s219873d3091bb908ee2178472917286104d932e27"
      InResponseTo="_371fa8d0-ce88-494e-b0ee-e25318b61c38"
      Version="2.0"
      IssueInstant="2015-01-15T22:28:12Z"
      Destination="http://localhost:8000/Auth/Receive"
      >
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">--removed--</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      Value="urn:oasis:names:tc:SAML:2.0:status:Success"
      />
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="s29947f21667d2aac359ee7e8ab2a3173299ce175f"
      IssueInstant="2015-01-15T22:28:12Z"
      Version="2.0"
      >
<saml:Issuer>gotTheNameRight</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#s29947f21667d2aac359ee7e8ab2a3173299ce175f">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>zgATTUCLT1EHftyOUZwzZhEZw3k=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
--Removed--
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
Removed but I actually direct coppied the real value and pasted it into the idp.cer file in between the begin and end comment dealios in that actual file.
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
     NameQualifier="gotTheNameRight"
     >3445376629984011</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_371fa8d0-ce88-494e-b0ee-e25318b61c38"
          NotOnOrAfter="2015-01-15T22:38:12Z"
          Recipient="http://localhost:8000/Auth/Receive"
          />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2015-01-15T22:18:12Z"
      NotOnOrAfter="2015-01-15T22:38:12Z"
      >
<saml:AudienceRestriction>
<saml:Audience>teacherapp-localdev</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2015-01-15T22:27:17Z"
       SessionIndex="s22f1b0a2660c5d0cf571740a4b5fe50f232857c04"
       >
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="policy-givenname">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:type="xs:string"
       >Daniel</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="policy-sn">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:type="xs:string"
       >Staten</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="policy-workforceid">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:type="xs:string"
       >--removed--</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="policy-cn">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:type="xs:string"
       >dannystaten</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="policy-ldsaccountid">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:type="xs:string"
       >--removed--</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>


Here is the saml config for our identity provider
<PartnerIdentityProvider Name="gotTheNameRight"
         SignAuthnRequest="false"
         WantSAMLResponseSigned="true"
         WantAssertionSigned="false"
         WantAssertionEncrypted="false"
         SingleSignOnServiceUrl="https://urldoeswork"
         SingleLogoutServiceUrl="https://differenturl"
         PartnerCertificateFile="idp.cer"/>

As I said, the SAML sign on experience works flawlessly until I tell my code that receives to require the signature on the response.  From everything I can see the signature is in the response, and I am configured correctly to accept the signature that has been returned.  Is there something about the signature value that I need to match in my configuration?
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)

Group: Administrators
Posts: 2K, Visits: 4.6K
Signature verification fails because either the XML has been modified after signing or the wrong certificate is used.
As an experiment, in your <PartnerIdentityProvider>, remove the PartnerCertificate attribute and instead specify UseEmbeddedCertificate="true".

<PartnerIdentityProvider Name="gotTheNameRight"
         SignAuthnRequest="false"
         WantSAMLResponseSigned="true"
         WantAssertionSigned="false"
         WantAssertionEncrypted="false"
         SingleSignOnServiceUrl="https://urldoeswork"
         SingleLogoutServiceUrl="https://differenturl"
         UseEmbeddedCertificate="true"/>

This specifies to use the certificate embedded in the XML signature rather than a separate certificate file.
If this works then it means the idp.cer file is incorrect.
If this doesn't work, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com. Also, include the idp.cer file but rename it to idp.txt.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace



Regards
ComponentSpace Development
DannyStaten
DannyStaten
New Member
New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)

Group: Forum Members
Posts: 7, Visits: 18
I just emailed support a log file.  The problem is happening regardless of if I use the file or set it to use the embedded certificate.
Thanks,

Danny
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)ComponentSpace Development (2.9K reputation)

Group: Administrators
Posts: 2K, Visits: 4.6K
Thanks for sending the log. I extracted the SAML response and ran our VerifySAML utility to check the XML signature.

VerifySAML.exe samlresponse.xml
Loading samlresponse.xml
Verifying SAML message
The SAML message isn't signed
Verifying SAML assertion
Verified: True

The SAML response isn't signed. Rather, the SAML assertion is signed instead.
In your configuration you should set WantSAMLResponseSigned to false and WantAssertionSigned to true.

<PartnerIdentityProvider Name="gotTheNameRight"
         SignAuthnRequest="false"
         WantSAMLResponseSigned="false"
         WantAssertionSigned="true"
         WantAssertionEncrypted="false"
         SingleSignOnServiceUrl="https://urldoeswork"
         SingleLogoutServiceUrl="https://differenturl"
         PartnerCertificateFile="idp.cer"/>


Regards
ComponentSpace Development
DannyStaten
DannyStaten
New Member
New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)

Group: Forum Members
Posts: 7, Visits: 18
Thanks so much!  That did it.
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....









ComponentSpace Forums


Search