Neither the SAML assertion nor response is signed


Jorge Garcia Huertos
Hello, 

I am working on an SP-initiated project and we are the SP part. The IdP part wants to send us a SAMLResponse without a signature.

1. Is it possible to receive a SAMLResponse that is not signed? If so, how could I configure it?

I am attaching some screenshots about the exception and the saml.config.





Thanks,
Jorge

JorgeGHS
Jorge Garcia Huertos
jgarcia - 8/16/2019
Hello, 

I am working on an SP-initiated project and we are the SP part. The IdP part wants to send us a SAMLResponse without a signature.

1. Is it possible to receive a SAMLResponse that is not signed? If so, how could I configure it?

I am attaching some screenshots about the exception and the saml.config.





Thanks,
Jorge

Here are the SP Exception logs:


ComponentSpace.SAML2 Verbose: 0 : 130096/14: 8/16/2019 2:17:13 PM: Exception: ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Neither the SAML assertion nor response is signed.
ComponentSpace.SAML2 Verbose: 0 : 130096/14: 8/16/2019 2:17:13 PM:  at ComponentSpace.SAML2.InternalSAMLServiceProvider.VerifySAMLAssertionSignature(Object samlAssertion)
 at ComponentSpace.SAML2.InternalSAMLServiceProvider.GetSAMLAssertion(SAMLResponse samlResponse, XmlElement samlResponseElement)
 at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)
 at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
 at ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, IDictionary`2& attributes, String& relayState)
 at MvcExampleServiceProvider.Controllers.SamlController.AssertionConsumerService() in C:\Users\jgarcia\Desktop\SAMLv20-evaluation\SAML for .NET\Examples\SSO\MVC\MvcExampleServiceProvider\Controllers\SamlController.cs:line 35


JorgeGHS
ComponentSpace
It is possible but not recommended. If you don't verify the signature of the SAML response or SAML assertion you don't know who sent the message and this is extremely insecure.

The <PartnerIdentityProvider> includes the following flags with the default values shown.


<PartnerIdentityProvider
  Name="....."
  WantSAMLResponseSigned="false"
  WantAssertionSigned="false"
  WantAssertionOrResponseSigned="true"



WantSAMLResponseSigned requires that the SAML response is signed and its signature verifies.
WantAssertionSigned requires that the SAML assertion is signed and its signature verifies.
WantAssertionOrResponseSigned requires either the SAML assertion or response is signed and its signature verifies. This flag is meant as a convenience as you normally don't care which is signed as long as one is signed and the signature verifies. We default to true as this is the most common use case.

To turn off signature verification you must explicitly set WantAssertionOrResponseSigned to false.

Regards
ComponentSpace Development
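
The following is an added example, not part of the original posts and not ComponentSpace code: a small Python audit that applies the defaults given in the reply above to each `<PartnerIdentityProvider>` entry and reports partners from which a completely unsigned message would be accepted. The sample configuration, the partner names and the `<SAMLConfiguration>` wrapper element are constructed for illustration, and `accepts` is only a model of the three checks as the reply describes them.

```python
import xml.etree.ElementTree as ET

# Defaults as stated in the reply above.
DEFAULTS = {"WantSAMLResponseSigned": False, "WantAssertionSigned": False,
            "WantAssertionOrResponseSigned": True}

# Constructed sample: partner names and the wrapper element are made up.
SAMPLE_CONFIG = """\
<SAMLConfiguration>
  <PartnerIdentityProvider Name="idp-default" />
  <PartnerIdentityProvider Name="idp-unsigned"
      WantAssertionOrResponseSigned="false" />
  <PartnerIdentityProvider Name="idp-response-only"
      WantSAMLResponseSigned="true" WantAssertionOrResponseSigned="false" />
</SAMLConfiguration>
"""

def effective_flags(elem):
    """Apply the documented defaults to attributes the config omits."""
    return {name: default if elem.get(name) is None
            else elem.get(name).strip().lower() == "true"
            for name, default in DEFAULTS.items()}

def accepts(flags, response_signed, assertion_signed):
    """Model of the three checks; 'signed' means signed and the signature verifies."""
    if flags["WantSAMLResponseSigned"] and not response_signed:
        return False
    if flags["WantAssertionSigned"] and not assertion_signed:
        return False
    if flags["WantAssertionOrResponseSigned"] and not (response_signed or assertion_signed):
        return False
    return True

def audit(config_xml):
    """Return [(partner name, effective flags, accepts_unsigned)] per partner IdP."""
    results = []
    for elem in ET.fromstring(config_xml).iter():
        # Match on the local name so a namespaced config file also works.
        if elem.tag.rsplit("}", 1)[-1] == "PartnerIdentityProvider":
            flags = effective_flags(elem)
            results.append((elem.get("Name"), flags, accepts(flags, False, False)))
    return results

def unverified_partners(config_xml):
    """Names of partners whose flags let an entirely unsigned message through."""
    return [name for name, _, unsigned_ok in audit(config_xml) if unsigned_ok]

if __name__ == "__main__":
    for name, flags, unsigned_ok in audit(SAMPLE_CONFIG):
        print(name, "ACCEPTS UNSIGNED" if unsigned_ok else "signature required", flags)
```

Run against a real saml.config by passing the file's text to `audit`; any name returned by `unverified_partners` is a partner whose messages are accepted without knowing who sent them.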