ComponentSpace Forums

The SAML response isn't signed
djacobus
New Member (8 reputation)
Group: Forum Members
Posts: 4, Visits: 12
Receiving the following error: "The SAML response isn't signed" although the flag is set, and cert is in place. Thoughts?
 
<PartnerIdentityProvider Name="websso.companyABC.com.saml2"
         SignAuthnRequest="false"
         WantSAMLResponseSigned="false"
         WantAssertionSigned="true"
         WantAssertionEncrypted="false"
         SingleSignOnServiceUrl="websso.companyABC.com.saml2"
         SingleLogoutServiceUrl="websso.companyABC.com.saml2"
         DisableAudienceRestrictionCheck="true"


ComponentSpace Development
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
The error "The SAML response isn't signed" occurs if WantSAMLResponseSigned="true" and the SAML response doesn't include an XML signature.
In your configuration you have WantSAMLResponseSigned="false" and WantAssertionSigned="true". This means that it's expected that the SAML assertion will be signed rather than the SAML response.
I would like to see the SAML response you are receiving.
Could you please enable SAML trace and send me the generated log file as an email attachment to [email protected]? Please mention this post.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Regards
ComponentSpace Development
djacobus
New Member (8 reputation)
Group: Forum Members
Posts: 4, Visits: 12
My fault when I pasted the original. That flag is set to true and fails; I copied the current setting, which is false, so the SSO works temporarily.
djacobus
New Member (8 reputation)
Group: Forum Members
Posts: 4, Visits: 12
This is the configuration that causes the error: "The SAML response isn't signed". 

<PartnerIdentityProvider Name="websso.companyABC.com.saml2"
   SignAuthnRequest="false"
   WantSAMLResponseSigned="true"
   WantAssertionSigned="true"
   WantAssertionEncrypted="false"
   SingleSignOnServiceUrl="websso.companyABC.com.saml2"
   SingleLogoutServiceUrl="websso.companyABC.com.saml2"
   CertificateFile="idp.cer"/>
We want to sign the response using the provided cert from the client while they use our cert to sign the assertion. If I set the WantSAMLResponseSigned="false" then it works. I had the client resend the cert which we renamed to idp.cer. I would expect this to work, however it's generating the error noted above. Any thoughts as to why it would not use the cer file? 
ComponentSpace Development
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K

Your configuration expects the SAML response from the partner identity provider to be signed. It will use the idp.cer certificate to verify the signature if present.
Please note that there's a difference between signing the SAML response and signing the SAML assertion. The SAML response includes the SAML assertion. Either the entire SAML response, which includes the SAML assertion, may be signed or just the SAML assertion may be signed.
If just the SAML assertion is signed then you need to set WantSAMLResponseSigned to false and WantAssertionSigned to true.
That means in your current configuration set WantSAMLResponseSigned to false and leave WantAssertionSigned set to true.



Regards
ComponentSpace Development
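The distinction drawn in the replies above (a signature on the Response element versus a signature on the Assertion it contains) can be checked directly on a captured message before touching any configuration. The following is an added example in Python, my own code and not ComponentSpace's implementation: it locates ds:Signature elements in a SAML message and reports which of the configured expectations would fail. The samples are constructed, the error strings are modelled on the wording quoted in this thread, and the assertion error text and the flag names as Python parameters are my assumptions.

```python
"""Locate XML signatures in a SAML message and compare them with the expected
signing configuration. Added example code; not the ComponentSpace library."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Labels used in the error strings, modelled on the wording seen in this thread.
MESSAGE_LABELS = {"Response": "SAML response", "LogoutResponse": "logout response"}


def _has_direct_signature(elem) -> bool:
    # Only a ds:Signature that is a direct child of the element counts as that
    # element's enveloped signature; a signature nested anywhere else does not.
    return elem.find("ds:Signature", NS) is not None


def signature_locations(xml_text: str) -> dict:
    """Report which parts of the message carry a signature."""
    root = ET.fromstring(xml_text)
    message = root.tag.split("}")[-1]  # local name without the namespace
    report = {
        "message": message,
        "message_signed": _has_direct_signature(root),
        "assertion_signed": None,  # None: the message carries no plain assertion
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        report["assertion_signed"] = _has_direct_signature(assertion)
    return report


def check_expectations(xml_text: str, want_response_signed: bool,
                       want_assertion_signed: bool) -> list:
    """Mirror WantSAMLResponseSigned / WantAssertionSigned: return the errors
    that a service provider with those expectations would raise."""
    loc = signature_locations(xml_text)
    errors = []
    if want_response_signed and not loc["message_signed"]:
        label = MESSAGE_LABELS.get(loc["message"], loc["message"])
        errors.append(f"The {label} isn't signed")
    if want_assertion_signed and loc["message"] == "Response" and not loc["assertion_signed"]:
        errors.append("The SAML assertion isn't signed")  # wording assumed
    return errors


# Constructed sample: the assertion is signed, the enclosing Response is not.
# This is the shape the original poster describes (signature content abbreviated).
RESPONSE_ASSERTION_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>websso.companyABC.com.saml2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>websso.companyABC.com.saml2</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/><ds:SignatureValue>...</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: a logout response with no signature at all.
LOGOUT_RESPONSE_UNSIGNED = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_l1" Version="2.0">
  <saml:Issuer>websso.companyABC.com.saml2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""

if __name__ == "__main__":
    for flags in ((True, True), (False, True)):
        print("WantSAMLResponseSigned=%s WantAssertionSigned=%s ->" % flags,
              check_expectations(RESPONSE_ASSERTION_SIGNED, *flags) or "ok")
    print("logout ->", check_expectations(LOGOUT_RESPONSE_UNSIGNED, True, False))
```

Running this on the sample reproduces the thread: with both flags true the response check fails, with WantSAMLResponseSigned false and WantAssertionSigned true it passes. The script only locates signatures; verifying them against the partner certificate is a separate step, and the direct-child rule matters because a signature found anywhere other than on the element being relied upon must not be taken as covering it.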
Prashant
New Member (11 reputation)
Group: Forum Members
Posts: 8, Visits: 18
Hi Team,

I'm trying to use OneLogin with ComponentSpace, but I'm encountering an error on the "AssertionConsumerService" page. For your information, I've pasted the SAML configuration below. Please tell me how to download the certificate if this is a certificate error so I can prevent it. I am using the sample code downloaded from your site "https://www.componentspace.com/saml-for-asp-net".

<PartnerIdentityProvider
  Name="xyx"
  Description="OneLogin"
  SingleSignOnServiceUrl="xyz"
  SingleLogoutServiceUrl="xyz">
  <PartnerCertificates>
    <Certificate FileName="Certificates\onelogin.cer" />
  </PartnerCertificates>
</PartnerIdentityProvider>

</PartnerIdentityProviders>
[SAMLSignatureException: The SAML assertion signature failed to verify.]

ComponentSpace Development
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
The OneLogin certificate is included in the SAML metadata that may be downloaded through the OneLogin admin console. The SAML metadata includes the certificate as a base-64 encoded string.

Alternatively, please enable SAML trace and send the generated log file as an email attachment to [email protected].

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

We can confirm that the issue is the wrong certificate and retrieve the certificate embedded in the signature. 

Regards
ComponentSpace Development
Prashant
New Member (11 reputation)
Group: Forum Members
Posts: 8, Visits: 18
ComponentSpace - 10/11/2023
The OneLogin certificate is included in the SAML metadata that may be downloaded through the OneLogin admin console. The SAML metadata includes the certificate as a base-64 encoded string.

Alternatively, please enable SAML trace and send the generated log file as an email attachment to [email protected].

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

We can confirm that the issue is the wrong certificate and retrieve the certificate embedded in the signature. 

When I download the certificate from OneLogin, I get a .pem extension. How do I embed the .pem in this code?

Thanks!
ComponentSpace Development
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
Typically .PEM files are the same as .CER files.

Can you open the .PEM file in a text editor? Does it contain a base-64 encoded string?

If so, use the .PEM the same as you would a .CER. In your SAML configuration, replace <Certificate FileName="Certificates\onelogin.cer" /> with a reference to the .PEM file.

Regards
ComponentSpace Development
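The two replies above reduce to one question: does the certificate file the service provider points at (.cer, .pem or .der, the file encoding being the only difference) actually match the signing certificate the identity provider publishes in its SAML metadata and usually also embeds in the signature's KeyInfo? The following is an added example in Python, my own code and not ComponentSpace's: it normalises a certificate file of either encoding to DER and compares its SHA-256 fingerprint with every ds:X509Certificate found in a SAML document. The DER bytes and the metadata fragment are constructed placeholders, not a real certificate, and the entityID is invented.

```python
"""Normalise a partner certificate file (.cer/.pem/.der) and check it against
the certificate carried in SAML metadata or a signature's KeyInfo.
Added example code; not part of the ComponentSpace library."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
X509_TAG = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"


def load_certificate_der(data: bytes) -> bytes:
    """Accept PEM (base-64 between BEGIN/END markers), bare base-64 text, or binary DER."""
    match = PEM_BLOCK.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    try:
        der = base64.b64decode(b"".join(data.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not base-64, treat as binary DER
        der = data
    if der[:1] != b"\x30":  # every X.509 certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("file does not look like an X.509 certificate")
    return der


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in the textual PEM form (the layout of a .pem or text .cer)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode("ascii")


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most admin consoles display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificates_in_xml(xml_text: str) -> list:
    """Every ds:X509Certificate in the document (metadata KeyDescriptor or signature KeyInfo)."""
    root = ET.fromstring(xml_text)
    return [base64.b64decode("".join(e.text.split())) for e in root.iter(X509_TAG) if e.text]


def certificate_matches(file_bytes: bytes, xml_text: str) -> bool:
    """True if the configured file is one of the certificates the XML carries."""
    wanted = fingerprint(load_certificate_der(file_bytes))
    return any(fingerprint(c) == wanted for c in certificates_in_xml(xml_text))


# Constructed placeholders: minimal DER SEQUENCEs standing in for real certificates.
PLACEHOLDER_DER = b"\x30\x03\x02\x01\x01"
OTHER_DER = b"\x30\x03\x02\x01\x02"
PLACEHOLDER_PEM = to_pem(PLACEHOLDER_DER)


def metadata_with(der: bytes) -> str:
    """Constructed IdP metadata fragment carrying the given certificate."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(der).decode("ascii")}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    print("file fingerprint:", fingerprint(load_certificate_der(PLACEHOLDER_PEM)))
    print("matches metadata:", certificate_matches(PLACEHOLDER_PEM, metadata_with(PLACEHOLDER_DER)))
    print("matches other:   ", certificate_matches(PLACEHOLDER_PEM, metadata_with(OTHER_DER)))
```

On a real deployment, point load_certificate_der at the file named in the Certificate element and certificates_in_xml at the downloaded metadata (or at the SAML trace of the failing response); a mismatch is exactly the "wrong certificate" case the reply describes, and the same fingerprint comparison is how you confirm a renamed .pem or .cer is the file you think it is.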
Prashant
New Member (11 reputation)
Group: Forum Members
Posts: 8, Visits: 18
ComponentSpace - 10/11/2023
Typically .PEM files are the same as .CER files.

Can you open the .PEM file in a text editor? Does it contain a base-64 encoded string?

If so, use the .PEM the same as you would a .CER. In your SAML configuration, replace <Certificate FileName="Certificates\onelogin.cer" /> with a reference to the .PEM file.

Thanks, the certificate is imported, but now I am getting the error below.

While logging out from the application I am getting the error below. I am also including my SAML.Config; please let me know what changes need to be made for this issue.

"The logout response isn't signed."


<ServiceProvider
  Name="https://localhost:44338"
  Description="Example Service Provider"
  AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx">
  <LocalCertificates>
    <Certificate FileName="Certificates\sp.pfx" Password="password"/>
  </LocalCertificates>
</ServiceProvider>

<!-- OneLogin -->
<PartnerIdentityProvider
  Name="XYZ"
  Description="OneLogin"
  SignAuthnRequest="false"
  WantSAMLResponseSigned="false"
  WantAssertionSigned="true"
  WantAssertionEncrypted="false"
  SingleSignOnServiceUrl="XYZ"
  SingleLogoutServiceUrl="XYZ"
  SignLogoutRequest="true"
  SignLogoutResponse="true">
  <PartnerCertificates>
    <Certificate FileName="Certificates\ProchantOnelogin.der" />
  </PartnerCertificates>
</PartnerIdentityProvider>

