"Failed to verify signature on HTTP redirect message" on ReceiveLogoutMessageByHTTPRedirect

kuroczyd
I am trying to understand why I get the error "Failed to verify signature on HTTP redirect message" when a user tries to log out from an SSO session.
It is not the first time I am using ComponentSpace SAML2: we have a dozen customers using the component and the login works well for them.
I suppose that there is something in the customer settings, certificate...
Can you advise what to look at and check?
Thanks a lot


Stack Trace:
[SAMLSignatureException: Failed to verify signature on HTTP redirect message.]
   ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.CheckSignature(String redirectURL, String encodedSignature, String messageQueryName, AsymmetricAlgorithm key, String signatureAlgorithm) +459
   ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.VerifyResponseSignature(HttpRequestBase httpRequest, String signatureAlgorithm, String signature, AsymmetricAlgorithm key) +95
   ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.ReceiveMessage(HttpRequestBase httpRequest, XmlElement& samlMessage, String& relayState, Boolean& isRequest, Boolean& signed, AsymmetricAlgorithm key) +259
   ComponentSpace.SAML2.Profiles.SingleLogout.SingleLogoutService.ReceiveLogoutMessageByHTTPRedirect(HttpRequestBase httpRequest, XmlElement& logoutMessage, String& relayState, Boolean& isRequest, Boolean& signed, AsymmetricAlgorithm key) +73
...



ComponentSpace
The most likely cause is a configuration mismatch between the private key used by the partner to sign the message and the certificate you use to verify the signature.

Please double check with the partner that you're using the correct certificate. If this was previously working, it's possible they rolled over to a new certificate and didn't mention this to you.

Regards
ComponentSpace Development
kuroczyd
ComponentSpace - 2/15/2022
The most likely cause is a configuration mismatch between the private key used by the partner to sign the message and the certificate you use to verify the signature.

Please double check with the partner that you're using the correct certificate. If this was previously working, it's possible they rolled over to a new certificate and didn't mention this to you.

Does it seem to be that for you if we use the same certificate for the login and it works?
ComponentSpace
Ok, that blows that theory.

Please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Please include both the successful SSO and failing SLO in the log.

Regards
ComponentSpace Development
kuroczyd
ComponentSpace - 2/16/2022
Ok, that blows that theory.

Please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Please include both the successful SSO and failing SLO in the log.

Here they are
Attachments
LOGIN-2022-02-16.log (2 views, 83.00 KB)
LOGOUT-2022-02-16.log (2 views, 25.00 KB)
ComponentSpace
Thanks for the logs.

The login log shows the SAML assertion is being decrypted but the SAML assertion signature isn't being verified. Please ensure the signature is verified successfully before trusting the SAML assertion.

I grabbed the certificate embedded in the SAML assertion and was able to verify the signature of the SAML logout response using this certificate.

The correct certificate to use for verifying the SAML assertion signature and the SAML logout response signature is the ADFS signing certificate with the serial number "3eb06e5d94affd9b42b243d43ef5d82d".

Regards
ComponentSpace Development
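
Added example (not part of the thread and not ComponentSpace code): a stand-alone C# program showing how an HTTP-Redirect signature is checked against a candidate certificate, and why it fails when the configured certificate is not the one whose private key signed the message. The two certificates, the keys and the query string are constructed inside the example, and it uses only .NET's own crypto classes rather than the ComponentSpace API.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class RedirectSignatureCheck
{
    const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Raw "name=value" pair from the query string, still URL-encoded as received.
    static string Pair(string query, string name) => query.TrimStart('?').Split('&')
        .FirstOrDefault(p => p.StartsWith(name + "=", StringComparison.Ordinal));

    // Signature covers SAMLRequest|SAMLResponse, RelayState (if present), SigAlg, in that order.
    static bool Verify(string query, X509Certificate2 cert)
    {
        string msg = Pair(query, "SAMLRequest") ?? Pair(query, "SAMLResponse");
        string relay = Pair(query, "RelayState");
        string sigAlg = Pair(query, "SigAlg"), sig = Pair(query, "Signature");
        if (msg == null || sigAlg == null || sig == null) return false;
        if (Uri.UnescapeDataString(sigAlg.Substring(7)) != RsaSha256) return false;
        string signed = msg + (relay != null ? "&" + relay : "") + "&" + sigAlg;
        byte[] value = Convert.FromBase64String(Uri.UnescapeDataString(sig.Substring(10)));
        using (RSA key = cert.GetRSAPublicKey())
            return key != null && key.VerifyData(Encoding.UTF8.GetBytes(signed), value,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static X509Certificate2 SelfSigned(string cn, RSA key) =>
        new CertificateRequest("CN=" + cn, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));

    static void Main()
    {
        // Constructed stand-ins: the locally configured certificate and the partner's current one.
        using (RSA oldKey = RSA.Create(2048))
        using (RSA newKey = RSA.Create(2048))
        {
            var certs = new[] { SelfSigned("configured-old", oldKey), SelfSigned("partner-current", newKey) };
            // Constructed logout response query; the message value is a placeholder.
            string signed = "SAMLResponse=" + Uri.EscapeDataString("Y29uc3RydWN0ZWQ=")
                + "&RelayState=constructed&SigAlg=" + Uri.EscapeDataString(RsaSha256);
            byte[] sig = newKey.SignData(Encoding.UTF8.GetBytes(signed),
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            string query = signed + "&Signature=" + Uri.EscapeDataString(Convert.ToBase64String(sig));
            foreach (X509Certificate2 c in certs)
                Console.WriteLine($"{c.Subject} serial={c.SerialNumber} verifies={Verify(query, c)}");
        }
    }
}
```

Comparing the `SerialNumber` or `Thumbprint` of the configured certificate with the one the partner currently publishes is a quick first check before tracing the signature itself.
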
ComponentSpace
The most common reason is that you have the wrong certificate configured.

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to [email protected]

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace


Regards
ComponentSpace Development