ComponentSpace

SSO assertion error: The SAML response failed to verify and the assertion isn't signed.


Mike Oliver
Hi - 

When a customer is trying to login via SSO to our app, the following error is being generated:

"The SAML response failed to verify and the assertion isn't signed."

**** ComponentSpace.Saml2.Exceptions.SamlSignatureException ****
at ComponentSpace.Saml2.SamlServiceProvider.VerifySamlAssertionSignatureAsync(AssertionListItem assertionListItem)
at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()
at Tdx.Itpa.Web.Controllers.SamlController.AssertionConsumerService() in C:\a\11\s\ITPA\TdxItpaWeb\Areas\General\Controllers\SamlController.cs:line 153

Questions:

- Does this mean what it seems to: the response from the customer includes an assertion that isn't signed?
- What is the ComponentSpace configuration that indicates whether or not our app expects the assertion to be signed?
- We have implemented SSO via ComponentSpace in the standard way - as such, would that mean that WantAssertionsSigned SP configuration should be true? Relatedly, should SP configuration of AuthnRequestsSigned be false?

Thank you,

Mike Oliver
TeamDynamix, Inc.



ComponentSpace
Hi Mike,

By default we attempt to verify either the SAML response signature or the SAML assertion signature.

The message indicates that the SAML response is signed, but the signature couldn't be verified, and the SAML assertion isn't signed.

Signature checking is controlled by the following flags that are part of the PartnerIdentityProviderConfiguration:

WantAssertionOrResponseSigned - either the SAML assertion or response must be signed (defaults to true)

WantSamlResponseSigned - the SAML response must be signed (defaults to false)

WantAssertionSigned - the SAML assertion must be signed (defaults to false)

For most scenarios, using the default configuration of WantAssertionOrResponseSigned is recommended.

For more information regarding this configuration, please refer to the Configuration Guide.

Signing the SAML authn request is unrelated to whether the SAML assertion or response is signed.

The most likely issue is that the wrong certificate is configured for the signature verification.

Please enable SAML trace and send the generated log file as an email attachment to [email protected].




Regards
ComponentSpace Development
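
An added example, not ComponentSpace code: a Python check over a captured SAML response that reports which elements carry a signature and whether the certificate embedded in that signature is the one configured for the partner, which is the mismatch the reply above names as the most likely cause. The function names, the SHA-256 thumbprint comparison and the sample response are assumptions constructed for illustration; the check does not verify the signature itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def embedded_thumbprint(element):
    """SHA-256 of the certificate carried in the element's own ds:Signature, if any."""
    node = element.find(CERT_PATH, NS)
    if node is None or not node.text:
        return None
    der = base64.b64decode("".join(node.text.split()))
    return hashlib.sha256(der).hexdigest()

def triage(response_xml, configured_thumbprint):
    """Report which elements are signed and whether the signer's embedded
    certificate is the configured partner certificate (hypothetical helper)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    report = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
                            and assertion.find("ds:Signature", NS) is not None,
    }
    signer = embedded_thumbprint(root) or (
        embedded_thumbprint(assertion) if assertion is not None else None)
    # The embedded certificate is only a diagnostic hint; trust stays with
    # the certificate configured for the partner, never with KeyInfo.
    report["embedded_cert_matches_config"] = (
        None if signer is None else signer == configured_thumbprint.lower())
    return report

# Constructed sample: signed Response, unsigned Assertion, placeholder "certificate" bytes.
SAMPLE_CERT = base64.b64encode(b"constructed-idp-cert-A").decode()
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion><saml:Subject/></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    stale = hashlib.sha256(b"constructed-idp-cert-B").hexdigest()
    print(triage(SAMPLE, stale))
```

A signed response, an unsigned assertion and a thumbprint mismatch together match the error text in this thread; if the thumbprints match, the SAML trace is the next place to look.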
Mike Oliver
ComponentSpace - 9/12/2022

Understood. Thank you for the very helpful clarifications! We are in the process of investigating the certificate being used by the customer.
ComponentSpace
You're welcome.

Regards
ComponentSpace Development