By DannyStaten - 1/15/2015
So long as my SAML.config information for PartnerIdentityProvider indicates that I don't want the response to be signed, I have been able to get up and running with my organization's identity provider just fine. Using SSOTracer in Firefox, I can see that the response does indeed have a certificate, and I have verified that the certificate contents match the contents that I have in the root of my MVC application (idp.cer). From everything I can see, I should have a matching certificate to the one coming from my identity provider, but ReceiveSSO fails if I set the config to require a signed response.
Here is the SAML that I am receiving from the identity provider (sanitized to remove any sensitive data):
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="s219873d3091bb908ee2178472917286104d932e27"
                InResponseTo="_371fa8d0-ce88-494e-b0ee-e25318b61c38"
                Version="2.0"
                IssueInstant="2015-01-15T22:28:12Z"
                Destination="http://localhost:8000/Auth/Receive">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">--removed--</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="s29947f21667d2aac359ee7e8ab2a3173299ce175f"
                  IssueInstant="2015-01-15T22:28:12Z"
                  Version="2.0">
    <saml:Issuer>gotTheNameRight</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#s29947f21667d2aac359ee7e8ab2a3173299ce175f">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>zgATTUCLT1EHftyOUZwzZhEZw3k=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>--Removed--</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            Removed, but I actually directly copied the real value and pasted it into the idp.cer file in between the begin and end comment dealios in that actual file.
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="gotTheNameRight">3445376629984011</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_371fa8d0-ce88-494e-b0ee-e25318b61c38" NotOnOrAfter="2015-01-15T22:38:12Z" Recipient="http://localhost:8000/Auth/Receive" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-01-15T22:18:12Z" NotOnOrAfter="2015-01-15T22:38:12Z">
      <saml:AudienceRestriction>
        <saml:Audience>teacherapp-localdev</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2015-01-15T22:27:17Z" SessionIndex="s22f1b0a2660c5d0cf571740a4b5fe50f232857c04">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="policy-givenname">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Daniel</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="policy-sn">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Staten</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="policy-workforceid">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">--removed--</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="policy-cn">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">dannystaten</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="policy-ldsaccountid">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">--removed--</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
Here is the SAML config for our identity provider:
<PartnerIdentityProvider Name="gotTheNameRight"
                         SignAuthnRequest="false"
                         WantSAMLResponseSigned="true"
                         WantAssertionSigned="false"
                         WantAssertionEncrypted="false"
                         SingleSignOnServiceUrl="https://urldoeswork"
                         SingleLogoutServiceUrl="https://differenturl"
                         PartnerCertificateFile="idp.cer"/>
As I said, the SAML sign-on experience works flawlessly until I tell my receiving code to require the signature on the response. From everything I can see, the signature is in the response, and I am configured correctly to accept the signature that has been returned. Is there something about the signature value that I need to match in my configuration?
|
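Added example, not code from the original post or from the SAML library it uses. The point it checks is visible in the XML above: the ds:Signature is a child of saml:Assertion and its ds:Reference URI is the Assertion's ID (#s29947f21667d2aac359ee7e8ab2a3173299ce175f), while samlp:Response carries no ds:Signature of its own. That is a signed assertion inside an unsigned response, which is the reverse of what WantSAMLResponseSigned="true" together with WantAssertionSigned="false" asks the receiver to require, and a correctly matching certificate cannot make a Response-level signature appear where none was sent. The script locates every ds:Signature in a response, reports which element each one actually covers (the element it sits under and whose ID its single Reference resolves to, the only placement the SAML profile allows), and compares the embedded ds:X509Certificate with a PEM idp.cer. It inspects structure only; it does not verify the signature value, which would need the real SignatureValue and an exclusive-c14n implementation. The sample response and certificate are constructed from the sanitized XML in the post, with the same IDs but placeholder base64 values.

```python
# Added example (not the post's or the SAML library's code): report which element
# of a SAML 2.0 Response actually carries a signature, and compare the embedded
# certificate with a configured idp.cer.  Stdlib only, so it runs offline.
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed from the sanitized response in the post: same IDs and Reference URI,
# other content trimmed; the certificate and SignatureValue are base64 placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="s219873d3091bb908ee2178472917286104d932e27" Version="2.0"
  IssueInstant="2015-01-15T22:28:12Z" Destination="http://localhost:8000/Auth/Receive">
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   ID="s29947f21667d2aac359ee7e8ab2a3173299ce175f" Version="2.0" IssueInstant="2015-01-15T22:28:12Z">
  <saml:Issuer>gotTheNameRight</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#s29947f21667d2aac359ee7e8ab2a3173299ce175f">
     <ds:DigestValue>zgATTUCLT1EHftyOUZwzZhEZw3k=</ds:DigestValue>
    </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue>
   <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
     UExBQ0VIT0xERVItQ0VSVA==
   </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
 </saml:Assertion>
</samlp:Response>"""

# Constructed idp.cer whose PEM body is the same placeholder as the XML above.
SAMPLE_IDP_CER = "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVItQ0VSVA==\n-----END CERTIFICATE-----\n"


def signature_report(xml_text):
    """One entry per ds:Signature: the element it sits under, what its Reference
    points at, and whether those are the same element."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    by_id, duplicate_ids = {}, set()
    for el in root.iter():
        if el.get("ID") in by_id:
            duplicate_ids.add(el.get("ID"))      # two elements claiming one ID
        elif el.get("ID") is not None:
            by_id[el.get("ID")] = el
    report = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        parent = parent_of[sig]
        uris = [r.get("URI", "") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        # A SAML signature has exactly one Reference, URI="#<ID of its parent>".
        # Anything else does not sign the element the Signature sits in.
        covers_parent = (len(uris) == 1 and uris[0].startswith("#")
                         and uris[0][1:] not in duplicate_ids
                         and by_id.get(uris[0][1:]) is parent)
        report.append({"signed_element": parent.tag.split("}")[-1],
                       "reference_uris": uris, "covers_parent": covers_parent,
                       "signature_method": None if method is None else method.get("Algorithm")})
    return report


def signed_elements(xml_text):
    """What is actually signed.  A signature counts only for the element it sits
    under AND references; a Reference pointing elsewhere is reported as a warning,
    because that is the shape an XML signature wrapping attack takes."""
    summary = {"response_signed": False, "assertion_signed": False, "warnings": []}
    for entry in signature_report(xml_text):
        if not entry["covers_parent"]:
            summary["warnings"].append("Signature under %s references %s, not its parent"
                                       % (entry["signed_element"], entry["reference_uris"]))
        elif entry["signed_element"] in ("Response", "Assertion"):
            summary[entry["signed_element"].lower() + "_signed"] = True
    return summary


def pem_body(pem_text):
    """Base64 body of a PEM certificate, BEGIN/END lines and whitespace removed."""
    return re.sub(r"\s+", "", "".join(l for l in pem_text.splitlines() if not l.startswith("-----")))


def cert_matches(xml_text, pem_text):
    """True when the IdP's embedded ds:X509Certificate equals the configured idp.cer."""
    node = ET.fromstring(xml_text).find(".//ds:X509Certificate", NS)
    return node is not None and re.sub(r"\s+", "", node.text or "") == pem_body(pem_text)


def move_signature_under_response(xml_text):
    """Constructed negative case: the same Signature, still referencing the
    Assertion's ID, relocated to be a direct child of the Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    sig = assertion.find("ds:Signature", NS)
    assertion.remove(sig)
    root.append(sig)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(signed_elements(SAMPLE_RESPONSE))
    print("idp.cer matches:", cert_matches(SAMPLE_RESPONSE, SAMPLE_IDP_CER))
    print(signed_elements(move_signature_under_response(SAMPLE_RESPONSE)))
```

Run on the sample, the summary comes back with response_signed False and assertion_signed True and no warnings, which is exactly the mismatch with the posted configuration. The third call shows the case a receiver must never accept as a Response signature: the same Signature moved directly under samlp:Response while its Reference still points at the Assertion ID; the report flags it as a warning instead of marking either element signed. The certificate comparison assumes a PEM idp.cer (Base64 between BEGIN/END lines, as described in the post); a DER-encoded .cer would have to be converted to PEM first.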
By DannyStaten - 1/16/2015
Thanks so much! That did it.
|