ComponentSpace

Forums



The SAML response signature failed to verify


The SAML response signature failed to verify

Author
Message
fabio
fabio
New Member
New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)

Group: Forum Members
Posts: 15, Visits: 72
Hello,

a customer idp partner of our is changing his own configuration he used to have to connect to our SP.
He said that he changed from 

A signed SAML Response with an unsigned Assertion/SAMLResponse with Signed Message

to

SAML Response with SignedMessage & Assertion

This generates this error



The problem was fixed on his side reverting this change.
Could you please provide me further information to better understand this scenario?

Thank you
Fabio


ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)

Group: Administrators
Posts: 2.8K, Visits: 8.5K
Hi Fabio,

Either scenario should work.

For the error scenario, please enable SAML trace and send the generated log file as an email attachment mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

If possible, it would be good to capture both scenarios in the log for comparison.

Regards
ComponentSpace Development
fabio
fabio
New Member
New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)New Member (20 reputation)

Group: Forum Members
Posts: 15, Visits: 72
ComponentSpace - 8/30/2021
Hi Fabio,

Either scenario should work.

For the error scenario, please enable SAML trace and send the generated log file as an email attachment mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

If possible, it would be good to capture both scenarios in the log for comparison.

Thank you, email sent!

Fabio
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)

Group: Administrators
Posts: 2.8K, Visits: 8.5K
Thanks for the log.

This is a known issue in the .NET framework’s System.Security.Cryptography.Xml.SignedXml class. It’s been reported to Microsoft but there isn’t a fix yet.

https://github.com/dotnet/corefx/issues/41668

The issue is related to “
” carriage return entity references that are included by some Java implementations.

The best option is to ignore the SAML message signature and only verify the SAML assertion signature. This doesn’t present any security issues.

You could ask the identity provider to sign the SAML assertion only.

Alternatively, change the PartnerIdentityProviderConfiguration to:

"WantAssertionOrResponseSigned": false,
"WantAssertionSigned": true,


Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 5 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....









Forums, Documentation & Knowledge Base - ComponentSpace


Search