Forums, Documentation & Knowledge Base - ComponentSpace

How to Sign AuthnRequest

https://www.componentspace.com/Forums/Topic11657.aspx

By fabio - 7/20/2021

Hello,
Working with a client of ours that has WSO2 as IdP: he configured our SP in his system to enable signature validation for authentication requests, as in the image below:


So I added AuthnRequestsSigned="true" to our SP metadata and a certificate for signing:
<?xml version="1.0"?>
<md:EntityDescriptor entityID="https://localhost:44348/" ID="_5a395540-574d-4515-904e-a148bb7dbf95" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor ID="_ea106eb2-1694-45f4-b751-b37c0e1efd30" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">
  <md:KeyDescriptor use="signing">
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data>
    <X509Certificate>MIIFMjCCBBqgAwIBAgIQAQofDmj5p55qxJA20yQto...</X509Certificate>
   </X509Data>
  </KeyInfo>
  </md:KeyDescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:44348/SAML/AssertionConsumerService.aspx" index="0" isDefault="true" />
</md:SPSSODescriptor>
</md:EntityDescriptor>


But when I try to connect to the WSO2 IdP, I get the following error:
Signature validation for Authentication Request failed for the request of Issuer :https://issuerName in tenantDomain:carbon.super

The following is an example AuthnRequest that is sent in the described scenario:

<samlp:AuthnRequest ID="_0bef3e4d-4985-40d6-8bec-43e26790be2f"
       Version="2.0"
       IssueInstant="2021-07-21T10:05:08.796Z"
       Destination="https://localhost:9443/samlsso"
       ForceAuthn="false"
       IsPassive="false"
       ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       AssertionConsumerServiceURL="https://localhost:44348/SAML/AssertionConsumerService.aspx"
       xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:44348/</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
       AllowCreate="true"/>
</samlp:AuthnRequest>


It seems to me that the signature is missing from the request.

Where am I wrong?

Thank you,
Fabio

By ComponentSpace - 7/21/2021

Hi Fabio,

Make sure you've specified SignAuthnRequest="true" in your saml.config.


<PartnerIdentityProvider
  Name="https://ExampleIdentityProvider"
  SignAuthnRequest="true" />

If the SAML authn request is being sent using the default HTTP-Redirect binding, the authn request won't include an XML signature. Instead, an HTTP-Redirect binding specific signature is used which is included as an additional query string parameter.

I suggest confirming that you've specified that authn requests should be signed and that the IdP has the correct certificate to verify these signatures.

The private key associated with your local certificate (e.g. your SP.PFX file) is used to sign the authn request. The IdP should be configured with the corresponding certificate (e.g. your SP.CER).
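To make the point in the reply above concrete (that with HTTP-Redirect the AuthnRequest XML carries no XML signature and the IdP instead verifies a Signature query parameter), here is an added example, written for this thread and not taken from ComponentSpace or WSO2 code. It builds the signed redirect query string the SP side produces and the check the IdP side performs; the function and constant names are my own, and the deflate/base64/RSA-SHA256 details follow the SAML 2.0 HTTP-Redirect binding.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"strings"
)

const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Redirect-binding encoding of the request: raw DEFLATE (no zlib header), then base64.
func deflateBase64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // errs only on a bad level
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// SP side: the query string appended to the IdP's SSO URL. The XML itself carries no
// <ds:Signature>; the signature covers SAMLRequest[&RelayState]&SigAlg, in that order.
func SignRedirect(xml, relayState string, key *rsa.PrivateKey) (string, error) {
	toSign := "SAMLRequest=" + url.QueryEscape(deflateBase64(xml))
	if relayState != "" {
		toSign += "&RelayState=" + url.QueryEscape(relayState)
	}
	toSign += "&SigAlg=" + url.QueryEscape(rsaSHA256)
	h := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// IdP side: verify the raw query exactly as received (re-encoding it is a classic cause
// of "signature validation failed") and pin SigAlg before trusting the signature.
func VerifyRedirect(rawQuery string, pub *rsa.PublicKey) bool {
	i := strings.LastIndex(rawQuery, "&Signature=")
	p, err := url.ParseQuery(rawQuery)
	if i < 0 || err != nil || p.Get("SigAlg") != rsaSHA256 {
		return false // unsigned, malformed, or unexpected algorithm
	}
	sig, _ := base64.StdEncoding.DecodeString(p.Get("Signature")) // bad base64 simply fails below
	h := sha256.Sum256([]byte(rawQuery[:i]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```

The verifying side must use the SP's certificate (the public half of the SP.PFX used to sign), and an AuthnRequest arriving without the Signature parameter from an SP whose metadata says AuthnRequestsSigned="true" is correctly rejected.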