ComponentSpace Forums
SP Initiated Response Signed

NiallALynch
New Member (2 reputation)

Group: Forum Members
Posts: 1, Visits: 3
Hello, we develop an ASP.NET application and we use SAML as our SSO method for our clients who wish to use SSO. One of our clients now wants us to have all of our SP Initiated Responses signed, but we have never done this for a customer before. Any help here would be greatly appreciated.
Redacted version of the client SAML.config file below:

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
    <ServiceProvider Name="WoltersKluwer:OneSumXGRC:customer:Staging"
                     AssertionConsumerServiceUrl="https://applicationURL/wkcs/AppA/SAML/SSOLogin.aspx"
                     SingleLogoutServiceUrl="https://applicationURL/customer/AppA/SAML/SSOLogout.aspx"
                     LocalCertificateThumbprint="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                     WantSAMLResponseSigned="true"
                     WantAssertionSigned="true" />
    <!-- ADFS -->
    <PartnerIdentityProviders>
        <PartnerIdentityProvider Name="https://abc-defg.hj.client.net"
                                 WantAssertionSigned="true"
                                 WantSAMLResponseSigned="true"
                                 PartnerCertificateThumbprint="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                                 SingleSignOnServiceUrl="https://abc-defg.hj.client.net/idp/SSO.saml2"
                                 SingleLogoutServiceUrl="https://abc-defg.hj.client.net/idp/startSLO.ping"
                                 SignLogoutRequest="true" />
    </PartnerIdentityProviders>
</SAMLConfiguration>

The error that we see in our logs is:
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
  <samlp:StatusMessage>Signature required</samlp:StatusMessage>
</samlp:Status>

Thanks in advance.


ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Do you mean that the SAML authn request that's sent to the IdP as part of SP-initiated SSO should be signed?

Assuming so, include SignAuthnRequest="true" in your <PartnerIdentityProvider> configuration. This will cause the authn request to be signed using the <ServiceProvider> local certificate.


<PartnerIdentityProvider
    SignAuthnRequest="true"
Regards
ComponentSpace Development