ComponentSpace

How to Sign Authnrequest


fabio
Hello,
We are working with a client of ours who has WSO2 as IdP; he configured our SP in his system to enable signature validation on authentication requests, as in the image below:


So I added AuthnRequestsSigned="true" to our SP metadata, along with a certificate for signing:
<?xml version="1.0"?>
<md:EntityDescriptor entityID="https://localhost:44348/" ID="_5a395540-574d-4515-904e-a148bb7dbf95" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor ID="_ea106eb2-1694-45f4-b751-b37c0e1efd30" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIFMjCCBBqgAwIBAgIQAQofDmj5p55qxJA20yQto...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:44348/SAML/AssertionConsumerService.aspx" index="0" isDefault="true" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>


But when I try to connect to the WSO2 IdP, I get the following error:
Signature validation for Authentication Request failed for the request of Issuer :https://issuerName in tenantDomain:carbon.super

The following is an example AuthnRequest that is sent in the described scenario:

<samlp:AuthnRequest ID="_0bef3e4d-4985-40d6-8bec-43e26790be2f"
       Version="2.0"
       IssueInstant="2021-07-21T10:05:08.796Z"
       Destination="https://localhost:9443/samlsso"
       ForceAuthn="false"
       IsPassive="false"
       ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       AssertionConsumerServiceURL="https://localhost:44348/SAML/AssertionConsumerService.aspx"
       xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:44348/</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
       AllowCreate="true"/>
</samlp:AuthnRequest>


It seems to me that the signature is missing from the request.

Where am I wrong?

Thank you,
Fabio
ComponentSpace Development
Hi Fabio,

Make sure you've specified SignAuthnRequest="true" in your saml.config.


<PartnerIdentityProvider
  Name="https://ExampleIdentityProvider"
  SignAuthnRequest="true"



If the SAML authn request is being sent using the default HTTP-Redirect binding, the authn request won't include an XML signature. Instead, an HTTP-Redirect-binding-specific signature is used, which is included as an additional query string parameter.

I suggest confirming that you've specified that authn requests should be signed and that the IdP has the correct certificate to verify these signatures.

The private key associated with your local certificate (e.g. your SP.PFX file) is used to sign the authn request. The IdP should be configured with the corresponding certificate (e.g. your SP.CER).




Regards
ComponentSpace Development
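The HTTP-Redirect binding signature described in the reply above, as an added example that is not part of the original thread and is not ComponentSpace's or WSO2's code: a stand-alone Go program (standard library only) that plays both sides of the exchange. The SP side DEFLATEs and base64-encodes the AuthnRequest, signs the `SAMLRequest=...&RelayState=...&SigAlg=...` query string with its private key and appends the result as the `Signature` parameter; the IdP side rebuilds that string from the raw query, verifies it with the SP public key and only then inflates the XML, rejecting a request that carries no `Signature` (the symptom in the post), a tampered `RelayState`, or a signature made with a different key. Assumptions: an RSA key generated at run time stands in for SP.PFX/SP.CER, RSA-SHA256 is the signature algorithm, and the sample request is a constructed abbreviation of the one posted above.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// SigAlg URI for RSA-SHA256; it travels in the SigAlg query parameter and is covered by the signature.
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed sample, abbreviated from the AuthnRequest in the post above.
const SampleAuthnRequest = `<samlp:AuthnRequest ID="_0bef3e4d-4985-40d6-8bec-43e26790be2f" Version="2.0" IssueInstant="2021-07-21T10:05:08.796Z" Destination="https://localhost:9443/samlsso" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:44348/</saml:Issuer></samlp:AuthnRequest>`

// NewSigningKey stands in for the SP private key (SP.PFX in the reply); generated here rather than loaded.
func NewSigningKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// deflateBase64 is the binding's encoding: raw DEFLATE (no zlib header), then base64. Writes into an
// in-memory buffer cannot fail, so the flate errors are deliberately ignored.
func deflateBase64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// signedInput is the exact octet string that is signed: URL-encoded values in the fixed order SAMLRequest, RelayState (only if present), SigAlg.
func signedInput(encReq, encRelay, encSigAlg string) string {
	s := "SAMLRequest=" + encReq
	if encRelay != "" {
		s += "&RelayState=" + encRelay
	}
	return s + "&SigAlg=" + encSigAlg
}

// BuildRedirectQuery is the SP side: encode, sign the query string with the SP private key, append the Signature parameter. No XML signature goes inside the request.
func BuildRedirectQuery(key *rsa.PrivateKey, authnRequestXML, relayState string) (string, error) {
	input := signedInput(url.QueryEscape(deflateBase64(authnRequestXML)), url.QueryEscape(relayState), url.QueryEscape(SigAlgRSASHA256))
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParams splits the query WITHOUT decoding values: the verifier must rebuild the signed input byte-for-byte; re-encoding decoded values ("+" vs "%20") silently breaks verification.
func rawParams(query string) map[string]string {
	out := map[string]string{}
	for _, pair := range strings.Split(query, "&") {
		if kv := strings.SplitN(pair, "=", 2); len(kv) == 2 {
			out[kv[0]] = kv[1]
		}
	}
	return out
}

// VerifyRedirectQuery is the IdP side: reject unsigned, tampered or wrong-key requests, and return the inflated XML only once the signature verifies against the SP public key (SP.CER).
func VerifyRedirectQuery(pub *rsa.PublicKey, query string) (string, error) {
	p := rawParams(query)
	if p["SAMLRequest"] == "" || p["SigAlg"] == "" || p["Signature"] == "" {
		return "", fmt.Errorf("authn request is not signed: SAMLRequest, SigAlg and Signature are required")
	}
	if alg, err := url.QueryUnescape(p["SigAlg"]); err != nil || alg != SigAlgRSASHA256 {
		return "", fmt.Errorf("unsupported or malformed SigAlg %q", p["SigAlg"])
	}
	sigB64, _ := url.QueryUnescape(p["Signature"]) // a bad escape yields "" and then fails verification below
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return "", fmt.Errorf("malformed Signature: %w", err)
	}
	digest := sha256.Sum256([]byte(signedInput(p["SAMLRequest"], p["RelayState"], p["SigAlg"])))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature validation for authn request failed: %w", err)
	}
	// Only now is the payload trusted: undo URL encoding, base64 and DEFLATE to recover the XML.
	encReq, _ := url.QueryUnescape(p["SAMLRequest"])
	raw, err := base64.StdEncoding.DecodeString(encReq)
	if err != nil {
		return "", err
	}
	xml, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	return string(xml), err
}

func main() {
	key, _ := NewSigningKey(2048)
	query, _ := BuildRedirectQuery(key, SampleAuthnRequest, "state-123")
	fmt.Println("GET https://localhost:9443/samlsso?" + query)
	_, err := VerifyRedirectQuery(&key.PublicKey, query[:strings.Index(query, "&Signature=")])
	fmt.Println("IdP on the same request with Signature stripped:", err)
}
```

Run it with `go run`; the first line is what the browser is redirected to, the second is the rejection an IdP produces when `SigAlg` and `Signature` are absent, which is the situation when the SP has not been told to sign. With the HTTP-POST binding the picture is different: the signature is an XML signature embedded in the AuthnRequest element itself, and this example does not cover that case.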