ComponentSpace

Forums



Neither the SAML assertion nor response is signed


mcc5al
Hi,

I have just changed the configuration of my ASP.NET MVC service provider to support a different identity provider by modifying the web.config and saml.config. For a reason I cannot figure out, it generates the error 'Neither the SAML assertion nor response is signed' when it receives the SAML response and calls the SAMLServiceProvider.ReceiveSSO method from AssertionConsumerService() in my MVC site. Using SAML tracer, the incoming SAML response looks correct, so why is it generating the error? The signing values of the entry in the saml.config look like this:

        SignAuthnRequest="false"
        WantSAMLResponseSigned="false"
        WantAssertionSigned="false"
        WantAssertionEncrypted="false"

So under what circumstances would it generate this error? See attachment.

I suspect it is a configuration issue, but how does it match the incoming SAML response to the entry in the saml.config?

Regards,
Michael




Attachment: error2.jpg
ComponentSpace
Hi Michael
By default we expect either the SAML response or assertion to be signed.
If you want to disable this, specify WantAssertionOrResponseSigned="false".
However, in production you should require either the SAML response or assertion to have a verified signature.

Regards
ComponentSpace Development
mcc5al
ComponentSpace - 7/3/2018
Hi Michael
By default we expect either the SAML response or assertion to be signed.
If you want to disable this, specify WantAssertionOrResponseSigned="false".
However, in production you should require either the SAML response or assertion to have a verified signature.

Hi,
I have just added this to the saml.config and it fixed the issue.
Many thanks for your help and quick response.

Regards,
Michael



ComponentSpace
You're welcome.

Regards
ComponentSpace Development
phanirajraichooti
ComponentSpace - 7/3/2018
Hi Michael
By default we expect either the SAML response or assertion to be signed.
If you want to disable this, specify WantAssertionOrResponseSigned="false".
However, in production you should require either the SAML response or assertion to have a verified signature.

Hi Michael,

Thank you for your input, I am facing a similar issue and the error is suppressed when I add the flag you provided.
I would like to understand the root cause of the issue: is the IDP response/assertion missing the verified signature due to a setting that can be enabled in the SP request, or is it up to the IDP to include signatures?

I just want to ensure that this behavior is not due to a missing configuration in the original SAML request from the service provider application.

Thanks in advance,
Phaniraj
ComponentSpace
Hi Phaniraj,

Normally it's the IdP that decides whether to sign the SAML assertion or response. There's nothing in the SAML authn request from the SP that determines what will be signed by the IdP.

Regards
ComponentSpace Development
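
Added example, not part of the forum thread and not ComponentSpace code: a way to see what the IdP actually signed in a captured SAML response (for instance one copied from SAML tracer), since that is what decides whether the default "response or assertion signed" expectation can be met. It reports only the presence of enveloped ds:Signature elements and does not verify them; the function names and sample messages are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def decode_post_binding(form_value):
    """Decode the base64 SAMLResponse form field of the HTTP-POST binding."""
    return base64.b64decode(form_value)

def has_own_signature(element):
    """True only if ds:Signature is a direct child (an enveloped signature)."""
    return element.find("ds:Signature", NS) is not None

def signature_report(saml_response_xml):
    """Report which parts of a captured samlp:Response carry a signature.

    Presence only: nothing here verifies the signature or its certificate.
    Intended for offline inspection of a message you captured yourself.
    """
    root = ET.fromstring(saml_response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    response_signed = has_own_signature(root)
    assertion_signed = bool(assertions) and all(map(has_own_signature, assertions))
    return {
        "response_signed": response_signed,
        "assertion_signed": assertion_signed,
        # Signatures inside an EncryptedAssertion cannot be seen before decryption.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "either_signed": response_signed or assertion_signed,
    }

# Constructed sample messages (not taken from the thread).
UNSIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""
SIGNED_ASSERTION = UNSIGNED.replace(
    "</saml:Assertion>",
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></saml:Assertion>')
```

When either_signed comes back false for a real capture, the IdP is sending nothing the SP could verify, so the place to correct it is the IdP's signing settings rather than WantAssertionOrResponseSigned="false".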