Signature is invalid message from IDP #244
Comments
Does your testing work when signing is disabled? Maybe it's an issue with what your IdP is expecting of signed requests.
I have tried disabling the signing as follows: However, I still get the same error from the IDP. I have also sent this issue to the saml_idp gem and he asked me if the logout request has been signed. I am quite confused and do not know where the problem lies.
Looks like the IdP requires signing for logout requests: https://github.com/saml-idp/saml_idp/blob/75ac2f1673e919d7c66a668c40f78e55b96195eb/lib/saml_idp/request.rb#L118 I'm not sure where it's getting your SP's fingerprint from, but it looks like maybe that's missing. It looks like it defaults to this one: https://github.com/saml-idp/saml_idp/blob/75ac2f1673e919d7c66a668c40f78e55b96195eb/lib/saml_idp/default.rb#L27. Does your
Yes, I'm using the default certificate and secret key in the Here is my logout request encoded XML: And this is signature of the logout request: I have tried to validate it by https://www.samltool.com/validate_logout_req.php and got a valid message. I think you are right that the error is coming from the IDP.
I'm using the saml-idp gem as an IDP and using destroy_user_sso_session_path to sign out of SP and IDP, but the logout request has been rejected by the IDP with the message "Signature is invalid". This is my saml configuration below:

```ruby
config.saml_configure do |settings|
  settings.assertion_consumer_service_url = "#{saml_sp_host}/users/saml/auth"
  settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
  settings.sp_entity_id = "#{saml_sp_host}/users/saml/metadata"
  settings.idp_sso_service_url = "#{saml_idp_host}/saml/auth"
  settings.idp_slo_service_url = "#{saml_idp_host}/saml/logout"
  settings.idp_slo_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  settings.idp_cert = "-----BEGIN CERTIFICATE-----\n#{ENV["SAML_IDP_SECRET_KEY"]}\n-----END CERTIFICATE-----"
  settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
  settings.single_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  settings.security[:authn_requests_signed] = true
  settings.security[:logout_requests_signed] = true
  settings.security[:logout_responses_signed] = true
  settings.security[:metadata_signed] = true
  settings.security[:digest_method] = XMLSecurity::Document::SHA1
  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
  settings.security[:embed_sign] = false
  settings.security[:want_assertions_signed] = true
end
```
This is my logout request encoded XML:
fZFNS8QwEIb/Sm85xU7TrzRsC8IiLKweVDx4WdI06xbapGam4M+33XpYFLwEMrzPPDPJDvU4TOroP/xMz/ZztkjRfjl6p6n3rmYXoknF8eCNHi4eSaUAEK/YUlspFh32NTtBAnDOZcqFzCXPdGp4m3XAs7LIKp2ci6SslijibA8OSTuqmQCR8iThonyFSgGoPHln0ZsNeFWLO2DR1zg4VKuvZnNwymvsUTk9WlRk1Mv941EtQaURbVhHvkWm/5kpePLGD6zZrWl1nS40f1aWICGel/64LT5a0p0mvYtvsa3H02I57KMHH0ZN/+vXSt/x8zWqKGiHvXXEmpNoy7I1puVdlRc8AymXx7SWF7lsjRBSSGN/5Juv2W6/frL5Bg==
Have I made a mistake or missed something?