Unable to decode incoming request
Tom Scavo
trscavo at gmail.com
Tue Mar 13 12:38:34 EDT 2018
On Tue, Mar 13, 2018 at 12:19 PM, Tom Scavo <trscavo at gmail.com> wrote:
>
> On Tue, Mar 13, 2018 at 11:43 AM, Michael Dahlberg <olgamirth at gmail.com> wrote:
>>
>> I've checked the X509 cert in their metadata and it looks good. Are there
>> any other reasons why the IdP would be unable to decode the request?
>
> You don't give enough information for me to be sure but my guess is
> that the IdP is rejecting a signature based on the SHA-1 digest
> algorithm.
You can easily check this by inspecting the signature itself (not the
signing certificate in metadata). What are the values of the following
attributes in the signed AuthnRequest?
@SignatureMethod
@DigestMethod
If the value of either attribute indicates SHA-1, that is your
problem. The easiest thing to do is just stop signing the request.
Tom
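
The check described in the message above, as an added example that is not part of the original post: it reads the Algorithm attribute of ds:SignatureMethod and of every ds:DigestMethod in a signed AuthnRequest and lists any that are SHA-1 based. It assumes the HTTP-POST binding (base64-encoded XML with an enveloped signature); the function names and the sample request are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# XML-DSig algorithm URIs that rely on SHA-1 (signature and digest methods).
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

def signature_algorithms(saml_request_b64):
    """Return (signature_method, [digest_methods]); (None, []) if unsigned."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    info = root.find(f"{DS}Signature/{DS}SignedInfo")
    if info is None:
        return None, []
    sm = info.find(f"{DS}SignatureMethod")
    digests = info.findall(f"{DS}Reference/{DS}DigestMethod")
    return (sm.get("Algorithm") if sm is not None else None,
            [d.get("Algorithm") for d in digests])

def sha1_algorithms(saml_request_b64):
    """List every SHA-1 based algorithm URI used by the request signature."""
    sm, digests = signature_algorithms(saml_request_b64)
    return [uri for uri in [sm, *digests] if uri in SHA1_URIS]

# Constructed sample: SHA-256 signature method, but a SHA-1 digest method.
SAMPLE = base64.b64encode(b"""
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed" Version="2.0" IssueInstant="2018-03-13T16:00:00Z">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod
        Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_constructed">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:AuthnRequest>""").decode()

if __name__ == "__main__":
    print(signature_algorithms(SAMPLE))
    print("SHA-1 in use:", sha1_algorithms(SAMPLE))
```

With the HTTP-Redirect binding the signature is not inside the XML; the algorithm is carried in the SigAlg query parameter instead, so inspect that value there.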