signed authn request fails

cneberg cneberg at gmail.com
Tue Jul 30 15:12:48 EDT 2019


I've got a COTS product I need to authenticate with a Shibboleth IdP
running 3.4.x. The COTS product signs its SAML 2 AuthnRequest,
which I don't actually require, and the IdP fails to validate the
signature, and of course the flow fails.

I don't see any details about why it failed validating the signature,
but I assumed maybe it was because the signature uses SHA-1.

I added this to the metadata provided by the application hoping it
would help, but there was no change. Does anyone have ideas about
what to try next? (The error message and SAML AuthnRequest message
are below.)

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="…" entityID="…">
    <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
      <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </md:Extensions>


And the error message is:

Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: Validation of protocol message signature failed
    at org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityHandler.java:147)
    at org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler.doInvoke(SAMLProtocolMessageXMLSignatureSecurityHandler.java:110)
    at org.opensaml.messaging.handler.AbstractMessageHandler.invoke(AbstractMessageHandler.java:95)
    at net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor.doExecute(WebFlowMessageHandlerAdaptor.java:200)
    at org.opensaml.profile.action.AbstractProfileAction.execute(AbstractProfileAction.java:117)
    at net.shibboleth.idp.profile.AbstractProfileAction.doExecute(AbstractProfileAction.java:155)
    at net.shibboleth.idp.profile.AbstractProfileAction.execute(AbstractProfileAction.java:127)
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
    at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
    at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
    at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Flow.start(Flow.java:527)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
    at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
    at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
    at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
    at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)



The SAML request is:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="…" Destination="…" ForceAuthn="false"
    ID="…" IsPassive="false" IssueInstant="2019-07-30T18:18:56.954Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">…</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#...">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>…..=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>….</ds:SignatureValue>


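A triage script for a request like the one in the post, added here as an example and not part of the original thread or of Shibboleth: it parses a signed AuthnRequest, reports the SignatureMethod and DigestMethod URIs, flags the SHA-1 based ones, and checks the structural prerequisites an IdP needs before it can verify anything (the ds:Reference points at the request's own ID and carries the enveloped-signature transform). It does not verify the signature cryptographically; the sample request, its ID, issuer and digest/signature values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2P = "{urn:oasis:names:tc:SAML:2.0:protocol}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
# SHA-1 based XML Signature algorithm URIs (the ones used by the posted request)
SHA1_ALGORITHMS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                   "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
                   "http://www.w3.org/2000/09/xmldsig#sha1"}

def audit_authn_request(xml_text):
    """Report signature algorithms and structural problems; does not verify the signature value."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != SAML2P + "AuthnRequest":
        findings.append("root element is not saml2p:AuthnRequest")
    sig = root.find(DS + "Signature")
    if sig is None:
        return {"signed": False, "findings": findings + ["no enveloped ds:Signature"]}
    sig_alg = sig.find(DS + "SignedInfo/" + DS + "SignatureMethod").get("Algorithm")
    ref = sig.find(DS + "SignedInfo/" + DS + "Reference")
    digest_alg = ref.find(DS + "DigestMethod").get("Algorithm")
    transforms = [t.get("Algorithm") for t in ref.iter(DS + "Transform")]
    if sig_alg in SHA1_ALGORITHMS:
        findings.append("SignatureMethod is SHA-1 based: " + sig_alg)
    if digest_alg in SHA1_ALGORITHMS:
        findings.append("DigestMethod is SHA-1 based: " + digest_alg)
    # The Reference must point at the AuthnRequest's own ID, otherwise the IdP has nothing to verify
    if ref.get("URI") != "#" + root.get("ID", ""):
        findings.append("Reference URI %r does not match ID %r" % (ref.get("URI"), root.get("ID")))
    if ENVELOPED not in transforms:
        findings.append("enveloped-signature transform missing")
    return {"signed": True, "signature_method": sig_alg, "digest_method": digest_alg, "findings": findings}

# Constructed sample mirroring the request in the post; ID, issuer and values are placeholders
SAMPLE_REQUEST = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_req-placeholder" Version="2.0" IssueInstant="2019-07-30T18:18:56.954Z">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.org</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_req-placeholder"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue></ds:Signature>
</saml2p:AuthnRequest>"""
```

Running `audit_authn_request(SAMPLE_REQUEST)` on the sample reports both SHA-1 findings and nothing else; swapping the algorithm URIs for SHA-256 ones clears them, which isolates the algorithm question from the other reasons a signature check can fail.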