IDP sending empty SignatureValue in ArtifactResponse

Cantor, Scott cantor.2 at
Tue Sep 17 11:51:15 EDT 2019

Just eyeballing, my supposition is that the assertion signing might be connected to the bug. The order of operations looks off to me, and I think it may be signing it a second time in a place that would corrupt the Response signature, so that would be a plausible idea. If the SP required assertion signing and the rest don't, that would explain the difference.

-- Scott

On 9/17/19, 10:12 AM, "Cantor, Scott" <cantor.2 at> wrote:

On 9/17/19, 9:54 AM, "users on behalf of Malo Toudic" <users-bounces at on behalf of malo.toudic at> wrote:

> You will find the logs attached. I have anonymized the logs (URL and certificates only).

It's the ArtifactResponse that would normally be signed (if anything were signed), and it's the Response inside it that's broken.
The assertion here is also being signed, so this is a very strange "desired" result to begin with. I suspect there's a signing setting interaction with the three different layers that's getting things mixed up. It has to be something in a relying party override affecting the response signing settings to be specific to one SP.

You'd need to file a bug with a fairly complete config example and a good log trace. If you want to keep it confidential you can set the Security Level to vulnerability (not that it is one, but it would limit the visibility of the issue).

-- Scott
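The ordering problem Scott suspects can be shown concretely. The following is an added example, not code from the thread or from the Shibboleth IdP: an enveloped XML-DSig signature digests the signed element with its own ds:Signature removed, so anything that later changes that element's content (such as inserting a ds:Signature into a child Assertion) invalidates the outer Response signature. The XML is constructed, HMAC stands in for RSA, and canonicalisation is simplified to plain serialisation; the verifier also rejects an empty SignatureValue, which is the symptom in the subject line.

```python
"""Added example: why signing the Assertion after the enclosing Response
has already been signed breaks the Response signature.

Constructed sample SAML XML; HMAC stands in for RSA signing and real C14N
rules are not reproduced (plain serialisation is used as the "canonical" form).
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("ds", DS)
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

KEY = b"constructed-demo-key"  # stand-in for the IdP's private signing key


def digest_without_own_signature(elem):
    """SHA-256 over elem with its own direct ds:Signature child removed (enveloped transform).
    Signatures nested deeper (e.g. inside a child Assertion) stay in and affect the digest."""
    clone = copy.deepcopy(elem)
    for sig in clone.findall(f"{{{DS}}}Signature"):
        clone.remove(sig)
    return hashlib.sha256(ET.tostring(clone, encoding="utf-8")).hexdigest()


def sign(elem):
    """Append a ds:Signature to elem covering the element's content as it is right now."""
    digest = digest_without_own_signature(elem)
    sig = ET.SubElement(elem, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}DigestValue").text = digest
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = hmac.new(
        KEY, digest.encode(), "sha256").hexdigest()


def verify(elem):
    """True only if the digest matches the current content and the SignatureValue
    is present and correct (an empty SignatureValue fails)."""
    sig = elem.find(f"{{{DS}}}Signature")
    if sig is None:
        return False
    digest = digest_without_own_signature(elem)
    expected = hmac.new(KEY, digest.encode(), "sha256").hexdigest()
    sig_value = sig.findtext(f"{{{DS}}}SignatureValue") or ""
    return sig.findtext(f"{{{DS}}}DigestValue") == digest and hmac.compare_digest(sig_value, expected)


def build_response():
    """Constructed Response wrapping one Assertion (the two layers being signed)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_resp1")
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = "https://idp.example.org/idp"
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_a1")
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = "https://idp.example.org/idp"
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = "user@example.org"
    return resp, assertion


def sign_in_order(assertion_first):
    """Sign both layers in the given order; return (response_verifies, assertion_verifies)."""
    resp, assertion = build_response()
    if assertion_first:
        sign(assertion)   # inner layer first ...
        sign(resp)        # ... then the outer digest covers the signed Assertion
    else:
        sign(resp)        # outer digest taken over an unsigned Assertion ...
        sign(assertion)   # ... then the Assertion changes, so the Response digest is stale
    return verify(resp), verify(assertion)


if __name__ == "__main__":
    print("assertion then response:", sign_in_order(True))    # (True, True)
    print("response then assertion:", sign_in_order(False))   # (False, True)
```

With the correct order (inner Assertion first, then the outer Response) both signatures verify; with the reversed order the Assertion still verifies but the Response signature no longer matches its content, which is the kind of corrupted Response signature discussed above. A reviewer triaging such a bug would look for the same thing in the config: a relying-party override that turns on assertion signing for one SP while response signing is also active, and the order in which the IdP applies them.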
