AuthnRequests must be signed, but inbound message was not signed for IDP initiated SSO

Abhishek Chouksey abhishekchouksey10 at gmail.com
Thu Dec 3 14:12:37 UTC 2020


Hi,

I am new to Shibboleth and am working on configuring our IdP with
FortiPortal. We want to use IdP-initiated SSO, and we also use
IdP-initiated SSO for some other vendors, and those are working fine.

My question is related to the use of AuthnRequestsSigned="true" in
the FortiPortal SP metadata. In their metadata the AuthnRequestsSigned
attribute is set to true, as they would like it set, and then I get this
error on the IdP:

ERROR [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:87]
- SPSSODescriptor for entity ID '-----' indicates AuthnRequests must
be signed, but inbound message was not signed

16:44:54.524 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406]
- Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Inbound AuthnRequest
was required to be signed but was not

Is there a way to configure IdP-initiated SSO for AuthnRequestsSigned="true"
without breaking our other IdP-initiated SSO implementations? What
changes can we make in the relying party to resolve this issue?

These configs are present in my relying-party.xml:


  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                           includeAttributeStatement="true"
                           assertionLifetime="PT5M"
                           assertionProxyCount="0"
                           signResponses="conditional"
                           signAssertions="always"
                           encryptAssertions="never"
                           encryptNameIds="never"
                           includeConditionsNotBefore="true"/>

  <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy"
                           xsi:type="security:SecurityPolicyType">
      <security:Rule xsi:type="samlsec:Replay"/>
      <security:Rule xsi:type="samlsec:IssueInstant"/>
      <!-- Rejects an unsigned AuthnRequest when the SP's metadata declares
           AuthnRequestsSigned="true"; this is the rule named in the ERROR above. -->
      <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
      <!-- Signature verification rules, each against the configured trust engine -->
      <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
                     trustEngineRef="shibboleth.SignatureTrustEngine"/>
      <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign"
                     trustEngineRef="shibboleth.SignatureTrustEngine"/>
      <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign"
                     trustEngineRef="shibboleth.SignatureTrustEngine"/>
      <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
  </security:SecurityPolicy>

Are there any changes that can be made to these so that it works fine? I
also want to add one more point: if I comment out

  <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>

then it does not show the error in the log, but I get redirected to the
FortiPortal errorSamlSSO page:
https://<Forti_Portal>/fpc/login/errorSamlSSO

Can anyone please suggest what changes can be made on the IdP side so
that the AuthnRequest gets signed?





*Thanks and Regards,*

*Abhishek*
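The check that produced the ERROR line in the post above, as an added model in Python (editor's example, not Shibboleth's or OpenSAML's code; the entityID, request IDs and signature contents are constructed placeholders): it reads AuthnRequestsSigned from the SP's SPSSODescriptor, checks whether the inbound AuthnRequest carried a signature in the form the binding uses (an enveloped ds:Signature for HTTP-POST, the SigAlg and Signature query parameters for HTTP-Redirect), and refuses the message with the same wording the log shows when the metadata promises signed requests but none is present. The `exempt` parameter is a hypothetical stand-in for scoping the check to one named relying party instead of commenting the rule out of the shared shibboleth.SAML2SSOSecurityPolicy, which switches it off for every SP that policy covers.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, quote

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata; the entityID is a placeholder, not FortiPortal's.
SP_ENTITY_ID = "https://sp.example.org/saml"
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequests: one unsigned, one with an enveloped XML signature.
# The Signature body is a placeholder; this model only looks at its presence.
UNSIGNED_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2020-12-03T16:44:54Z">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
</samlp:AuthnRequest>"""
SIGNED_REQUEST = UNSIGNED_REQUEST.replace(
    "</saml:Issuer>",
    f'</saml:Issuer>\n  <ds:Signature xmlns:ds="{NS["ds"]}">'
    "<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>",
)


def sp_requires_signed_requests(metadata_xml: str, entity_id: str) -> bool:
    """Metadata lookup: True when the SPSSODescriptor for entity_id carries
    AuthnRequestsSigned="true" (the SP's own promise to sign its requests)."""
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:
        raise LookupError(f"no metadata for {entity_id}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise LookupError(f"{entity_id} has no SPSSODescriptor")
    return sp.get("AuthnRequestsSigned", "false").lower() == "true"


def encode_post(xml: str) -> str:
    """HTTP-POST binding: the message is base64 in the SAMLRequest form field."""
    return base64.b64encode(xml.encode()).decode()


def post_message_is_signed(saml_request_b64: str) -> bool:
    """POST binding: a signature, if any, is an enveloped ds:Signature element."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    return root.find("ds:Signature", NS) is not None


def encode_redirect(xml: str, signed: bool) -> str:
    """HTTP-Redirect binding: raw-DEFLATE + base64 in SAMLRequest; when signed,
    SigAlg and Signature travel as separate query parameters (placeholder value)."""
    c = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    raw = c.compress(xml.encode()) + c.flush()
    qs = "SAMLRequest=" + quote(base64.b64encode(raw).decode(), safe="")
    if signed:
        qs += ("&SigAlg=" + quote("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", safe="")
               + "&Signature=" + quote(base64.b64encode(b"placeholder").decode(), safe=""))
    return qs


def redirect_message_is_signed(query_string: str) -> bool:
    """Redirect binding: signed iff both SigAlg and Signature parameters are present."""
    q = parse_qs(query_string)
    return "SigAlg" in q and "Signature" in q


def evaluate(metadata_xml: str, entity_id: str, *, signed: bool, exempt=frozenset()):
    """Return (accepted, reason). 'exempt' is a hypothetical per-relying-party
    scope for the rule; an empty set is the posted configuration."""
    if entity_id in exempt:
        return True, "AuthnRequestsSigned rule not applied to this relying party"
    if sp_requires_signed_requests(metadata_xml, entity_id) and not signed:
        return False, (f"SPSSODescriptor for entity ID '{entity_id}' indicates "
                       "AuthnRequests must be signed, but inbound message was not signed")
    return True, "signature requirement satisfied or not declared"


if __name__ == "__main__":
    for label, body in (("POST unsigned", UNSIGNED_REQUEST), ("POST signed", SIGNED_REQUEST)):
        ok, why = evaluate(SP_METADATA, SP_ENTITY_ID, signed=post_message_is_signed(encode_post(body)))
        print(f"{label}: accepted={ok} ({why})")
    qs = encode_redirect(UNSIGNED_REQUEST, signed=False)
    print("Redirect unsigned:", evaluate(SP_METADATA, SP_ENTITY_ID, signed=redirect_message_is_signed(qs)))
```

Only presence is modelled here: in the posted policy the cryptographic verification of a signature that is present belongs to the ProtocolWithXMLSignature and SAML2HTTPRedirectSimpleSign rules with their trust engine, so commenting out SAML2AuthnRequestsSigned alone means an unsigned request from an SP whose metadata promised signing is now accepted for every SP, while a signed one is still verified. The signature on an AuthnRequest is produced by the SP with the SP's own key; no IdP-side setting can add one to a request the SP sent unsigned.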