error processing incoming assertion: Message was signed, but signature could not be verified.

Pavan Kishore Vuppada pavankishore.vuppada at broadcom.com
Fri Jul 3 15:03:50 UTC 2020


Hi,

Thank you for the input. I have deduced the same from my analysis.
When I compare the assertion (digest, signature, certificate) on the IDP before it is encrypted with the assertion after decryption in the Shibboleth logs, they are identical. Yet, Shibboleth fails to validate it.

I tried the setting below, which allows unauthenticated messages to pass, to confirm that encryption alone was not the problem. It is when the assertion is signed + encrypted.
<PolicyRule type="NullSecurity"/>

Is there any detailed log level or any other way that I can work with to understand the steps Shibboleth is performing during validation of the assertion?

Thanks,
Pavan.

From: Christopher Bongaarts
Sent: Friday, July 3, 2020 3:55 AM
To: Shib Users; Pavan Kishore Vuppada
Cc: sreenivas.somavarapu at broadcom.com; Sapthapathi Bondili
Subject: Re: error processing incoming assertion: Message was signed, but signature could not be verified.

On 7/2/2020 6:10 AM, Pavan Kishore Vuppada wrote:
I have configured Siteminder as IDP & Shibboleth as SP. 
I am trying to sign and encrypt the assertion. On the Shibboleth side, it is not able to verify the signature. But if we individually either sign or encrypt the assertion, it is working fine without any problems.
The error in the logs is very generic (Error - error processing incoming assertion: Message was signed, but signature could not be verified).
Is there a way to know what exactly has caused the failure? I have enabled DEBUG logging, but there is not much info there. Can we check the part of XML / signature which is causing the problem?

Based on the log messages, it looks like it is successfully validating the SAML Response, successfully extracting and decrypting the Authentication Assertion, but failing to validate the Authentication Assertion.
-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
