signature verification issues
Rene Paquin
rpaquin at wlu.ca
Fri Apr 23 11:42:10 UTC 2021
Hi Nate,
Thanks for the response. I have uploaded the metadata to samlTest and also downloaded their sp metadata and reconfigured and rebuilt from scratch but still cannot get this to work. Not sure where to go with this next.
Rene
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Nate Klingenstein
Sent: April 22, 2021 1:48 PM
To: Shib Users <users at shibboleth.net>; users at shibboleth.net
Subject: RE: signature verification issues
Rene,
Login was successful, but when your IdP went to sign a response or an assertion and send it back to SAMLtest, that signature was invalid when it was evaluated. That could be because the key in the metadata you've uploaded to SAMLtest doesn't match the key that you're using for signing, which is by far the most likely explanation, or it could hypothetically be because of a bug in the signing code, but since you're using 4.1 of a known working implementation, that pretty much narrows it down to a key mismatch.
You can replace your metadata on SAMLtest at any time by uploading new metadata with the same entityID and waiting for a few minutes for all caches to clear.
Take care,
Nate.
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id/
-----Original message-----
From: Rene Paquin
Sent: Thursday, April 22 2021, 8:26 am
To: users at shibboleth.net
Subject: signature verification issues
With version 4.1 I am testing my SSO with samltest.id. When I attempt to authenticate using samltest I get errors:
2021-04-22 14:15:14 WARN OpenSAML.SecurityPolicyRule.XMLSigning [28388] [default]: unable to verify message signature with supplied trust engine
2021-04-22 14:15:14 WARN Shibboleth.SSO.SAML2 [28388] [default]: error processing incoming assertion: Message was signed, but signature could not be verified
However in the idp logs it shows as successful
2021-04-22 10:15:12,785 - 192.168.1.1 - INFO [net.shibboleth.idp.authn.impl.LDAPCredentialValidator:163] - Credential Validator ldap: Login by 'rpaquin' succeeded
2021-04-22 10:15:13,799 - 192.168.1.1 - INFO [Shibboleth-Audit.SSO:283] - 192.168.1.1|2021-04-22T14:14:55.457547Z|2021-04-22T14:15:13.798645Z|rpaquin|https://samltest.id/saml/sp|_67ac3b88ddb2917757522c022381f3dc|password|2021-04-22T14:15:12.792028Z|uid|AAdzZWNyZXQxKIj6lHLOoY9vnC21XDbpxX8bgXF2QylAUmBU/D9G0xFFJn5QR8AenBbNt5u7o8vNMiBXVEtzDd3aGD6iZJOz60QZ4EW5oXugd+NeUCSPaO4VSqDQ7c3x0IYguLpQVA==|transient|false|false|AES128-GCM|Redirect|POST||Success||23e72cc82baf28d7bdac7625341d18169a3dcfed990f90c8e908e67f07d63403|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
So does this issue lie with the IDP or with the samlTest SP?
********************************
Rene Paquin - Systems Administrator
Wilfrid Laurier University
Waterloo, Ontario
(519)884-0710 x3795
rpaquin at wlu.ca
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
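Added example, not part of the original thread and not Shibboleth code: one way to test the key-mismatch explanation given in the reply above is to fingerprint every signing certificate in the metadata uploaded to the SP and compare it with the certificate the IdP actually signs with. The entityID, function names and certificate bytes below are constructed for illustration; in practice the inputs would be the uploaded metadata file and the IdP's signing certificate in PEM form.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def metadata_signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate the IdP metadata offers for signing."""
    found = set()
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" applies to signing and encryption alike.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.add(fingerprint(base64.b64decode("".join((cert.text or "").split()))))
    return found

def signing_cert_published(metadata_xml: str, signing_cert_pem: str) -> bool:
    return fingerprint(pem_to_der(signing_cert_pem)) in metadata_signing_fingerprints(metadata_xml)

def as_pem(b64: str) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed stand-in bytes, not real certificates: only byte equality matters.
UPLOADED_B64 = base64.b64encode(b"constructed-cert-in-uploaded-metadata").decode()
REBUILT_B64 = base64.b64encode(b"constructed-cert-after-idp-rebuild").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{UPLOADED_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("uploaded cert matches:", signing_cert_published(SAMPLE_METADATA, as_pem(UPLOADED_B64)))
    print("rebuilt cert matches: ", signing_cert_published(SAMPLE_METADATA, as_pem(REBUILT_B64)))
```

A result of False for the certificate the IdP currently signs with means the SP holds stale or different key material and will reject the signature even though login at the IdP succeeds.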