Error: Simple signature validation (with no request-derived credentials) failed
Ryan Rumbaugh
rrumbaugh at nebraska.edu
Fri Apr 1 14:35:18 UTC 2022
Thanks for the reply.
A bit of follow-up information, I assumed the issue was due to the SP signing their authentication requests using a different key (I suggested they stop that), but I thought to prove my case I’ll attempt an IdP-initiated login and it turns out I still get an immediate exception. This time I see the following in the logs.
No credentials could be extracted from KeyInfo child with QName (http://www.w3.org/2000/09/xmldsig#)x509Data by any registered provider
Validation failure: Failed to resolve both a data and a key encryption credential
Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters
The only thing that seems different about this SP is they use sha512 instead of sha256, but I’m assuming Shib supports sha512 just fine. Thanks for any suggestions.
--
Ryan Rumbaugh
From: Cantor, Scott <cantor.2 at osu.edu>
Date: Friday, March 25, 2022 at 10:39 AM
To: Shib Users <users at shibboleth.net>
Cc: Ryan Rumbaugh <rrumbaugh at nebraska.edu>
Subject: Re: Error: Simple signature validation (with no request-derived credentials) failed
On 3/25/22, 11:14 AM, "users on behalf of Ryan Rumbaugh via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> Hi all, I’m working with a vendor (Critical Labs) to try and determine why I’m getting the following exception.
> Searching the list, I think this occurs when an SP signs an authn request with a different key than what is in
> metadata. According to the vendor that is not the case,
I would assume the vendor's wrong.
> and FWIW I used the SAML authn request validator at https://www.samltool.com/validate_authn_req.php
> and it checks out.
Perhaps the metadata is wrong but you're pulling the key artificially in some way for the test. Maybe it's marked use="encryption". Or maybe that's not the metadata the IdP is using.
-- Scott
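A diagnostic for the two things this thread points at (Scott's suggestion that the SP key may be marked use="encryption" or may not be in the metadata the IdP actually loads, and the "No credentials could be extracted from KeyInfo child ... x509Data" line in the later log) is sketched below. It is an added example, not code from this thread or from Shibboleth: it reads SP metadata with the Python standard library, classifies each KeyDescriptor by its use attribute, checks that every X509Certificate decodes to DER, and compares the certificate carried in a signed request against the metadata's signing keys. The metadata and the certificate bytes are constructed placeholders; only the SAML 2.0 metadata and XML-DSig namespaces are real.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Real namespaces from the OASIS SAML 2.0 metadata and W3C XML-DSig specs.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(b64_cert):
    """Decode one <ds:X509Certificate> body; return (sha256_hex, error_or_None)."""
    try:
        der = base64.b64decode("".join(b64_cert.split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return None, f"X509Certificate is not valid base64: {exc}"
    # A DER-encoded certificate is an ASN.1 SEQUENCE, so its first tag byte is 0x30.
    if not der or der[0] != 0x30:
        return None, "X509Certificate does not decode to a DER SEQUENCE"
    return hashlib.sha256(der).hexdigest(), None


def inspect_sp_metadata(xml_text):
    """Report which SP keys an IdP may use for signature verification and for encryption."""
    root = ET.fromstring(xml_text)
    report = {"signing": [], "encryption": [], "problems": []}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")  # absent means the key serves both purposes
        certs = kd.findall("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if not certs:
            report["problems"].append(f"KeyDescriptor use={use!r} carries no X509Certificate")
            continue
        for cert in certs:
            fp, err = cert_fingerprint(cert.text or "")
            if err:
                report["problems"].append(f"KeyDescriptor use={use!r}: {err}")
                continue
            if use in (None, "signing"):
                report["signing"].append(fp)
            if use in (None, "encryption"):
                report["encryption"].append(fp)
    if not report["signing"]:
        report["problems"].append(
            'no key usable to verify SP request signatures (every KeyDescriptor marked use="encryption"?)')
    if not report["encryption"]:
        report["problems"].append("no key usable to encrypt assertions for this SP")
    return report


def request_key_matches_metadata(request_cert_b64, report):
    """True if the certificate carried in a signed AuthnRequest is one of the metadata signing keys."""
    fp, err = cert_fingerprint(request_cert_b64)
    return err is None and fp in report["signing"]


# Constructed sample input: a 5-byte ASN.1 SEQUENCE stands in for a real certificate,
# which is enough to exercise the decode-and-fingerprint path offline.
PLACEHOLDER_CERT_B64 = "MAMCAQE="


def sp_metadata(*key_descriptors):
    """Wrap KeyDescriptor fragments in a minimal, constructed SP EntityDescriptor."""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">'
        "<md:SPSSODescriptor>" + "".join(key_descriptors) + "</md:SPSSODescriptor></md:EntityDescriptor>"
    )


def key_descriptor(cert_b64, use=None):
    attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


# Healthy SP: one key with no use attribute, usable for both purposes.
GOOD_METADATA = sp_metadata(key_descriptor(PLACEHOLDER_CERT_B64))
# The case Scott raises: the only key is marked use="encryption", so nothing can verify a request signature.
ENCRYPTION_ONLY_METADATA = sp_metadata(key_descriptor(PLACEHOLDER_CERT_B64, use="encryption"))
# A KeyInfo whose X509Data cannot become a credential, as in the "No credentials could be extracted" log line.
BROKEN_METADATA = sp_metadata(key_descriptor("this is not base64!!"))

if __name__ == "__main__":
    for name, md in [("good", GOOD_METADATA), ("encryption-only", ENCRYPTION_ONLY_METADATA),
                     ("broken", BROKEN_METADATA)]:
        print(name, inspect_sp_metadata(md))
```

Run it against the metadata file the IdP is configured to load (not one fetched separately for the test) and against the certificate embedded in a captured signed request; an empty "signing" list or a fingerprint that is absent from it explains a simple-signature failure without any guessing about which key the vendor used.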