Message was signed, but signature could not be verified.

Goldberg, Arthur P arthur.p.goldberg at mssm.edu
Tue Jul 12 18:19:38 UTC 2022


Hi Shibboleth folks

I’m confident that I understand the principle behind the “Message was signed, but signature (sic) could not be verified” error: SAML messages sent by the IdP to the SP are digitally signed by the IdP so that the SP can verify that they come from the IdP. To achieve this, during configuration the IdP managers create a private/public key pair, load the public key into a certificate, embed the certificate in a metadata file, and share the metadata file with the SP manager (me, in this case). The SP manager then loads the metadata into the SP Shibboleth / shibd configuration, as I describe below.

Is this correct?

Given this, how does one DIRECTLY confirm that shibd is properly configured to verify messages sent by its configured IdP? For example, while shibd writes this during startup to the log:
2022-07-12 12:38:21 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/etc/shibboleth/AzureIdPMetadata.xml)
that does not come close to saying that a particular attribute in the metadata in this XML file contains a certificate that will (or will not) be able to verify messages sent by the IdP.

Thanks
Arthur

From: "Goldberg, Arthur P" <arthur.p.goldberg at mssm.edu>
Date: Monday, July 11, 2022 at 1:09 PM
To: Shib Users <users at shibboleth.net>
Subject: Message was signed, but signature could not be verified.

The “Message was signed, but signature could not be verified.” error is documented at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335423/CommonErrors#Message-was-signed,-but-signature-could-not-be-verified., which says, initially:

The certificate that was used to sign the message didn't match the one the SP expected based on metadata. That can be caused by, in order of likelihood:
1. The certificate in the metadata is different from the one configured for the IdP, and hence, the one in the message. …

Consistent with this, shibd.log & shibd_warn.log contain:
2022-07-11 13:05:06 WARN Shibboleth.SSO.SAML2 [1] [default]: detected a problem with assertion: Message was signed, but signature could not be verified.
2022-07-11 13:05:06 WARN Shibboleth.SSO.SAML2 [1] [default]: error processing incoming assertion: Message was signed, but signature could not be verified.

Is it correct that the “certificate … configured for the IdP [at the SP]” is given by this chain of references?

1. shibd is configured by /etc/shibboleth/shibboleth2.xml

2. The MetadataProvider element in shibboleth2.xml contains a path attribute, which names a file, called AzureIdPMetadata.xml in my system, that contains the metadata describing the IdP.

3. AzureIdPMetadata.xml contains a certificate, identified by the nested elements EntityDescriptor.Signature.KeyInfo.X509Data.X509Certificate (where the dot notation indicates nesting).

I’m simultaneously verifying with the IdP managers that this certificate in AzureIdPMetadata.xml is the IdP’s certificate which is used to communicate with my SP.

Running Shibboleth 3.2.2.

Thanks
Arthur
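As an added example (not code from this thread or from the Shibboleth project), the following Python script shows one way to confirm directly, outside shibd, whether the certificate carried in a signed SAML response is one the SP would trust from the IdP's metadata. Shibboleth's metadata-based trust takes IdP signing keys from the KeyDescriptor elements under IDPSSODescriptor whose use is "signing" or unspecified (unspecified means both signing and encryption); the certificate inside the metadata file's own top-level ds:Signature only identifies who signed the metadata document, so the script deliberately leaves it out, and it also skips encryption-only KeyDescriptors. Every certificate and XML document in it is a constructed placeholder (marked as such in the code), not real X.509 data, and the entity ID is made up; the script compares SHA-256 fingerprints of the DER bytes and does not itself verify the XML signature, which is shibd's job.

```python
"""Check whether the certificate inside a signed SAML response matches one of
the IdP signing certificates that an SP would trust from IdP metadata.
Standard library only; compares fingerprints, does not verify XML signatures."""
from __future__ import annotations

import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
DS_SIG = f"{{{NS['ds']}}}Signature"
DS_CERT = f"{{{NS['ds']}}}X509Certificate"


def fingerprint(b64_cert: str) -> str:
    """SHA-256 of the DER bytes. Metadata files wrap base64 across lines, so all
    whitespace is stripped before decoding; two wrappings of one cert agree."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def trusted_signing_certs(metadata_xml: str) -> dict[str, str]:
    """{fingerprint: use} for the certificates the SP accepts for verifying IdP
    signatures: KeyDescriptor under IDPSSODescriptor with use="signing" or no
    use attribute. The metadata document's own ds:Signature is not consulted."""
    root = ET.fromstring(metadata_xml)
    trusted: dict[str, str] = {}
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")
        if use == "encryption":
            continue  # encryption-only keys never verify signatures
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            trusted[fingerprint(cert.text)] = use
    return trusted


def presented_signing_certs(response_xml: str) -> list[str]:
    """Fingerprints of certificates carried in ds:Signature elements of the
    response (the Response signature and any signed Assertion)."""
    root = ET.fromstring(response_xml)
    found = []
    for sig in root.iter(DS_SIG):
        for cert in sig.iter(DS_CERT):
            if cert.text and cert.text.strip():
                found.append(fingerprint(cert.text))
    return found


def check(metadata_xml: str, response_xml: str) -> dict:
    """'verifiable' is False when the response carries no certificate or any
    certificate absent from the metadata, which is the condition behind
    'Message was signed, but signature could not be verified'."""
    trusted = trusted_signing_certs(metadata_xml)
    presented = presented_signing_certs(response_xml)
    untrusted = [fp for fp in presented if fp not in trusted]
    return {"trusted": trusted, "presented": presented, "untrusted": untrusted,
            "verifiable": bool(presented) and not untrusted}


# ---- constructed sample data: placeholder bytes, not real certificates ----
def _b64(label: bytes) -> str:
    """Base64 of a placeholder byte string, wrapped at 64 columns like a real
    metadata file would wrap a certificate."""
    s = base64.b64encode(label).decode()
    return "\n".join(s[i:i + 64] for i in range(0, len(s), 64))

META_CERT = _b64(b"constructed placeholder: cert that signed the metadata file")
SIGN_CERT = _b64(b"constructed placeholder: IdP SAML signing certificate")
ENC_CERT = _b64(b"constructed placeholder: IdP encryption-only certificate")
ROTATED_CERT = _b64(b"constructed placeholder: IdP certificate after rotation")

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{META_CERT}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SIGN_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENC_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sample_response(cert_b64: str) -> str:
    """Minimal Response skeleton whose signature carries the given certificate."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}" ID="_r1">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


if __name__ == "__main__":
    print("current signing cert:", check(SAMPLE_METADATA, sample_response(SIGN_CERT))["verifiable"])
    print("rotated signing cert:", check(SAMPLE_METADATA, sample_response(ROTATED_CERT))["verifiable"])
```

Against a real deployment, trusted_signing_certs would be fed the file named by the MetadataProvider path attribute and presented_signing_certs a captured Response (for example the decoded SAMLResponse form field from a browser trace); a rotated or mismatched IdP certificate shows up as a fingerprint in "untrusted" before any signature maths is attempted.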
