[EXT]: Re: The request cannot be fulfilled because the message received does not meet the security requirements of the login service
Wismer, Doug
Doug.Wismer at ellucian.com
Mon Nov 7 20:37:16 UTC 2022
Hi Nate,
Thanks for the reply. The vendor is indicating that signing the authentication request is necessary. And this is the only client experiencing such an issue. Wondering if you have any other suggestions.
Thanks,
-Doug
From: Nate Klingenstein <ndk at sudonym.me>
Sent: Friday, October 28, 2022 1:13 PM
To: Shib Users <users at shibboleth.net>
Cc: Wismer, Doug <Doug.Wismer at ellucian.com>
Subject: [EXT]: Re: The request cannot be fulfilled because the message received does not meet the security requirements of the login service
**External Email**
Doug,
It looks like the vendor is signing authentication requests, which is of dubious value for most cases. The signature won't show up in the XML with the HTTP-Redirect binding; it should be present in the URL.
You have two options: get the vendor to stop signing authentication requests if it adds no value in your scenario, or make sure that the signature is calculated correctly and that the corresponding public key is present in their metadata with use="signing" or no use listed.
I would be a little suspicious if you're using their vouched-for metadata and signature validation is still failing. If they're doing everything right, that shouldn't be happening.
Hope this helps,
Nate
On Fri, Oct 28, 2022 at 1:00 PM Wismer, Doug via users <users at shibboleth.net> wrote:
Trying to find the reason for this error. "The request cannot be fulfilled because the message received does not meet the security requirements of the login service"
The Metadata config has been checked and is per the vendor's recommendation.
Not seeing errors, but warnings.
2022-10-27 15:11:46,668 - DEBUG [PROTOCOL_MESSAGE:127] - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 -
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
AssertionConsumerServiceURL="https://somesp.somesp.com/saml-prodtest/token"
Destination="https://sso.it.utsa.edu/idp/profile/SAML2/Redirect/SSO"
ID="_d0fd17d8c3c271dd00e5" IssueInstant="2022-10-27T20:11:37.505Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://host.someissuer.com/</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>
<samlp:RequestedAuthnContext Comparison="exact" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
2022-10-27 15:11:46,760 - WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:277] - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 - Message Handler: Simple signature validation (with no request-derived credentials) failed
2022-10-27 15:11:46,761 - WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:214] - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 - Message Handler: Validation of request simple signature failed for context issuer: https://host.someissuer.com/
2022-10-27 15:11:46,762 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:202] - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: Validation of request simple signature failed for context issuer
at org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler.doEvaluate(BaseSAMLSimpleSignatureSecurityHandler.java:216)
2022-10-27 15:11:46,765 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 - A non-proceed event occurred while processing the request: MessageAuthenticationError
Any help diagnosing is appreciated. Thanks.
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
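The signature Nate describes is a detached one: with the HTTP-Redirect binding it travels as the Signature and SigAlg query parameters and is computed over the raw URL-encoded SAMLRequest, RelayState and SigAlg values, which is what the IdP's simple-signature handler re-checks with the key published in the SP's metadata. The Go example below is added here and is not code from this thread or from Shibboleth: the function names are mine, the DEFLATE step is assumed already done (the SAMLRequest value is passed in base64-encoded), and the RSA key stands in for the one the SP's metadata would carry.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"strings"
)

const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // value carried in SigAlg

// signedString builds the exact signed octets from already URL-encoded values (RelayState omitted if absent).
func signedString(encReq, encRelay, encAlg string) string {
	s := "SAMLRequest=" + encReq
	if encRelay != "" {
		s += "&RelayState=" + encRelay
	}
	return s + "&SigAlg=" + encAlg
}

// rawParam returns a parameter still URL-encoded as received; re-encoding decoded values breaks verification.
func rawParam(query, name string) string {
	for _, kv := range strings.Split(query, "&") {
		if k, v, _ := strings.Cut(kv, "="); k == name {
			return v
		}
	}
	return ""
}

// SignRedirectQuery (SP side): samlRequestB64 is base64 of the DEFLATEd AuthnRequest; Signature is a detached query parameter, not an element in the XML.
func SignRedirectQuery(key *rsa.PrivateKey, samlRequestB64, relayState string) (string, error) {
	toSign := signedString(url.QueryEscape(samlRequestB64), url.QueryEscape(relayState), url.QueryEscape(sigAlgRSASHA256))
	h := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), err
}

// VerifyRedirectQuery (IdP side): pub is the key from the SP metadata KeyDescriptor with use="signing" or no use attribute.
func VerifyRedirectQuery(pub *rsa.PublicKey, query string) error {
	sigB64, _ := url.QueryUnescape(rawParam(query, "Signature"))
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // a malformed value simply fails verification below
	toSign := signedString(rawParam(query, "SAMLRequest"), rawParam(query, "RelayState"), rawParam(query, "SigAlg"))
	h := sha256.Sum256([]byte(toSign))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
```

A failure like the one in the log above means this check did not pass: either the signed string the SP produced differs from what the IdP rebuilt from the wire parameters, or the key in the metadata is not the one that signed.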