[EXT]: Re: The request cannot be fulfilled because the message received does not meet the security requirements of the login service
Nate Klingenstein
ndk at signet.id
Mon Nov 7 20:49:55 UTC 2022
Doug,
If they insist on signing their AuthnRequests, then you get to insist that the signature be valid and that a matching certificate be in their metadata with use="signing" or no use attribute at all, which implies either signing or encryption use is okay. I would double-check that there is even such a certificate in their metadata. Presuming there is, ask them to make sure it matches the private key they're using to sign.
Something in the signature verification is failing, and unfortunately, you have limited information on your side to determine precisely why. What I've told you is about all anyone is going to be able to tell you except for them.
Sorry to not have more,
Nate
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
-----Original message-----
From: Wismer, Doug via users
Sent: Monday, November 7 2022, 1:37 pm
To: Nate Klingenstein; Shib Users
Cc: Wismer, Doug
Subject: RE: [EXT]: Re: The request cannot be fulfilled because the message received does not meet the security requirements of the login service
Hi Nate,
Thanks for the reply. The vendor is indicating that signing the authentication request is necessary. And this is the only client experiencing such an issue. Wondering if you have any other suggestions.
Thanks,
-Doug
From: Nate Klingenstein <ndk at sudonym.me>
Sent: Friday, October 28, 2022 1:13 PM
To: Shib Users <users at shibboleth.net>
Cc: Wismer, Doug <Doug.Wismer at ellucian.com>
Subject: [EXT]: Re: The request cannot be fulfilled because the message received does not meet the security requirements of the login service
**External Email**
Doug,
It looks like the vendor is signing authentication requests, which is of dubious value for most cases. The signature won't show up in the XML with the HTTP-Redirect binding; it should be present in the URL.
You have two options: get the vendor to stop signing authentication requests if it adds no value in your scenario, or make sure that the signature is calculated correctly and that the corresponding public key is present in their metadata with use="signing" or no use listed.
I would be a little suspicious if you're using their vouched-for metadata and signature validation is still failing. If they're doing everything right, that shouldn't be happening.
Hope this helps,
Nate
On Fri, Oct 28, 2022 at 1:00 PM Wismer, Doug via users <users at shibboleth.net> wrote:
Trying to find the reason for this error. “The request cannot be fulfilled because the message received does not meet the security requirements of the login service”
The Metadata config has been checked and is per the vendor’s recommendation.
Not seeing errors, but warnings.
2022-10-27 15:11:46,668 - DEBUG [PROTOCOL_MESSAGE:127] - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 -
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
AssertionConsumerServiceURL="https://somesp.somesp.com/saml-prodtest/token"
Destination="https://sso.it.utsa.edu/idp/profile/SAML2/Redirect/SSO"
ID="_d0fd17d8c3c271dd00e5" IssueInstant="2022-10-27T20:11:37.505Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://host.someissuer.com/</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>
<samlp:RequestedAuthnContext Comparison="exact" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
2022-10-27 15:11:46,760 - WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:277] - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 - Message Handler: Simple signature validation (with no request-derived credentials) failed
2022-10-27 15:11:46,761 - WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:214] - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 - Message Handler: Validation of request simple signature failed for context issuer: https://host.someissuer.com/
2022-10-27 15:11:46,762 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:202] - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: Validation of request simple signature failed for context issuer
at org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler.doEvaluate(BaseSAMLSimpleSignatureSecurityHandler.java:216)
2022-10-27 15:11:46,765 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 - A non-proceed event occurred while processing the request: MessageAuthenticationError
Any help diagnosing is appreciated. Thanks.
--
For Consortium Member technical support, see
https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to
users-unsubscribe at shibboleth.net <mailto:users-unsubscribe at shibboleth.net>
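The check that the WARN lines above are failing is the HTTP-Redirect "simple signature" (a detached signature over the query string rather than an XML signature inside the AuthnRequest). The following is an added Go example, not code from the thread or from Shibboleth/OpenSAML; the request value and both RSA keys are constructed, and Demo reproduces the case where the SP signs with a key that does not match the certificate in its metadata.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// SignedInput builds the octets the Redirect-binding simple signature covers (SAML
// 2.0 Bindings 3.4.4.1): SAMLRequest, RelayState (if present), SigAlg, URL-encoded, in that order.
func SignedInput(samlRequest, relayState, sigAlg string) string {
	s := "SAMLRequest=" + url.QueryEscape(samlRequest)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return s + "&SigAlg=" + url.QueryEscape(sigAlg)
}

// Sign returns the base64 value the SP places in the Signature parameter.
func Sign(priv *rsa.PrivateKey, input string) (string, error) {
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// Verify is the IdP-side check against one candidate key taken from the SP's
// metadata (a KeyDescriptor with use="signing" or no use attribute).
func Verify(pub *rsa.PublicKey, input, b64sig string) bool {
	sig, err := base64.StdEncoding.DecodeString(b64sig)
	h := sha256.Sum256([]byte(input))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Demo reproduces the mismatch the thread's WARN lines report: the SP signs
// with a key other than the one published in its metadata (constructed keys).
func Demo() (withMetadataKey, withSigningKey bool) {
	metadataKey, _ := rsa.GenerateKey(rand.Reader, 2048) // key in SP metadata
	signingKey, _ := rsa.GenerateKey(rand.Reader, 2048)  // key the SP really uses
	input := SignedInput("constructed-deflated-base64-AuthnRequest", "", rsaSHA256)
	sig, _ := Sign(signingKey, input)
	return Verify(&metadataKey.PublicKey, input, sig), Verify(&signingKey.PublicKey, input, sig)
}

func main() { fmt.Println(Demo()) } // prints: false true
```

The IdP must verify over the parameter values exactly as they were encoded in the received URL; re-encoding them, reordering them, or adding RelayState when it was absent changes the signed octets and produces the same "simple signature validation failed" outcome as a wrong key.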