Simple signature validation

IAM David Bantz dabantz at alaska.edu
Wed Oct 12 22:22:53 UTC 2022


If I understand your description correctly, it kinda doubles down on the
diagnosis that the signing cert in the SP’s metadata is not the cert with
which they signed the request (hence preventing the use of that cert to
validate the signed request). You substituted a cert of your own in the
metadata to produce “Same result”: that substituted cert certainly wasn’t
used by the SP to sign the request, and that condition triggers exactly the
error you document.

Apologies if I misread your description.

David

On 12Oct2022 at 13:57:13, Steve Herrera via users <users at shibboleth.net> wrote:

> This is the first SP that we have come across error messages like this.
>
> 2022-10-12 16:42:06,582 - WARN
> [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:275]
> - Message Handler:  Simple signature validation (with no request-derived
> credentials) failed
>
>
> 2022-10-12 16:42:06,583 - WARN
> [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:214]
> - Message Handler:  Validation of request simple signature failed for
> context issuer:
>
>
> 2022-10-12 16:42:06,583 - WARN
> [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:197] -
> Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
>
> org.opensaml.messaging.handler.MessageHandlerException: Validation of
> request simple signature failed for context issuer
>
>
> I have searched the forum and one explanation was the certificate the SP
> provided was incorrect from the metadata received. I reviewed that and it
> is the same. I have the ability to configure the certificate that this SP
> provides in their metadata and generated a new certificate. Same result. I
> worked with their SAML techs and they made some minor changes on their end.
> They said they are using OpenSAML 3.3.1
>
>
> This is the error when going to the URL for the SP:
>
> The request cannot be fulfilled because the message received does not meet
> the security requirements of the login service.
>
>
> The logon page is never displayed.
>
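As an added illustration (not code from this thread, nor from Shibboleth or OpenSAML) of what "simple signature validation (with no request-derived credentials)" actually checks: the IdP rebuilds the signed octets from the raw Redirect-binding query (SAMLRequest, RelayState, SigAlg, in that order, still URL-encoded) and verifies the detached Signature only against keys taken from the SP's metadata, so a metadata cert that is not the one the SP signed with fails in exactly this way. A constructed textbook RSA key on small primes stands in for the real RSA-SHA256 credential; the SP and IdP functions, key values and sample request are all assumptions for the example.

```python
import base64, hashlib
from urllib.parse import quote, unquote

SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed toy RSA key standing in for the SP's real signing key: real
# deployments use 2048-bit RSA with PKCS#1 v1.5 padding, not textbook RSA.
P, Q, E = 10007, 10009, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def toy_sign(data: bytes, d: int, n: int) -> int:
    return pow(_digest(data, n), d, n)

def toy_verify(data: bytes, sig: int, e: int, n: int) -> bool:
    return pow(sig, e, n) == _digest(data, n)

def raw_params(query: str) -> dict:
    """Split the query into still-URL-encoded name/value pairs."""
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)

def signed_content(raw: dict) -> bytes:
    """Octets the Redirect binding signs: SAMLRequest, RelayState (if present),
    SigAlg, in that order, using the encoded values exactly as on the wire."""
    keys = ("SAMLRequest", "RelayState", "SigAlg")
    return "&".join(f"{k}={raw[k]}" for k in keys if k in raw).encode()

def sp_redirect_query(authn_request_xml: bytes, relay_state: str, d: int, n: int) -> str:
    """SP side: encoded params plus a detached Signature (real SPs DEFLATE first)."""
    raw = {"SAMLRequest": quote(base64.b64encode(authn_request_xml).decode(), safe=""),
           "RelayState": quote(relay_state, safe=""),
           "SigAlg": quote(SIG_ALG, safe="")}
    sig = toy_sign(signed_content(raw), d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return signed_content(raw).decode() + "&Signature=" + quote(base64.b64encode(sig).decode(), safe="")

def idp_validate(query: str, metadata_keys: list) -> tuple:
    """IdP side: verify only against keys published in the SP's metadata;
    a certificate carried inside the request itself is never trusted."""
    raw = raw_params(query)
    if "Signature" not in raw or "SigAlg" not in raw:
        return False, "request is not signed"
    if unquote(raw["SigAlg"]) != SIG_ALG:
        return False, "unsupported SigAlg"
    sig = int.from_bytes(base64.b64decode(unquote(raw["Signature"])), "big")
    data = signed_content(raw)
    if any(toy_verify(data, sig, e, n) for e, n in metadata_keys):
        return True, "simple signature verified with a metadata credential"
    return False, "Simple signature validation (with no request-derived credentials) failed"
```

Swapping the metadata key for one that did not sign the request reproduces the failure, while the same key verifies; the diagnostic is to compare the certificate in the SP's published metadata with the one its software actually loads for signing.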