Simple signature validation

Steve Herrera sherrera at fsmail.bradley.edu
Wed Oct 12 22:37:37 UTC 2022


The SP has a portal where I submit the certificate and generate its
metadata. That's what I put in our IDP. Their techs said that is the
certificate used to sign the request.

On Wed, Oct 12, 2022, 5:22 PM IAM David Bantz <dabantz at alaska.edu> wrote:

> If I understand your description correctly, it kinda doubles down on the
> diagnosis that the signing cert in the SP’s metadata is not the cert with
> which they signed the request (hence preventing the use of that cert to
> validate the signed request). You substituted a cert of your own in the
> metadata to produce “Same result”: that substituted cert certainly wasn’t
> used by the SP to sign the request, and that condition triggers exactly the
> error you document.
>
> Apologies if I misread your description.
>
> David
>
> On 12Oct2022 at 13:57:13, Steve Herrera via users <users at shibboleth.net>
> wrote:
>
>> This is the first SP that we have come across error messages like this.
>>
>> 2022-10-12 16:42:06,582 - WARN
>> [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:275]
>> - Message Handler:  Simple signature validation (with no request-derived
>> credentials) failed
>>
>>
>> 2022-10-12 16:42:06,583 - WARN
>> [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:214]
>> - Message Handler:  Validation of request simple signature failed for
>> context issuer:
>>
>>
>> 2022-10-12 16:42:06,583 - WARN
>> [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:197] -
>> Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
>>
>> org.opensaml.messaging.handler.MessageHandlerException: Validation of
>> request simple signature failed for context issuer
>>
>>
>> I have searched the forum and one explanation was the certificate the SP
>> provided was incorrect from the metadata received. I reviewed that and it
>> is the same. I have the ability to configure the certificate that this SP
>> provides in their metadata and generated a new certificate. Same result. I
>> worked with their SAML techs and they made some minor changes on their end.
>> They said they are using OpenSAML 3.3.1
>>
>>
>> This is the error when going to the URL for the SP:
>>
>> The request cannot be fulfilled because the message received does not
>> meet the security requirements of the login service.
>>
>>
>> The logon page is never displayed.
>>
>>
>>
>> --
>> For Consortium Member technical support, see
>> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>
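The diagnosis in the quoted reply is that the key in the SP's metadata is not the key that actually signed the request, so the IdP's "simple signature" check (the query-string signature of the SAML HTTP-Redirect binding) cannot succeed. The following Go program is an added illustration of that check and is not code from this thread or from Shibboleth/OpenSAML; it assumes RSA-SHA256, builds the signed octet string the way the binding defines it (SAMLRequest, optional RelayState, then SigAlg), signs it as the SP would with one key, and then verifies it as the IdP would against both the real signing key and a different "metadata" key. All keys and the request payload are constructed inline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Constructed example. Under the SAML 2.0 HTTP-Redirect binding the signer
// signs the URL-encoded query string "SAMLRequest=...[&RelayState=...]&SigAlg=..."
// and sends the signature as a separate Signature parameter. The IdP rebuilds
// that exact string from the request and checks it with the public key it
// trusts for the issuer, which it takes from the SP's metadata. A real IdP uses
// the parameter values exactly as they appeared in the request URL rather than
// re-encoding them; re-encoding here is fine because signer and verifier share it.

const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// signedContent builds the octet string that is signed and later verified.
func signedContent(samlRequest, relayState, sigAlg string) string {
	s := "SAMLRequest=" + url.QueryEscape(samlRequest)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return s + "&SigAlg=" + url.QueryEscape(sigAlg)
}

// signRedirect plays the SP: it signs the query string with its private key.
func signRedirect(priv *rsa.PrivateKey, samlRequest, relayState string) (string, error) {
	digest := sha256.Sum256([]byte(signedContent(samlRequest, relayState, sigAlgRSASHA256)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifyRedirect plays the IdP: it rebuilds the signed string from the received
// parameters and checks the signature with the key published in SP metadata.
func verifyRedirect(metadataKey *rsa.PublicKey, samlRequest, relayState, sigAlg, signatureB64 string) bool {
	if sigAlg != sigAlgRSASHA256 {
		return false // only RSA-SHA256 is handled in this example
	}
	sig, err := base64.StdEncoding.DecodeString(signatureB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(signedContent(samlRequest, relayState, sigAlg)))
	return rsa.VerifyPKCS1v15(metadataKey, crypto.SHA256, digest[:], sig) == nil
}

// runScenario reproduces the situation from the thread: the SP signs with one
// key while its metadata carries another. It returns whether verification
// succeeds with the real signing key and with the metadata key.
func runScenario() (sameKeyOK bool, metadataKeyOK bool, err error) {
	signingKey, err := rsa.GenerateKey(rand.Reader, 2048) // key the SP really signs with
	if err != nil {
		return false, false, err
	}
	metadataKey, err := rsa.GenerateKey(rand.Reader, 2048) // different key published in metadata
	if err != nil {
		return false, false, err
	}
	// Constructed request payload; a real one would be DEFLATE-compressed XML.
	samlRequest := base64.StdEncoding.EncodeToString([]byte(`<samlp:AuthnRequest ID="constructed"/>`))
	relayState := "https://sp.example/portal?next=home"

	sigB64, err := signRedirect(signingKey, samlRequest, relayState)
	if err != nil {
		return false, false, err
	}
	sameKeyOK = verifyRedirect(&signingKey.PublicKey, samlRequest, relayState, sigAlgRSASHA256, sigB64)
	metadataKeyOK = verifyRedirect(&metadataKey.PublicKey, samlRequest, relayState, sigAlgRSASHA256, sigB64)
	return sameKeyOK, metadataKeyOK, nil
}

func main() {
	same, meta, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("verified with the SP's real signing key:", same)
	fmt.Println("verified with the key from SP metadata: ", meta)
}
```

The second result is the condition the IdP log reports as "Simple signature validation ... failed": the signature is perfectly valid, it just was not made with any key the IdP can find for that issuer. Replacing the metadata certificate with one of your own generating does not change that unless the SP also signs with the matching private key.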