Simple signature validation

Mak, Steven makst at
Wed Oct 12 22:41:39 UTC 2022

There may be other things you can look at, such as HTTP method and signature "location" incompatibility.

I've had to switch vendors over to our HTTP-POST login endpoint because they weren't able to move the signature from where their code put it. Sometimes it needs to be a parameter, sometimes it needs to be embedded in the XML. I don't know the exact rules.

- Steve

From: users <users-bounces at> on behalf of Steve Herrera via users <users at>
Date: Wednesday, October 12, 2022 at 6:38 PM
To: IAM David Bantz <dabantz at>
Cc: Steve Herrera <sherrera at>, Shib Users <users at>
Subject: Re: Simple signature validation
The SP has a portal where I submit the certificate and generate it's metadata. That's what I put in our IDP. There techs said that is the certificate used to sign the request.
On Wed, Oct 12, 2022, 5:22 PM IAM David Bantz <dabantz at<mailto:dabantz at>> wrote:
If I understand your description correctly, it kinda doubles down on the diagnosis that the signing cert in the SP’s metadata is not the cert with which they signed the request (hence preventing the use of that cert to validate the signed request). You substituted a cert of your own in the metadata to produce “Same result”: that substituted cert certainly wasn’t used by the SP to sign the request, and that condition triggers exactly the error you document.

Apologies if I misread your description.


On 12Oct2022 at 13:57:13, Steve Herrera via users <users at<mailto:users at>> wrote:
This is the first SP that we have come across error messages like this.

2022-10-12 16:42:06,582 - WARN [] - Message Handler:  Simple signature validation (with no request-derived credentials) failed

2022-10-12 16:42:06,583 - WARN [] - Message Handler:  Validation of request simple signature failed for context issuer:

2022-10-12 16:42:06,583 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:197] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message

org.opensaml.messaging.handler.MessageHandlerException: Validation of request simple signature failed for context issuer

I have searched the forum and one explanation was the certificate the SP provided was incorrect from the metadata received. I reviewed that and it is the same. I have the ability to configure the certificate that this SP provides in their metadata and generated a new certificate. Same result. I worked with their SAML techs and they made some minor changes on their end. They said they are using OpenSAML 3.3.1

This is the error when going to the URL for the SP:

The request cannot be fulfilled because the message received does not meet the security requirements of the login service.

The logon page is never displayed.

For Consortium Member technical support, see<;!!IBzWLUs!Uh8wFlfuc978oQXmKDKiX67R9IR7ITEq7a6VXdqacXXM_w0c0r2olxqLQ1Ig13ugysZOVEz1W5OEENUQ$>
To unsubscribe from this list send an email to users-unsubscribe at<mailto:users-unsubscribe at>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list