Strange issue with Redirect endpoint and simple signing

Mark McCoy Mark.McCoy at utsa.edu
Thu Oct 27 21:21:01 UTC 2022


We are integrating a new app to our IdP and are having an issue with the SimpleSignature on the Redirect endpoint.

The SP sends an AuthRequest as usual, and in the HTTP request is the SimpleSignature, which is normal; we have other SPs that do this. Our issue is that every time we test, we get a WARN in the IdP process log saying "Simple signature validation (with no request-derived credentials) failed" and then the final error "Validation of request simple signature failed for context issuer", and the IdP displays an error message to the user, ending the conversation.

We've tested various combinations of the AuthRequestSigned=true/false in their metadata, cutting and pasting certificates back and forth, etc. (the standard troubleshooting that we would normally do). The vendor does not normally test against Shibboleth (they have their own IdP that they support) but they stood up an instance of Shibboleth in a default configuration and made the changes that they have published on their documentation site to integrate their application with Shibboleth. They cannot replicate the issue in their lab, and they report that they have customers using this product with a Shibboleth IdP.

We have what we would consider a standard out-of-the-box config with only minimal customization (it took us many years even to use a custom template, and we stuck with the default template with our logo replacing the default one).

Does anyone have any other avenues of troubleshooting that we can go down?


Mark McCoy
Manager, Enterprise Collaboration Services
The University of Texas at San Antonio
University Technology Solutions
One UTSA Circle
San Antonio, TX 78249-3209
210.458.5871
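
A diagnostic sketch for the failure described in the message above, added here as an example (it is not part of the original post and is not Shibboleth's code). It rebuilds the byte string that an HTTP-Redirect signature covers under SAML 2.0 Bindings section 3.4.4.1 (the still-URL-encoded SAMLRequest, RelayState and SigAlg values in that fixed order), flags requests whose signed bytes would change if anything decoded and re-encoded them, and reports the Issuer, Destination and SigAlg the IdP sees. The host names, RelayState and Signature value in the sample are constructed.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

SIGNED_ORDER = ("SAMLRequest", "RelayState", "SigAlg")  # order fixed by SAML Bindings 3.4.4.1
ASSERTION_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def raw_params(query):
    """Split a query string without decoding, so values stay exactly as transmitted."""
    params = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(name, value)
    return params

def signed_content(query):
    """Bytes the Signature parameter covers: still-encoded values, fixed order, no Signature."""
    p = raw_params(query)
    return "&".join(f"{n}={p[n]}" for n in SIGNED_ORDER if n in p).encode("ascii")

def reencoding_changes_signed_bytes(query):
    """True when a decode/re-encode round trip would alter the signed bytes."""
    p = raw_params(query)
    rebuilt = "&".join(f"{n}={quote(unquote(p[n]), safe='')}" for n in SIGNED_ORDER if n in p)
    return rebuilt.encode("ascii") != signed_content(query)

def describe_request(query, max_xml=65536):
    """Inflate SAMLRequest (size-capped) and report the fields signature lookup depends on."""
    p = raw_params(query)
    deflated = base64.b64decode(unquote(p["SAMLRequest"]))
    xml = zlib.decompressobj(-15).decompress(deflated, max_xml)  # raw DEFLATE, no zlib header
    root = ET.fromstring(xml)  # self-captured traffic only; use defusedxml for untrusted XML
    return {"issuer": root.findtext(ASSERTION_NS + "Issuer"),
            "destination": root.get("Destination"),
            "sig_alg": unquote(p.get("SigAlg", ""))}

def build_sample_query():
    """Constructed sample: parameters out of order, lowercase escapes in SigAlg."""
    xml = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" '
           b'IssueInstant="2022-10-27T21:00:00Z" Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SSO">'
           b'<saml:Issuer>https://sp.example.org/sp</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    req = quote(base64.b64encode(comp.compress(xml) + comp.flush()).decode(), safe="")
    sig_alg = "http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256"
    return f"SAMLRequest={req}&SigAlg={sig_alg}&RelayState=rs1&Signature=Q09OU1RSVUNURUQ%3D"

if __name__ == "__main__":
    print(signed_content(build_sample_query()).decode())
```

Feed it the raw query string from a browser trace or access log rather than a copy that has passed through a URL parser, since the point is to see the bytes exactly as sent.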