The request cannot be fulfilled because the message received does not meet the security requirements of the login service

Nate Klingenstein ndk at sudonym.me
Fri Oct 28 19:12:42 UTC 2022


Doug,

It looks like the vendor is signing authentication requests, which is of
dubious value for most cases.  The signature won't show up in the XML with
the HTTP-Redirect binding; it should be present in the URL.

You have two options: get the vendor to stop signing authentication
requests if it adds no value in your scenario, or make sure that the
signature is calculated correctly and that the corresponding public key is
present in their metadata with use="signing" or no use listed.

I would be a little suspicious if you're using their vouched-for metadata
and signature validation is still failing.  If they're doing everything
right, that shouldn't be happening.

Hope this helps,
Nate

On Fri, Oct 28, 2022 at 1:00 PM Wismer, Doug via users <users at shibboleth.net>
wrote:

> Trying to find the reason for this error.  “The request cannot be
> fulfilled because the message received does not meet the security
> requirements of the login service”
>
> The Metadata config has been checked and is per the vendor’s
> recommendation.
>
> Not seeing errors, but warnings.
>
> 2022-10-27 15:11:46,668 - DEBUG [PROTOCOL_MESSAGE:127] - 123.123.123.123 -
> node01ac1xhe309ceqenezc35zwf2k394828 -
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:AuthnRequest
>     AssertionConsumerServiceURL="https://somesp.somesp.com/saml-prodtest/token"
>     Destination="https://sso.it.utsa.edu/idp/profile/SAML2/Redirect/SSO"
>     ID="_d0fd17d8c3c271dd00e5" IssueInstant="2022-10-27T20:11:37.505Z"
>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>     Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://host.someissuer.com/</saml:Issuer>
>     <samlp:NameIDPolicy AllowCreate="true"
>         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>         xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>
>     <samlp:RequestedAuthnContext Comparison="exact"
>         xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>         <saml:AuthnContextClassRef
>             xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
>     </samlp:RequestedAuthnContext>
> </samlp:AuthnRequest>
>
> 2022-10-27 15:11:46,760 - WARN
> [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:277]
> - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 - Message
> Handler:  Simple signature validation (with no request-derived credentials)
> failed
>
> 2022-10-27 15:11:46,761 - WARN
> [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:214]
> - 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 - Message
> Handler:  Validation of request simple signature failed for context issuer:
> https://host.someissuer.com/
>
> 2022-10-27 15:11:46,762 - WARN
> [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:202] -
> 123.123.123.123 - node01ac1xhe309ceqenezc35zwf2k394828 - Profile Action
> WebFlowMessageHandlerAdaptor: Exception handling message
> org.opensaml.messaging.handler.MessageHandlerException: Validation of
> request simple signature failed for context issuer
>         at
> org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler.doEvaluate(BaseSAMLSimpleSignatureSecurityHandler.java:216)
>
> 2022-10-27 15:11:46,765 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - 123.123.123.123 -
> node01ac1xhe309ceqenezc35zwf2k394828 - A non-proceed event occurred while
> processing the request: MessageAuthenticationError
>
> Any help diagnosing is appreciated.  Thanks.
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
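Added example (Python, not code from this thread, from Shibboleth or from the vendor): the two IdP-side checks behind the warnings above, reduced to standalone functions. `redirect_signed_content` rebuilds exactly the bytes a Redirect-binding simple signature covers from the raw query string, and `signing_certificates` picks out the metadata keys eligible for verifying it (use="signing" or no use attribute); the sample URL and metadata are constructed, and the RSA verification step itself is left out.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def redirect_signed_content(url: str) -> Optional[Tuple[bytes, str, str]]:
    """Return (signed_bytes, sig_alg, signature_b64) for a signed HTTP-Redirect
    URL, or None when SigAlg/Signature are absent. Signed bytes are SAMLRequest
    (or SAMLResponse), RelayState if present, then SigAlg, joined by '&', each
    value exactly as transmitted (split by hand, never decoded and re-encoded)."""
    raw = dict(p.split("=", 1) for p in urlsplit(url).query.split("&") if "=" in p)
    msg = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    if not {msg, "SigAlg", "Signature"} <= set(raw):
        return None
    parts = [f"{msg}={raw[msg]}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    return "&".join(parts).encode("ascii"), unquote(raw["SigAlg"]), unquote(raw["Signature"])


def signing_certificates(metadata_xml: str) -> List[str]:
    """Certificates the IdP may use to verify this entity's signatures: those in
    KeyDescriptors with use="signing" or no use attribute; use="encryption" is
    never consulted, so a key published only for encryption cannot validate."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            certs += ["".join((c.text or "").split()) for c in kd.iter(DS + "X509Certificate")]
    return certs


# Constructed sample, not a real request: SAMLRequest is the base64 of "deflated"
# and Signature is a placeholder, not a real RSA signature.
SAMPLE_URL = ("https://sso.example.edu/idp/profile/SAML2/Redirect/SSO"
              "?SAMLRequest=ZGVmbGF0ZWQ%3D&RelayState=https%3A%2F%2Fapp.example.com%2F"
              "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
              "&Signature=UExBQ0VIT0xERVI%3D")

# Constructed SP metadata: a signing key, an encryption-only key and a dual-use
# key (no use attribute). Certificate bodies are placeholders, not real DER.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD[1:-1]}" xmlns:ds="{DS[1:-1]}"
    entityID="https://host.someissuer.com/"><md:SPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    SIGNING CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    ENCRYPTIONCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    DUALUSECERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:SPSSODescriptor></md:EntityDescriptor>"""
```

If `redirect_signed_content` returns None for a request the vendor claims to sign, the signature is not in the URL at all; if it returns bytes that the IdP still rejects, compare the eligible certificates from `signing_certificates` against the key the vendor actually signs with.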