Getting 'Invalid Signature' error on SAML Response. XML digests do not match
We're having some issues getting passport-saml set up with an Okta IDP. We are getting a response back from our IDP, but the validation is failing. Our IDP made sure that the signature and digests are done with SHA1. Debugging into the code (all the way into xml-crypto), I'm finding that it is failing when the digests don't match. If we comment out the assertion validation, we are getting all the expected data, so I'm pretty sure that the SAML response is formatted properly.
I added in a console.log to get the canonXML that is being hashed for the digest, and the output is this:
<ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_73bfe3a75de08316ce83cb05534a91aa2837" IssueInstant="2015-03-16T21:50:22Z" Version="2.0">
<ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">REDACTED</ns2:Issuer>
<ns2:Subject>
<ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">REDACTED</ns2:NameID>
<ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<ns2:SubjectConfirmationData NotOnOrAfter="2015-03-16T21:51:51Z" Recipient="https://REDACTED"></ns2:SubjectConfirmationData>
</ns2:SubjectConfirmation>
</ns2:Subject>
<ns2:Conditions NotBefore="2015-03-16T21:49:51Z" NotOnOrAfter="2015-03-16T21:51:51Z">
<ns2:AudienceRestriction>
<ns2:Audience>REDACTED</ns2:Audience>
</ns2:AudienceRestriction>
</ns2:Conditions>
<ns2:AuthnStatement AuthnInstant="2015-03-16T21:22:30Z" SessionIndex="rqRyLqemlvvu9A3OE9la6I1Z8iY=RgRbeg==" SessionNotOnOrAfter="2015-03-16T21:51:51Z">
<ns2:AuthnContext>
<ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
</ns2:AuthnContext>
</ns2:AuthnStatement>
<ns2:AttributeStatement>
<ns2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>REDACTED</ns2:AttributeValue>
</ns2:Attribute>
<ns2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>REDACTED</ns2:AttributeValue>
</ns2:Attribute>
</ns2:AttributeStatement>
</ns2:Assertion>
One thing that concerns me is the ’ ’ line endings, yet in the console we are also getting the line feeds and other whitespace. I know next to nothing about XML canonicalization, but I'm wondering if the CRLFs in the SAML Response are not being properly transformed into the canonical XML for hashing.
Another thing we're wondering is whether our configuration on the provider side has anything to do with the digest and signature (aside from the cert). For example, all the code examples we've seen have 'passport-saml' as the issuer, but we used our own issuer that we created basically at random and gave to our IDP. We assumed that was just a placeholder for our own issuer.
Unfortunately, my team isn’t in charge of the IDP so we don’t really have much control over it, and we’re also the first in our org to try to use Node.js with SAML, so we’re treading new ground with our SAML team to get this working.
Issue Analytics
- Created 9 years ago
- Comments: 9 (5 by maintainers)
@archa347 How did your follow-up with xml-crypto go? That project doesn't keep a Changelog, so it's hard to tell if there have been any related fixes to xml-crypto. If so, it could be a good idea to version-bump the dependency that passport-saml requires.

Start by checking out the passport-saml source code.
On Tue, Jan 2, 2018, 1:55 AM akash-goel notifications@github.com wrote: