<ds:Signature> data not coming in saml request
I am using the java onelogin toolkit in my project. I am able to send the SAML request and am getting a response. The only thing that is not working for me is that the SAML request is not coming out signed. Please help.
# If 'strict' is true, the Java Toolkit will reject unsigned
# or unencrypted messages if it expects them signed or encrypted.
# It will also reject messages that do not strictly follow the SAML standard.
onelogin.saml2.strict = true

# Enable debug mode (to print errors)
onelogin.saml2.debug = true

# Identifier of the SP entity (must be a URI)
onelogin.saml2.sp.entityid = https://installs.mycompany.com/start/metadata.jsp

# Specifies info about where and how the <AuthnResponse> message MUST be
# returned to the requester, in this case our SP.
# URL location where the <Response> from the IdP will be returned
onelogin.saml2.sp.assertion_consumer_service.url = http://installs.mycompany/start/login.jsp

# SAML protocol binding to be used when returning the <Response>
# message. The OneLogin Toolkit supports for this endpoint the
# HTTP-POST binding only, so HTTP-Redirect is not a valid value here.
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

# Specifies info about where and how the <LogoutResponse> message MUST be
# returned to the requester, in this case our SP.
onelogin.saml2.sp.single_logout_service.url = http://installs.mycompany/start/Logout.jsp

# SAML protocol binding to be used when returning the <LogoutResponse> or sending the
# <LogoutRequest> message. The OneLogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

# Specifies constraints on the name identifier to be used to
# represent the requested subject.
# Take a look at lib/Saml2/Constants.php to see the NameIdFormats supported
onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

# Usually the x509cert and privateKey of the SP are provided by files placed in
# the certs folder, but they can also be provided with the following parameters.
onelogin.saml2.sp.x509cert = MIIDyzCCArKgA..................
# Requires PKCS#8 format (BEGIN PRIVATE KEY).
# If you have PKCS#1 (BEGIN RSA PRIVATE KEY), convert it with:
#   openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
onelogin.saml2.sp.privatekey = MIIEwQI................

# Identity Provider data that we want to connect with our SP

# Identifier of the IdP entity (must be a URI)
onelogin.saml2.idp.entityid = https://testIdp.com/

# SSO endpoint info of the IdP (Authentication Request protocol).
# URL target of the IdP where the SP will send the Authentication Request message
onelogin.saml2.idp.single_sign_on_service.url = https://testIdp/nidp/saml2/sso

# SAML protocol binding to be used when sending the <AuthnRequest>
# message. The OneLogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

# SLO endpoint info of the IdP.
# URL location of the IdP where the SP will send the SLO Request
onelogin.saml2.idp.single_logout_service.url =

# Optional SLO Response endpoint info of the IdP.
# URL location of the IdP where the SP will send the SLO Response. If left blank, the same URL as
# onelogin.saml2.idp.single_logout_service.url will be used.
# Some IdPs use a separate URL for receiving the logout request and the logout response;
# use this property to set the separate response URL.
onelogin.saml2.idp.single_logout_service.response.url =

# SAML protocol binding to be used when sending the <LogoutRequest> or
# <LogoutResponse> message. The OneLogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

# Public x509 certificate of the IdP
onelogin.saml2.idp.x509cert = MIIFJDCC..................

# Instead of using the whole x509cert you can use a fingerprint
# (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
# or add for example the -sha256, -sha384 or -sha512 parameter).
# If a fingerprint is provided, then certfingerprint_algorithm is required in order to
# let the toolkit know which algorithm was used. Possible values: sha1, sha256, sha384 or sha512;
# 'sha1' is the default value.
# Caution: the fingerprint below is 20 bytes long, i.e. a SHA-1 fingerprint, so it cannot match
# with certfingerprint_algorithm = sha256. Either regenerate it with -sha256, or leave both
# fingerprint settings empty and rely on the full certificate above (the stronger option).
onelogin.saml2.idp.certfingerprint = 14:F3:42:DC:0A:DF:8A:6A:F8:6E:E3:F7:06:47:11:46:A9:2B:0A:73
onelogin.saml2.idp.certfingerprint_algorithm = sha256

# Security settings

# Indicates that the NameID of the <samlp:LogoutRequest> sent by this SP
# will be encrypted.
onelogin.saml2.security.nameid_encrypted = true

# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
# will be signed. [The metadata of the SP will offer this info]
onelogin.saml2.security.authnrequest_signed = true

# Indicates whether the <samlp:LogoutRequest> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutrequest_signed = false

# Indicates whether the <samlp:LogoutResponse> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutresponse_signed = false

# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
# <samlp:LogoutResponse> elements received by this SP to be signed.
onelogin.saml2.security.want_messages_signed = false

# Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed.
onelogin.saml2.security.want_assertions_signed = true

# Indicates a requirement for the metadata of this SP to be signed.
# Right now supported: null (in order to not sign) or true (sign using the SP private key)
onelogin.saml2.security.sign_metadata = false

# Indicates a requirement for the assertions received by this SP to be encrypted
onelogin.saml2.security.want_assertions_encrypted = false

# Indicates a requirement for the NameID received by this SP to be encrypted
onelogin.saml2.security.want_nameid_encrypted = false

# Authentication context.
# Set empty and no AuthnContext will be sent in the AuthnRequest.
# Set comma-separated AuthnContextClassRef URNs, e.g. urn:oasis:names:tc:SAML:2.0:ac:classes:Password
# The request is sent with Comparison="exact", so each value must be a real class URN; a doubled
# "urn:oasis:names:tc:SAML:2.0:ac:classes:" prefix will not match anything at the IdP.
onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password

# Indicates if the SP will validate all received XML.
# (In order to validate the XML, 'strict' and 'want_xml_validation' must be true.)
onelogin.saml2.security.want_xml_validation = true

# Algorithm that the toolkit will use in the signing process. Options:
#   'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
#   'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
#   'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
#   'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
#   'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
# The value must be one of these exact URIs: rsa-sha256 lives in the xmldsig-more namespace,
# not in the 2000/09 xmldsig one. Prefer the SHA-2 variants; the SHA-1 ones are legacy.
onelogin.saml2.security.signature_algorithm = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Generated SAML request as below:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_50826410-f003-4df5-854a-6440b185c628"
    Version="2.0" IssueInstant="2018-01-18T06:50:30Z"
    Destination="https://testIdp.com/nidp/saml2/sso"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://installs.mycompany/dpc/start/login.jsp">
  <saml:Issuer>https://installs.mycompany/start/metadata.jsp</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Issue Analytics
- Created 6 years ago
- Reactions: 1
- Comments: 11 (5 by maintainers)
Later in the same issue (#141): "IdP is complaining about missing ds:Signature info in the SAML request. As per them, the request is not signed. In previous comment..."
@mandeep5299 The AuthnRequest is sent using the HTTP-Redirect binding, so the signature is not embedded inside the AuthnRequest element; instead it is sent as a Signature GET parameter.
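The point in the reply above is easiest to see by building such a redirect URL and checking it the way an IdP must. The following is an added example, not java-saml's code and not anything posted in this issue; it is written in Go so that it runs with only the standard library, although the binding itself is language-independent. The SP side DEFLATEs, base64- and URL-encodes the AuthnRequest and signs the SAMLRequest, RelayState and SigAlg parameters with RSA-SHA256; the IdP side rebuilds the signed string from the parameter values exactly as received, checks the signature, and only then inflates the request. The request XML, hostnames, ID and RelayState are constructed placeholders, only RSA-SHA256 is accepted, and both sides share a throwaway key generated at run time (assumptions, not values from the issue).

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// Constructed sample AuthnRequest; the ID and hosts are placeholders, not values from the issue.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ` +
	`xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" ` +
	`IssueInstant="2018-01-18T06:50:30Z" Destination="https://idp.example/sso">` +
	`<saml:Issuer>https://sp.example/metadata</saml:Issuer></samlp:AuthnRequest>`
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// newSPKey returns a throwaway 2048-bit RSA key standing in for the configured SP private key.
func newSPKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// BuildRedirectURL is the SP side. The request is raw-DEFLATEd, base64- and URL-encoded, then signed
// together with RelayState (if any) and SigAlg, in that fixed order (SAML Bindings 2.0, section 3.4.4.1).
// The signature travels as its own query parameter; nothing is added to the XML, so no <ds:Signature>
// element appears inside a redirect-bound AuthnRequest.
func BuildRedirectURL(ssoURL, authnRequestXML, relayState string, key *rsa.PrivateKey) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // raw DEFLATE, no zlib header
	w.Write([]byte(authnRequestXML))                         // writes to a bytes.Buffer cannot fail
	w.Close()
	toSign := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes()))
	if relayState != "" {
		toSign += "&RelayState=" + url.QueryEscape(relayState)
	}
	toSign += "&SigAlg=" + url.QueryEscape(rsaSHA256)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return ssoURL + "?" + toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectURL is the IdP side. It rebuilds the signed string from the parameter values exactly
// as received (still URL-encoded): decoding and re-encoding them can change the octets and make a
// valid signature fail. On success it returns the inflated AuthnRequest XML.
func VerifyRedirectURL(redirectURL string, pub *rsa.PublicKey) (string, error) {
	_, query, _ := strings.Cut(redirectURL, "?")
	raw := map[string]string{} // parameter name -> value as received
	for _, kv := range strings.Split(query, "&") {
		name, val, _ := strings.Cut(kv, "=")
		raw[name] = val
	}
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != rsaSHA256 {
		return "", fmt.Errorf("unexpected SigAlg %q", alg) // never let the sender pick a weak algorithm
	}
	toVerify := "SAMLRequest=" + raw["SAMLRequest"]
	if rs, ok := raw["RelayState"]; ok {
		toVerify += "&RelayState=" + rs
	}
	toVerify += "&SigAlg=" + raw["SigAlg"]
	sigB64, err := url.QueryUnescape(raw["Signature"])
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || err2 != nil {
		return "", fmt.Errorf("malformed or missing Signature parameter")
	}
	digest := sha256.Sum256([]byte(toVerify))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	// Only now is the request itself decoded; its percent-encoding was covered by the signature.
	encoded, _ := url.QueryUnescape(raw["SAMLRequest"])
	deflated, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	xml, err := io.ReadAll(flate.NewReader(bytes.NewReader(deflated)))
	return string(xml), err
}

func main() {
	key := newSPKey()
	redirect, _ := BuildRedirectURL("https://idp.example/sso", sampleAuthnRequest, "state-123", key)
	xml, err := VerifyRedirectURL(redirect, &key.PublicKey)
	fmt.Println(redirect, "\nverified:", err == nil, "round-trips:", xml == sampleAuthnRequest)
}
```

When checking a report like the one above, look at the redirect URL (the Location header, or the request in the browser's network tab) for SigAlg and Signature query parameters rather than for a <ds:Signature> element; the XML signature is embedded in the message only when it is carried over HTTP-POST. On the receiving side, the usual cause of a spurious "signature validation failed" is verifying over re-encoded parameters: a single difference such as + versus %2B changes the signed octets, which is why the verifier here never re-escapes what it received.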
@mandeep5299 if you have a new issue on java-saml you should create a new one instead of replying on another, unrelated issue thread.
java-saml is not listed on that report because it was not vulnerable.