Getting "Signature validation failed. SAML Response rejected"


I’m getting the following error when trying to process an IdP-initiated SAML2 response using python-saml and flask:

Signature validation failed. SAML Response rejected

I’m following the example here. My code is:

from urllib.parse import urlparse  # Python 2 (the toolkit's era): from urlparse import urlparse
from flask import request
from onelogin.saml2.auth import OneLogin_Saml2_Auth

# Build the request description the toolkit expects from the Flask request
url_data = urlparse(request.url)
req = {
    "https": "on",
    "http_host": request.host,
    "server_port": url_data.port,
    "script_name": request.path,
    "get_data": request.args.copy(),
    "post_data": request.form.copy()
}
auth = OneLogin_Saml2_Auth(req, custom_base_path=app.config['SAML_PATH'])
auth.process_response()
errors = auth.get_errors()  # non-empty when validation fails; get_last_error_reason() gives the detail

In SAML_PATH, I have the following in my settings.json file:

{
    "strict": false,
    "debug": true,
    "sp": {
        "entityId": "[spEntityId]",
        "assertionConsumerService": {
            "url": "[acsUrl]",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        },
        "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
        "x509cert": "[x509cert]",
        "privateKey": "[privateKey]"
    },
    "idp": {
        "entityId": "[idpEntityId]",
        "singleSignOnService": {
            "url": "http://dummy.com/saml2",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "singleLogoutService": {
            "url": "http://dummy.com/saml2",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "x509cert": "[x509cert]"
    },
    "security": {
        "nameIdEncrypted": false,
        "authnRequestsSigned": false,
        "logoutRequestSigned": false,
        "logoutResponseSigned": false,
        "signMetadata": false,
        "wantMessagesSigned": true,
        "wantAssertionsSigned": true,
        "wantNameIdEncrypted": false,
        "requestedAuthnContext": false
    }
}

As you can see, I’m using dummy values for the IdP singleSignOnService and singleLogoutService URLs. I don’t think I need them in my case as I just need to process the SAML Response, but I’m not completely sure about that. The response has a signed message and encrypted assertion:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="[Destination]" ID="[ID]" IssueInstant="2015-11-30T15:35:02.702Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        [Issuer]
    </saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="[ID]" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey Id="[ID]" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:CipherValue>
                            [CipherValue]
                        </xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>
                    [CipherValue]
                </xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

I’ve verified that the x509cert and privateKey are correct. I’m new to SAML2, so I’m hoping it’s something simple 😃 Thank you in advance and please let me know if you need more information.

Issue Analytics

  • State: closed
  • Created 8 years ago
  • Comments: 17 (5 by maintainers)

Top GitHub Comments

1 reaction
poojated commented, Mar 23, 2020

My response is validated on Samltool.com, but after sending it I still got the error "Signature validation issue". Can anyone tell me what the issue could be? I split my X509Certificate into 64-character lines. Could this be the issue?

1 reaction
pitbulk commented, Dec 11, 2015

The Signature element does not include a KeyInfo element, which is currently required by the Toolkit: https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/utils.py#L927

In the ruby-saml toolkit I removed this requirement: https://github.com/onelogin/ruby-saml/commit/3c9dd5eec80da8cb805fb41a059913f718211908

So I plan to remove this requirement from the rest of the toolkits, but I can’t say how long it will take, so try to set the IdP to include that KeyInfo element.
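The two comments above point at the two facts that decide this error before the signature maths even runs: whether the IdP put a ds:KeyInfo inside ds:Signature (pitbulk's comment) and whether the certificate the SP was given is really the same one, regardless of PEM headers or 64-character line wrapping (poojated's comment). The following script is an added example, not code from the issue or from python-saml; it uses only the standard library, reads a SAML Response as raw XML or as the base64 SAMLResponse POST field, and reports where the Signature sits, whether it carries KeyInfo, whether the embedded certificate's fingerprint matches the configured idp.x509cert, and whether the Assertion is encrypted. The sample responses and the certificate bytes are constructed for the demonstration (the "certificate" is placeholder bytes, not a real X.509 DER), and the script does not verify the XML-DSig itself; that remains python-saml's job.

```python
"""Added diagnostic for 'Signature validation failed. SAML Response rejected'.
Example code, not from the issue or from python-saml.  Stdlib only."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder bytes standing in for a DER certificate: only the
# byte comparison matters here, this is NOT a real X.509 certificate.
SAMPLE_CERT_DER = bytes(range(64)) * 4
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()


def normalize_cert(cert):
    """Strip PEM armour and all whitespace so a one-line certificate and one
    wrapped at 64 characters (poojated's case) compare equal."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    return re.sub(r"\s+", "", body)


def cert_fingerprint(cert, alg="sha256"):
    """Fingerprint of the DER bytes, independent of PEM formatting."""
    return hashlib.new(alg, base64.b64decode(normalize_cert(cert))).hexdigest()


def wrap64(b64):
    """Re-wrap a base64 body at 64 characters, as many IdPs export it."""
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def as_post_field(xml):
    """The base64 form the browser posts in the SAMLResponse field."""
    return base64.b64encode(xml.encode()).decode()


def build_signature(cert_b64=None):
    """Constructed ds:Signature skeleton; KeyInfo is emitted only when a
    certificate is given, mirroring the IdP behaviour pitbulk describes."""
    keyinfo = ""
    if cert_b64 is not None:
        keyinfo = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s"
                   "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>" % cert_b64)
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo/>'
            '<ds:SignatureValue>AAAA</ds:SignatureValue>%s</ds:Signature>'
            % (NS["ds"], keyinfo))


def build_response(signature=None, encrypted=True):
    """Constructed Response shaped like the one in the issue: optionally signed
    at the message level and carrying an EncryptedAssertion."""
    if encrypted:
        body = ('<saml:EncryptedAssertion><xenc:EncryptedData '
                'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>')
    else:
        body = '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-11-30T15:35:02Z"/>'
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
            'IssueInstant="2015-11-30T15:35:02Z"><saml:Issuer>https://idp.example.test'
            '</saml:Issuer>%s<samlp:Status><samlp:StatusCode '
            'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>%s'
            '</samlp:Response>' % (NS["samlp"], NS["saml"], signature or "", body))


def diagnose(saml_response, idp_cert):
    """Report the facts that decide the toolkit's signature check.  Accepts raw
    XML or the base64 POST form.  Does not verify the XML-DSig itself."""
    text = saml_response.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    root = ET.fromstring(text)
    assertion = root.find("saml:Assertion", NS)
    response_sig = root.find("ds:Signature", NS)
    assertion_sig = None if assertion is None else assertion.find("ds:Signature", NS)
    report = {
        "response_signed": response_sig is not None,
        "assertion_signed": assertion_sig is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "signature_has_keyinfo": None,      # None: no signature to inspect
        "keyinfo_cert_matches_idp": None,   # None: no certificate inside KeyInfo
    }
    sig = response_sig if response_sig is not None else assertion_sig
    if sig is not None:
        keyinfo = sig.find("ds:KeyInfo", NS)
        report["signature_has_keyinfo"] = keyinfo is not None
        embedded = None if keyinfo is None else keyinfo.find(".//ds:X509Certificate", NS)
        if embedded is not None and embedded.text:
            report["keyinfo_cert_matches_idp"] = (
                cert_fingerprint(embedded.text) == cert_fingerprint(idp_cert))
    return report


def findings(report):
    """Turn the report into the checks to act on, most likely cause first."""
    out = []
    if not (report["response_signed"] or report["assertion_signed"]):
        out.append("no ds:Signature on the Response or the Assertion: nothing to validate")
    elif report["signature_has_keyinfo"] is False:
        out.append("ds:Signature has no ds:KeyInfo: the toolkit version in this issue rejects it")
    elif report["keyinfo_cert_matches_idp"] is False:
        out.append("certificate in KeyInfo differs from idp.x509cert in settings.json")
    if report["assertion_encrypted"] and not report["response_signed"]:
        out.append("Response is unsigned and the Assertion is encrypted: any Assertion "
                   "signature can only be checked after decryption with the SP private key")
    return out


if __name__ == "__main__":
    # The issue's shape: Response-level Signature without KeyInfo, encrypted Assertion.
    for line in findings(diagnose(build_response(build_signature()), SAMPLE_CERT_B64)):
        print(line)
```

Run it against the real response by passing the SAMLResponse field value from the POST straight into diagnose() together with the idp.x509cert string from settings.json. A fingerprint mismatch means the certificate really differs and no amount of re-wrapping will help; a missing KeyInfo with a matching certificate on the IdP side is exactly the case the maintainer describes. Separately, note that the settings in the question run with "strict": false; python-saml only enforces the wantMessagesSigned and wantAssertionsSigned requirements, and the Destination and Conditions checks, when strict is true, so once the signature problem is solved that flag should be turned on before the SP sees production traffic.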
