Error incorrect signature on SAML Assert
See original GitHub issue
I am getting an “incorrect signature” error on the SAML POST response hitting the assert endpoint. I traced it down in the samlify source to this code in entity.ts:

    // verify the signatures (for both assertion/message)
    if (!libsaml.verifySignature(res, {
      cert: opts.from.entityMeta,
      signatureAlgorithm: opts.from.entitySetting.requestSignatureAlgorithm,
    })) {
      throw new Error('incorrect signature');
    }
But when I check my response using this service: https://www.samltool.com/validate_response.php everything seems to validate fine. How can I debug this further?
Issue Analytics
- State:
- Created 6 years ago
- Comments: 8 (5 by maintainers)
Top GitHub Comments
@tngan I traced down the issue to being a mismatch on the digest value. The calculated digest of the canonized assertion does not match the value in the signature. This part of the code is in the xml-crypto library.
In the verifySignature method, when using xml-crypto and calling checkSignature, you can get the validationErrors. This helped me figure out that the issue is with the digest value mismatch.
Still trying to figure out if it is an issue with how the assertion is canonized.
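One way to see the digest-versus-signature distinction hammadzz describes, as an added example that is not code from the issue or from samlify: a stdlib-only Python script that recomputes each ds:Reference digest over a constructed sample response (the Response, Assertion, IDs and DigestValue are all made up here) and shows that editing the assertion or pretty-printing the XML flips the digest check while the stored DigestValue stays the same. It assumes Python 3.9+ and uses the standard library's C14N 2.0 in place of the Exclusive C14N a SAML verifier applies, so it models the step rather than reproducing samlify's result.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
for prefix, uri in (("ds", DS), ("saml", SAML), ("samlp", SAMLP)):
    ET.register_namespace(prefix, uri)
DIGEST_ALGS = {"http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
               "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}
# Constructed sample: Response with an enveloped Assertion signature; SignatureValue is a dummy.
TEMPLATE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">'
    '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.test</saml:Issuer>'
    f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#_a1">'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
    '<ds:DigestValue>DIGEST_PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    '<ds:SignatureValue>not-checked-here</ds:SignatureValue></ds:Signature>'
    '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>')

def reference_digest(doc, ref_id, hasher):
    """Digest of the element with ID ref_id after dropping the enveloped ds:Signature and
    canonicalizing. Stdlib C14N 2.0 stands in for a SAML verifier's Exclusive C14N here."""
    target = next(e for e in ET.fromstring(doc).iter() if e.get("ID") == ref_id)
    canon = ET.canonicalize(ET.tostring(target, encoding="unicode"),
                            exclude_tags=[f"{{{DS}}}Signature"])
    return base64.b64encode(hasher(canon.encode()).digest()).decode()

def check_references(doc):
    """Recompute each ds:Reference digest; False means the canonical form changed."""
    results = []
    for ref in ET.fromstring(doc).iter(f"{{{DS}}}Reference"):
        alg = ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
        stored = ref.find(f"{{{DS}}}DigestValue").text.strip()
        computed = reference_digest(doc, ref.get("URI").lstrip("#"), DIGEST_ALGS[alg])
        results.append((ref.get("URI"), stored == computed))
    return results

def signed_response():
    """Fill the placeholder with the real digest so the fixture verifies as received."""
    return TEMPLATE.replace("DIGEST_PLACEHOLDER",
                            reference_digest(TEMPLATE, "_a1", hashlib.sha256))

def pretty_printed(doc):
    """Re-indent the document, as an XML viewer or a copy/paste round trip might."""
    root = ET.fromstring(doc)
    ET.indent(root)
    return ET.tostring(root, encoding="unicode")
```

Running check_references on signed_response(), on a copy with the NameID edited, and on pretty_printed(signed_response()) gives [('#_a1', True)] for the first and [('#_a1', False)] for the other two, which is the digest-stage failure xml-crypto reports separately from a bad SignatureValue.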
@hammadzz
Another possibility is the order of signature, in case you have encryption in the SAML assertion as well. The default is sign-then-encrypt, but most likely it would be encrypt-then-sign.
Any tips on what can be done to debug this further? Is samltool.com wrong, or does the library have a bug?
samltool.com is good enough. I cannot tell whether samlify has a bug or there is a configuration mistake at this stage until I know the exact problem. Would you like to set up a sample repository so we can take a deeper look? Please send an email to passify.io@gmail.com if there is something you don’t want to expose here.