AzureAD / passport-azure-ad

The code for Passport Azure AD has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/passport-azure-ad

Invalid Signature Error in SAML.validateResponse #6

Closed iamakimmer closed 10 years ago

iamakimmer commented 10 years ago

Did something change in Azure regarding handling the token information?

All of a sudden I'm getting an error in the callback. It's been working fine for a while, but today I'm failing in the post callback:

app.post('/login/callback',
  passport.authenticate('wsfed-saml2', { failureRedirect: '/', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  });

returns:

500 Error: Invalid signature
    at SAML.validateResponse (/test/node_modules/passport-azure-ad/lib/passport-azure-ad/wsfedsaml.js:103:21)
    at Strategy._doAuthenticate (/test/node_modules/passport-azure-ad/lib/passport-azure-ad/wsfedstrategy.js:109:16)
    at Strategy.authenticate (/test/node_modules/passport-azure-ad/lib/passport-azure-ad/wsfedstrategy.js:95:10)
    at attempt (/test/node_modules/passport/lib/passport/middleware/authenticate.js:243:16)
    at Passport.authenticate (/test/node_modules/passport/lib/passport/middleware/authenticate.js:244:7)

Just to be sure I created a new AD with new endpoints and new app from the tutorial (https://github.com/MSOpenTech/AzureAD-Node-Sample/wiki/Windows-Azure-Active-Directory-WebSSO-using-WS-Federation-with-passport.js)

RandalliLama commented 10 years ago

Do you have the latest version of the package: 0.0.2 https://npmjs.org/package/passport-azure-ad

iamakimmer commented 10 years ago

Yes, and I'm using just the example
https://github.com/MSOpenTech/passport-azure-ad/tree/master/examples/login-wsfed

I only changed the identityProviderUrl and identityMetadata config. The user is authenticated, goes into my post login/callback, but fails with that exception. Logout works fine and redirects back to the home page. If I put in the wrong password or an inactive user, it lets me know, so I know I'm putting in the correct login info.

My Azure AD settings:

APP URL: http://localhost:3000
APP ID URI: http://localhost:3000
REPLY URL: http://localhost:3000/login/callback

Are my AD settings correct for this example?

RandalliLama commented 10 years ago

It's a bug in lib/passport-azure-ad/metadata.js:94.

The metadata document returns multiple certs, but the metadata parser only looks at the first one. It should return all of them.

There is a second bug in lib/passport-azure-ad/wsfedsaml.js:103

Signature validation is only attempted using the first cert in the parsed collection. It should be attempted with each of them until one passes or they all fail.

I'll work on getting this fixed over the next week.

iamakimmer commented 10 years ago

Thank you!! Was it something that was changed recently? I could have sworn I had it working in December, but I may have just been logged in the whole time without re-logging in. My subscription also expired on Jan 1 and I did not know if that was related.

RandalliLama commented 10 years ago

I'm sure it worked for you. If the order of the certs in the metadata document was reversed it would have continued to work. However, the certs change on a regular basis and it is up to chance whether the right cert is in the first slot or not, and that's the only one that is being checked by the code.

iamakimmer commented 10 years ago

I put in a pull request as I wanted to try to fix this on my own. The authentication is working for me now. https://github.com/MSOpenTech/passport-azure-ad/pull/7

iamakimmer commented 10 years ago

Closing, duplicate of #7