Open duybinh0208 opened 9 years ago
After setting the option {allow_unencrypted_assertion: true} I got past that error, but another error occurs: "Error: SAML Assertion signature check failed! (checked 1 certificate(s))". I do not know whether there is an issue with my SAML Response or not. Here is my SAMLResponse: https://www.dropbox.com/s/qro92voq59qrkke/SAMLResponse.xml?dl=0
Can anyone check this? Thanks.
By default, SAML responses must be encrypted, so if you wish to use unencrypted ones, you must set allow_unencrypted_assertion to true.
To pass the signature check, the certificate must be set on creation of the IdentityProvider. In the example in the README, two are read from certificate files. For the SAMLResponse you posted, the certificate is the data between the <ds:X509Certificate> tags.
Hi Jeff, thanks for your reply.
Firstly, I do not know why the error "Error: Expected 1 EncryptedAssertion; found 0" happens, because I can get the SAMLResponse but I cannot get past that error unless I set the option {allow_unencrypted_assertion: true}.
Secondly, after getting past that error by using allow_unencrypted_assertion, I cannot pass the reference validation. An error occurs: "Error: SAML Assertion signature check failed! (checked 2 certificate(s))". I tried debugging inside the saml2 library and saw that it gets stuck in the validateReferences function, which is located in "node_modules\saml2-js\node_modules\xml-crypto\lib\signed-xml.js". It shows that there is a difference between digest and ref.digestValue.
Finally, I have attached my whole source code here. It would be great if you could help me identify the error.
Source code: https://www.dropbox.com/s/pnl2n8ji8bkhcsu/debug%20saml2-js.zip?dl=0
Thank you.
Interesting. Your code appears to be correct, but the signature being generated doesn't match. Digging deeper, I found the bug was in the xml-crypto library and related to missing namespaces during the canonicalization process (tracked here). It's specifically related to the fact that the saml namespace is defined in the Response but then used in the Assertion.
Thanks for the report. This is the first time we've encountered this in a SAML Response.
Hi Jeff, thanks for your reply. I am waiting for your update. Please let me know when the bug is fixed.
Hi Jeff, I followed the steps given in the documentation to deploy a node app to use SAML-based authentication. I'm in the same situation as the others mentioned: stuck at validateReference (SAML Assertion signature check failed! (checked 1 certificate(s))), digest != ref.digestValue. I have searched Google for the last 2 days for a solution but didn't find any links that solve this issue. I would really appreciate it if you could post a solution for this issue. BTW, I did set allow_unencrypted_assertion to true, and somewhere I noticed a link suggesting xml-crypto 0.1.25; I tried that as well. Please share your thoughts regarding this issue.
I understand everyone is busy; much obliged if anyone has a solution for this issue. I'm still looking at other options, but this code is clear and user friendly, which is why I want to use this process for SAML auth.
@pswamikr Can you try updating xml-crypto to the latest version? And also, what is the Transform Algorithm?
Hi team, any update on this? It seems like it's still pending.
I am also encountering this error (Error: SAML Assertion signature check failed! (checked 1 certificate(s))). When I dig further through the code, the error is at verifySignature (signed-xml.js). Invoking .verify returns false. The xml-crypto used is the latest one, 0.10.1.
I have tried the online SAML tool https://www.samltool.com/validate_response.php and it did say that the SAML response is valid. Can someone help me verify the mapping of the inputs in samltool against the sp/idp options for saml2?
SAML tool field -- SP/IDP option:
IdP EntityId -- I do not see entityId in the idp options. Does this matter?
SP EntityId -- used this in the SP entityId and audience.
SP Attribute Consume Service Endpoint -- is it the sp option assert_endpoint? (Tried adding and removing this but no luck.)
Target URL, Destination of the Response -- is it necessary in the idp options?
Are the sp options required to be empty? I ask because I noticed that the solution in https://github.com/Clever/saml2/issues/106 passes empty sp options. But a few options are needed for my SP, like notbefore_skew and audience.
Please help! I have already spent a few days on this. :( Thanks.
I am also experiencing this issue:
Error: Expected 1 Assertion or 1 EncryptedAssertion; found 0
upon the sp.post_assert call. This code was working 2 days ago.
I also have allow_unencrypted_assertion: true, in my sp_options.
@kogden I am facing the same issue. Were you able to resolve it?
Hi, I am trying to do SSO and can get the SAMLResponse in req.body when performing POST /assert, but there is an error like this: "Error: Expected 1 EncryptedAssertion; found 0". I am using the example "Express implementation" on the web page "https://www.npmjs.com/package/saml2-js". Please let me know if anyone has any idea about this problem.
Thanks