SAML-Toolkits / php-saml

Simple SAML toolkit for PHP
MIT License

Signature validation failed. SAML Response rejected #117

Closed AndrewECooper closed 8 years ago

AndrewECooper commented 8 years ago

I'm getting the error in the title above from php-saml. I've set up a SimpleSamlPHP IdP on the same server as my SP application using php-saml. The IdP is for testing IdP responses on my dev machine.

My SP metadata looks like this...

{
  "sp": {
    "entityId": "https://biz.dev.originsystems.co.za/metadata.php",
    "assertionConsumerService": {
      "url": "https://biz.dev.originsystems.co.za/?acs"
    },
    "singleLogoutService": {
      "url": "https://biz.dev.originsystems.co.za/?slo"
    },
    "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
  },
  "idp": {
    "entityId": "https://idp.dev.originsystems.co.za/simplesaml/saml2/idp/metadata.php",
    "singleSignOnService": {
      "url": "https://idp.dev.originsystems.co.za/simplesaml/saml2/idp/SSOService.php"
    },
    "singleLogoutService": {
      "url": "https://idp.dev.originsystems.co.za/simplesaml/saml2/idp/SingleLogoutService.php"
    },
    "x509cert": "MIIEFzCCAv+gAwIBAgIJAMViOtTmomR+MA0GCSqGSIb3DQEBCwUAMIGhMQswCQYDVQQGEwJaQTEZMBcGA1UECAwQV2VzdGVybiBQcm92aW5jZTESMBAGA1UEBwwJQ2FwZSBUb3duMSkwJwYDVQQKDCBPcmlnaW4gRHluYW1pYyBTeXN0ZW1zIChQdHkpIEx0ZDESMBAGA1UECwwJVGVjaG5pY2FsMSQwIgYDVQQDDBtpZHAuZGV2Lm9yaWdpbnN5c3RlbXMuY28uemEwHhcNMTYwMzAzMjEwNjIxWhcNNDMwNzIwMjEwNjIxWjCBoTELMAkGA1UEBhMCWkExGTAXBgNVBAgMEFdlc3Rlcm4gUHJvdmluY2UxEjAQBgNVBAcMCUNhcGUgVG93bjEpMCcGA1UECgwgT3JpZ2luIER5bmFtaWMgU3lzdGVtcyAoUHR5KSBMdGQxEjAQBgNVBAsMCVRlY2huaWNhbDEkMCIGA1UEAwwbaWRwLmRldi5vcmlnaW5zeXN0ZW1zLmNvLnphMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6E52mBf0Bite7l+ztqmrnpMha1N/OcPTz0VO+3CZ+4GGuyD6BJFpymFPWhJVEboPuAoJMjTp0XPxgUPcydF15p11MsIp3tIij9SOM/1IGteSzrV8ka3C1vdQoTkFSeUXI+Hd14+q8fDFk6LppaTLxB0X7JjRwlBWFxxUwjc2CpTqT3VPrgMDgf9cY0p2ZIEn3ZDGZaFQXVsQN//QSIp6My1vGUzuA2WHdne96KuVa2AAz/jqOiOL+Gx+DyLgfI7moVHNDpuhLs/b1Ucf5wz4PZtnXu+pl8GD3qBAwSZNk/7fI4xouBpKdojmiqx+2mtZAoA8nqyusnA1S29TWgWmQIDAQABo1AwTjAdBgNVHQ4EFgQUpRS4+FickbWaXNc8uvTtr2e5RIMwHwYDVR0jBBgwFoAUpRS4+FickbWaXNc8uvTtr2e5RIMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAQy197JhM5llSReJZ6v9+7/s9iMxoE1lMglIAW4l5Tny0p2iGG0Unn2OyrwarpHaUTh7zlbQADi+XQAUqmFNeskm3z0bzpEyQ3zeY8bH/DJyCgzH90xFskqor+s/UXI1XT40H2HVEVe1XxSO17TwmClJIS1D/kHauIV5K5Mt4vsZD/0H5Rs0JQw2FYo9N3lAurLdQluWdGDmPFnl5036EtNtNEP+8SRaa8t9jQGYZ6reWg8D9BWn2awepG5zM+mgQcGGnBk3aFAC9Eg98nigtvuTzuxPQg8nwM3bpx0n1OgBCZ2KE17rVqWYji8dfg7Cc6sJuj6/vRzE34FripmMxPA=="
  }
}

I spit that out with a json_encode but it is in an array in PHP. The response I'm getting back from the IdP is...

<samlp:response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" id="_dae23f8b1e7f18b7d122099f0c8cfce6c5b42c16fd" version="2.0" issueinstant="2016-03-03T21:38:12Z" destination="https://biz.dev.originsystems.co.za/?acs" inresponseto="ONELOGIN_45cf1177d3a8e735a97b0043eadf17b3718e692f">
  <saml:issuer>https://idp.dev.originsystems.co.za/simplesaml/saml2/idp/metadata.php</saml:issuer>
  <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:signedinfo>
      <ds:canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <ds:signaturemethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
          <ds:reference uri="#_dae23f8b1e7f18b7d122099f0c8cfce6c5b42c16fd">
            <ds:transforms>
              <ds:transform algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
                <ds:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:transform>
            </ds:transforms>
            <ds:digestmethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
              <ds:digestvalue>byFT5BP5a7QZSY6QXPY68XCDZcY=</ds:digestvalue>
            </ds:digestmethod>
          </ds:reference>
        </ds:signaturemethod>
      </ds:canonicalizationmethod>
    </ds:signedinfo>
    <ds:signaturevalue>P9xeellkpmMftMzJu5/lmEB96HJhqVx9o2oSNg8kbb0ejabfDcfp92Z6D4L24sH6LZSHBmp1Vr5CEuF7CfPQF4VflrIJ4hTOoJdzkREokXqr8nXC//94GVOvAnNCM9qjEb1VHFvE6MOWbAr8UYZtAj0ridhyb/KX01/9X3ufDJe5bmhgdS9P2dIqKnoekgTypTZIVsT9u/zxlYfuuBvMEJk7z6YPmWkb8vX1TnYUIpLDMRp3UIP3sVfG2RtprBs/yPO5DCBVJ5CZ2pgs3uIRufoHIgyU2rM8URogaF/oC4XKNoF0/PM7ZCE5M8ohr5m/wZesxfYsI589Euh85uw0Nw==</ds:signaturevalue>
    <ds:keyinfo>
      <ds:x509data>
        <ds:x509certificate>[certificate omitted]</ds:x509certificate>
      </ds:x509data>
    </ds:keyinfo>
  </ds:signature>
  <samlp:status>
    <samlp:statuscode value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:status>
  <saml:assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" id="_e0a3212c2f47df627a98cae1f118206b8d4bdeb688" version="2.0" issueinstant="2016-03-03T21:38:12Z">
    <saml:issuer>https://idp.dev.originsystems.co.za/simplesaml/saml2/idp/metadata.php</saml:issuer>
    <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:signedinfo>
        <ds:canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ds:signaturemethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
            <ds:reference uri="#_e0a3212c2f47df627a98cae1f118206b8d4bdeb688">
              <ds:transforms>
                <ds:transform algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
                  <ds:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:transform>
              </ds:transforms>
              <ds:digestmethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
                <ds:digestvalue>1BBzNAFpjrtcWokIJOH8+YiIYkA=</ds:digestvalue>
              </ds:digestmethod>
            </ds:reference>
          </ds:signaturemethod>
        </ds:canonicalizationmethod>
      </ds:signedinfo>
      <ds:signaturevalue>Cnk6hfC47GdpXF+gZVbpsuoMSs6aABqVBkDDrKkzgN0dxYGBzt7WKXSA1Hb/L76qsdCiWiGeaKdyxEfnNtHqVVdXM7BioBPkpD7ydIAY/K4zFX+jZHcMQ9qA0fXGnMOIur3mzzL/EhUOMziUdPB8ZV4Wa+njr6w9Qwgx1knS8HSNRdFWgrmvoD6p17HE9XXTh2Rq+iiujc6HF4cWPuBtRfK0D6tAyEUv3Rga6nQA9G7pTxnItCt69rK5g9s/DCT7AWu9WW01PyhVkJOaC+2XIwGyhtydyy4fDdzWId0jjH0ApNNsA9oFHvuxXSJ4Tr7iC+qMjsWUcS+sF3UEww/RiQ==</ds:signaturevalue>
      <ds:keyinfo>
        <ds:x509data>
          <ds:x509certificate>[certificate omitted]</ds:x509certificate>
        </ds:x509data>
      </ds:keyinfo>
    </ds:signature>
    <saml:subject>
      <saml:nameid spnamequalifier="https://biz.dev.originsystems.co.za/metadata.php" format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_764064669062ae56819c9cb6426d32a6d424bd310d</saml:nameid>
      <saml:subjectconfirmation method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:subjectconfirmationdata notonorafter="2016-03-03T21:43:12Z" recipient="https://biz.dev.originsystems.co.za/?acs" inresponseto="ONELOGIN_45cf1177d3a8e735a97b0043eadf17b3718e692f"/>
      </saml:subjectconfirmation>
    </saml:subject>
    <saml:conditions notbefore="2016-03-03T21:37:42Z" notonorafter="2016-03-03T21:43:12Z">
      <saml:audiencerestriction>
        <saml:audience>https://biz.dev.originsystems.co.za/metadata.php</saml:audience>
      </saml:audiencerestriction>
    </saml:conditions>
    <saml:authnstatement authninstant="2016-03-03T21:27:31Z" sessionnotonorafter="2016-03-04T05:38:12Z" sessionindex="_fd24285c5f3a5c26f45f91e1c9ee265d4119c9dd5c">
      <saml:authncontext>
        <saml:authncontextclassref>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:authncontextclassref>
      </saml:authncontext>
    </saml:authnstatement>
    <saml:attributestatement>
      <saml:attribute name="uid" nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:attributevalue xsi:type="xs:string">dslknvdlkahsdhfglasdkjhclnlshdf</saml:attributevalue>
      </saml:attribute>
      <saml:attribute name="first_name" nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:attributevalue xsi:type="xs:string">Andrew</saml:attributevalue>
      </saml:attribute>
      <saml:attribute name="last_name" nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:attributevalue xsi:type="xs:string">Cooper</saml:attributevalue>
      </saml:attribute>
      <saml:attribute name="preferred_name" nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:attributevalue xsi:type="xs:string">Andrew</saml:attributevalue>
      </saml:attribute>
      <saml:attribute name="email" nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:attributevalue xsi:type="xs:string">andrew.cooper@originsystems.co.za</saml:attributevalue>
      </saml:attribute>
    </saml:attributestatement>
  </saml:assertion>
</samlp:response>

When I plug the response into OneLogin's "Validate SAML Response" tool it tells me "Error parsing xml string". However, no other validator I put it in gives me a problem. I've been banging my head against this problem for a while now.

A bit of background... I've got two servers. The STAGE server can see out to the web and can be seen from outside as well. On that server I use OneLogin as an IdP and everything seems to work fine. However, my Dev machine can't be seen from outside the local network and so OneLogin can't send a response back to me. That's why I'm using SimpleSAML to set up an IdP locally so I can test. I say that to say, I'm not married to SimpleSAML. If there's a way to set up php-saml to do the same thing, I'll use it. Or if you have another suggestion that might work.

Thanks

pitbulk commented 8 years ago

@AndrewECooper sorry for this delayed reply.

If you paste the XML at https://www.samltool.com/validate_xml.php and select SAML Response xsd you will see that the validation fails.

I wonder why all the strings in the XML are lowercase. The standard expects samlp:Response, not samlp:response.

Who is generating this SAMLResponse? simpleSAMLphp generates the SAMLResponse correctly (notice the name tag is not lowercase).

Review your environment, I think that you/some intermediate service made some change on the original XML.

AndrewECooper commented 8 years ago

Thanks pitbulk. I will look into that and get back with you.

pitbulk commented 8 years ago

@AndrewECooper have you solved that issue?

AndrewECooper commented 8 years ago

No. I quit trying to use SimpleSAML and just got a free account with OneLogin to test with. I used the SAML Response Validation tool that you suggested. My SAML Response is...

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="Ra5193b7a927a9c3af45f767e774fd272d9709429" Version="2.0" IssueInstant="2016-05-04T09:37:20Z" Destination="https://stage.originsystems.co.za/?acs" InResponseTo="ONELOGIN_3c231e1a984002ae60f24e6ebaf9134b8be9704e">
<saml:Issuer>https://app.onelogin.com/saml/metadata/515372</saml:Issuer>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfxc5d2b173-a4de-37d5-46de-5089c8332dca" IssueInstant="2016-05-04T09:37:20Z">
<saml:Issuer>https://app.onelogin.com/saml/metadata/515372</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#pfxc5d2b173-a4de-37d5-46de-5089c8332dca">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>zXfzBCtyN0zUwlaM2pQI5JZ0yag=</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>hGjIxyDY+hDGGEh+xEERL6tXRKVgjtgq4AvCO4rH0XA/4n7pzTzYAuG+ZgcT3Mc+AiESrzlIO4GWIcI5WtyE8Evfp37ZZk3lQgmcr64EAd3Bt+C5psEctw9NBa7PRSFRpqgwIPyAM+oKrZDSqIjm/RjwLI4J9M00mny2DIyIkHe7APLa+Id8Qa1i/czhaaQ750Bc4ZYnC1izkNkroUw2M8z95LaKdQYM2G1dRSuAsfIxhmGLxu0qV7YToY72Vc4HASDh1PiMDXwayHbyv5GifjCU6ELaYaRJ5AG4TrMvRKVDews8dJ/uI6P0pBm/sxCEXQREOWMqR2t1nQb0+QeARQ==</ds:SignatureValue>
<ds:KeyInfo>
    <ds:X509Data>
        <ds:X509Certificate>MIIEKTCCAxGgAwIBAgIUA75ogPoRMFx7QhUV4OgYeYePZRswDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxFzAVBgNVBAoMDk9yaWdpbiBTeXN0ZW1zMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgNzc2MDAwHhcNMTYwMjA0MTQzODUzWhcNMjEwMjA1MTQzODUzWjBeMQswCQYDVQQGEwJVUzEXMBUGA1UECgwOT3JpZ2luIFN5c3RlbXMxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwWT25lTG9naW4gQWNjb3VudCA3NzYwMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL5Vyy3c/hWkAzDDax51CMURj5HD8LW4fn4grV0vZZrO/V0hpbxY05PV62auZwqydbsAyyosv8eHgbn6kMb9yN4cPaOmrqP3d0Ad7V1LaCStaf/Lp0nGHUBZVBLa4fis/0im+wMVOywSGMM3po0+r7IPpykEE01R6m7Wgj/Uu2Ck/llh5y0zRDAP1NYXnYsZyTuvvzh3yszvt8xqaEJqq6FTHMHPdiC3+D2gcGbV6hkfLcUq41lQHIZ2rm2jM9CNkqlmGGpX6tb6E46+iP59yuHG3TF8bhr8uyRA18QJRidkq4SGw/D9QDeu/UagavFyfB6msqJG1CS0VK+zMnIPDgcCAwEAAaOB3jCB2zAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSFeCtQ2Bo4Xm06dz7tJ13TiuKDyzCBmwYDVR0jBIGTMIGQgBSFeCtQ2Bo4Xm06dz7tJ13TiuKDy6FipGAwXjELMAkGA1UEBhMCVVMxFzAVBgNVBAoMDk9yaWdpbiBTeXN0ZW1zMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgNzc2MDCCFAO+aID6ETBce0IVFeDoGHmHj2UbMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEARnD5A8DN5r1Gbr2iwaF1c/Ccd9eXfI84TULq4k0QluzwUGnUiTZXJBqHcy2GEXUt/hfoAiFk9hx+x1EvzCriTM7P5yOnQLDoz1Vb6moGGMVyzL1/2E18zllZ+hZsSY2WsoR8jB1iyTSzot/febggQuVN0f34sMnCVdeAXKqnVKxvkm+PmcWkgKAqpo5MT2LT1EdTI/zxI+DAi99hsYKmodAoWgPewDNtRsremQIadnqzaPNMQbcgd89N9Ext6zIcArAViz+XpoAR80HCy8PVo3Ss+bzZJainymqGK65ulYgeHiN0WYTRORE82RXGwvs2vO/r926pZspLt+0vHzlcLQ==</ds:X509Certificate>
    </ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">andrew.cooper@originsystems.co.za</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2016-05-04T09:40:20Z" Recipient="https://stage.originsystems.co.za/?acs" InResponseTo="ONELOGIN_3c231e1a984002ae60f24e6ebaf9134b8be9704e"/>
    </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2016-05-04T09:34:20Z" NotOnOrAfter="2016-05-04T09:40:20Z">
    <saml:AudienceRestriction>
        <saml:Audience>https://stage.originsystems.co.za/sso-metadata.php</saml:Audience>
    </saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2016-05-04T09:37:19Z" SessionNotOnOrAfter="2016-05-05T09:37:20Z" SessionIndex="_d2a86a00-f3fc-0133-4fea-02b8ddb34353">
    <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="User.LastName">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Cooper</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="PersonImmutableID">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="User.email">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">andrew.cooper@originsystems.co.za</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Title">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Grand High Pumba</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="memberOf">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="User.FirstName">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Andrew</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

My IdP entityId = https://app.onelogin.com/saml/metadata/515372
SP entityId = https://stage.originsystems.co.za/metadata.php
ACS Endpoint = https://stage.originsystems.co.za/?acs
Target URL = https://stage.originsystems.co.za/?acs

X.509 Cert = [certificate omitted]

However I get the following error.

https://stage.originsystems.co.za/metadata.php is not a valid audience for this Response

I don't know why the audience is invalid. It doesn't give any more detail than that. On the actual site the error it is giving is

Signature validation failed. SAML Response rejected

The metadata that I'm using is

$settingsArray = array (
    'sp' => array (
        'entityId' => 'https://stage.originsystems.co.za/metadata.php',
        'assertionConsumerService' => array (
            'url' => 'https://stage.originsystems.co.za/?acs',
        ),
        'singleLogoutService' => array (
            'url' => 'https://stage.originsystems.co.za/?slo',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress',
        // 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress',
    ),

    'idp' => array(
        "entityId" => "https://app.onelogin.com/saml/metadata/515372",
        "singleSignOnService" => array (
            "url" => "https://originsystems.onelogin.com/trust/saml2/http-post/sso/515372",
            "binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        ),
        "singleLogoutService" => array(
            "url" => "https://originsystems.onelogin.com/trust/saml2/http-redirect/slo/515372",
            "binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        ),
        "x509cert" => "[certificate omitted]"
    ),
);

Anyway, I'm trying to figure out what it isn't liking. I'm getting a response back that I can use but it doesn't like it during validation and errors out.

pitbulk commented 8 years ago

The problem is at the OneLogin connector. Maybe a copy&paste error.

You wrote as Audience there:

https://stage.originsystems.co.za/sso-metadata.php

instead of

https://stage.originsystems.co.za/metadata.php

that is why the SAMLResponse contains

<saml:Conditions NotBefore="2016-05-04T09:34:20Z" NotOnOrAfter="2016-05-04T09:40:20Z">
    <saml:AudienceRestriction>
        <saml:Audience>https://stage.originsystems.co.za/sso-metadata.php</saml:Audience>
    </saml:AudienceRestriction>
</saml:Conditions>

which, when you tried to validate, generates the error:

https://stage.originsystems.co.za/metadata.php is not a valid audience for this Response

Related to the "Signature validation failed. SAML Response rejected": in the signature validation process, any change to the XML affects the result. I don't know how you extracted the SAMLResponse, but if you took a pretty-printed version of the XML, it is always going to give you a validation error. If available, use the base64-encoded version, use the decode tool and use the result on the validation tool.

AndrewECooper commented 8 years ago

I figured this out. You were correct pitbulk. Another developer had written some code that sanitized incoming Requests. This was causing the validation to fail... understandable. Thanks for the help, pitbulk.

akash-goel commented 6 years ago

I am working on test cases and getting the "Signature validation failed" error when validating the SAML response. Please help me identify which parameters are responsible for signature creation and validation.

techmatevaibhav commented 6 years ago

@akash-goel have you solved that issue?

techmatevaibhav commented 6 years ago

@pitbulk Hey could you please help me out with same "Signature validation failed. SAML Response rejected" issue.

Below is my saml2_settings.php file:

<?php

// This variable is an example - Just make sure that the urls in the 'idp' config are ok.
//$idp_host = 'https://idp.ssocircle.com:443';
$idp_host = 'https://passport.soaer.com';

return $settings = array(

/**
 * If 'useRoutes' is set to true, the package defines five new routes:
 *
 *    Method | URI                      | Name
 *    -------|--------------------------|------------------
 *    POST   | {routesPrefix}/acs       | saml_acs
 *    GET    | {routesPrefix}/login     | saml_login
 *    GET    | {routesPrefix}/logout    | saml_logout
 *    GET    | {routesPrefix}/metadata  | saml_metadata
 *    GET    | {routesPrefix}/sls       | saml_sls
 */
'useRoutes' => true,

'routesPrefix' => '/saml2',

/**
 * which middleware group to use for the saml routes
 * Laravel 5.2 will need a group which includes StartSession
 */
'routesMiddleware' => ['web'],

/**
 * Indicates how the parameters will be
 * retrieved from the sls request for signature validation
 */
'retrieveParametersFromServer' => false,

/**
 * Where to redirect after logout
 */
'logoutRoute' => '/',

/**
 * Where to redirect after login if no other option was provided
 */
'loginRoute' => '/loggedin',

/**
 * Where to redirect after login if no other option was provided
 */
'errorRoute' => '/error',

/*****
 * One Login Settings
 */

// If 'strict' is True, then the PHP Toolkit will reject unsigned
// or unencrypted messages if it expects them signed or encrypted
// Also will reject the messages if not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
'strict' => false, //@todo: make this depend on laravel config

// Enable debug mode (to print errors)
'debug' => true, //@todo: make this depend on laravel config,

// If 'proxyVars' is True, then the Saml lib will trust proxy headers
// e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if
// your application is running behind a load balancer which terminates
// SSL.
'proxyVars' => false,

// Service Provider Data that we are deploying
'sp' => array(

    // Specifies constraints on the name identifier to be used to
    // represent the requested subject.
    // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

    // Usually x509cert and privateKey of the SP are provided by files placed at
    // the certs folder. But we can also provide them with the following parameters
    'x509cert' => '',
    'privateKey' => '',

    // Identifier (URI) of the SP entity.
    // Leave blank to use the 'saml_metadata' route.
    'entityId' => 'url:test:laravel:php',
    // Specifies info about where and how the <AuthnResponse> message MUST be
    // returned to the requester, in this case our SP.
    'assertionConsumerService' => array(
        // URL Location where the <Response> from the IdP will be returned,
        // using HTTP-POST binding.
        // Leave blank to use the 'saml_acs' route
        'url' => '',
    ),
    // Specifies info about where and how the <Logout Response> message MUST be
    // returned to the requester, in this case our SP.
    // Remove this part to not include any URL Location in the metadata.
    'singleLogoutService' => array(
        // URL Location where the <Response> from the IdP will be returned,
        // using HTTP-Redirect binding.
        // Leave blank to use the 'saml_sls' route
        'url' => '',
    ),
),

// Identity Provider Data that we want connect with our SP
'idp' => array(
    // Identifier of the IdP entity  (must be a URI)

    // 'entityId' => $idp_host . '/saml2/idp/metadata.php',
    // 'entityId' => $idp_host . '/sso/SSOPOST/metaAlias/publicidp',
    'entityId' => $idp_host . '/idp/shibboleth',

    // SSO endpoint info of the IdP. (Authentication Request protocol)
    'singleSignOnService' => array(
        // URL Target of the IdP where the SP will send the Authentication Request Message,
        // using HTTP-Redirect binding.

        // 'url' => $idp_host . '/saml2/idp/SSOService.php',
        // 'url' => $idp_host . '/sso/SSORedirect/metaAlias/publicidp',

        //'url' => $idp_host . 'idp/profile/Shibboleth/SSO',
        //'url' => $idp_host . '/idp/profile/SAML2/POST/SSO',

        //'url' => $idp_host . '/idp/profile/SAML2/POST-SimpleSign/SSO',

        'url' => $idp_host . '/idp/profile/SAML2/Redirect/SSO',

    ),
    // SLO endpoint info of the IdP.
    'singleLogoutService' => array(
        // URL Location of the IdP where the SP will send the SLO Request,
        // using HTTP-Redirect binding.

        // 'url' => $idp_host . '/saml2/idp/SingleLogoutService.php',
        'url' => $idp_host . '/sso/IDPSloRedirect/metaAlias/publicidp',
    ),
    // Public x509 certificate of the IdP
    // 'x509cert' => '[certificate omitted]',
    'x509cert' => 'MIIDMzCCAhugAwIBAgIUDQVo1lb3ZOm0mUKeEwLWuQYMSHkwDQYJKoZIhvcNAQELBQAwHTEbMBkGA1UEAwwScGFzc3BvcnQuc29hZXIuY29tMB4XDTE3MTIyMTIzMDAxNFoXDTM3MTIyMTIzMDAxNFowHTEbMBkGA1UEAwwScGFzc3BvcnQuc29hZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArYR/TFQ5+jihmtxn+xqLPOBs+0jX9dOoi0eCG5DIUm1VWbrckNDtC7rKKUNmwVdkSIbK9Dlrsl037dswjbRQnrRhOQ1ggikea+RoH9PfcgzEETnJtmoTVhFKZ6Cw36Ud+TO6+hDUGLlJJMqYau40RiHErS+I54NFr0c2USDrIQuYGaxvixHx155vLjJEAlovfoaUh67BoRk4kFs62CyIPaVJvq53X7NyCa9rO5Tt/KVKoYe16knqCsnmy6gnp6lkewmCBJFlcJgcrggmBOHWdB0pYSmp7V9Kfb+Khog5beqNkKgFtn4Z6VVX4xg66sgCwq8JPBEmCZvZhGn5TPqvXQIDAQABo2swaTAdBgNVHQ4EFgQU+rnx825ekeRYh9LChJuiFIqqDp8wSAYDVR0RBEEwP4IScGFzc3BvcnQuc29hZXIuY29thilodHRwczovL3Bhc3Nwb3J0LnNvYWVyLmNvbS9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAQEAfA3cKFh2C2Tst3G7RRq6Isjg//RkZ7Q7VQ70IYdx/vW7dz3sqBq2UXtkejvDM7kEdRRLW2mlqoEWrdTfdrVEWjUOsALJIF6QQHps6B/Zmj5nhzFKED8q1WwQxjStRgqhhjweG184gSdlxylzziv5OGjfJu+iHGAMgpOlk6BzGZ3f+95axx9wBM3mNJuYkE3LT5Klxj3BzED7GOjAjbsyz8vga/PE1aTiYqiCTVnfnjf77WZQ+J8P25kqCNHmAUyOeXSGfyiaxMxDvsPKA++FiRsQwzGOZQd/8GMwWJvG+4ee0dzrd5hc999lzAngxHdaPi7ZCZZNUFCAhb/Rj4rV3Q==',
),

);

pitbulk commented 6 years ago

@techmatevaibhav "Signature validation failed. SAML Response rejected" error happens when SP rejects the Signature of the SAMLResponse. That happens when the SAMLResponse is manipulated, or when the public certificate of the IdP registered on the SP is wrong. Can you try to validate the SAMLResponse at https://www.samltool.com/validate_response.php ?

Is the Assertion of the SAMLResponse encrypted? What software does the IdP use?

poojated commented 4 years ago

Hi, I am not able to verify the signature at https://www.samltool.com/validate_response.php.

I am generating the signature string with:

distinguishedName = ConfigurationManager.AppSettings["IssuerTokenCertificateDistinguishedName"];
X509Certificate2 certificate = FederationUtilities.LookupCertificate(storeName, storeLocation, distinguishedName);
SecurityKeyIdentifier ski = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { new X509SecurityToken(certificate).CreateKeyIdentifierClause() });
X509SigningCredentials signingCreds = new X509SigningCredentials(certificate, ski);

pitbulk commented 4 years ago

If you introduce a single space in the XML, then the Signature Validation process will fail. Maybe the system that pretty-prints the XML in your console is introducing them.

I recommend base64-encoding the XML before printing it, then copying the result, base64-decoding it, and validating the XML generated.
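pitbulk's three pieces of advice in this thread (compare the Audience with the SP entityId, validate the raw base64 SAMLResponse rather than a pretty-printed copy, and suspect the registered IdP certificate or in-transit rewriting when the signature fails) as one offline diagnostic script. This is an added example, not code from php-saml or from anyone in the thread; it assumes php-saml 3.x's namespaced `OneLogin\Saml2\Utils` API installed via Composer, uses the SP entityId from the thread, and takes placeholder file paths for the raw base64 SAMLResponse and the IdP certificate.

```php
<?php
// saml_response_check.php: added offline diagnostic, not part of php-saml. Assumes php-saml 3.x+
// (namespaced API) via Composer. Usage: php saml_response_check.php samlresponse.b64 idp-cert.pem
// samlresponse.b64 = raw base64 SAMLResponse as POSTed to the ACS (not a pretty-printed dump).
require __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\Utils;

const SP_ENTITY_ID = 'https://stage.originsystems.co.za/metadata.php'; // SP entityId from this thread
const NS = [
    'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
    'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
];

function loadDom(string $xml): DOMDocument
{
    // php-saml rejects DTDs/entities too; a SAMLResponse never needs them (XXE)
    if (stripos($xml, '<!ENTITY') !== false || stripos($xml, '<!DOCTYPE') !== false) {
        throw new RuntimeException('DTD/entity declarations are not allowed in a SAMLResponse');
    }
    $dom = new DOMDocument();
    $dom->preserveWhiteSpace = true; // whitespace is part of what was signed: keep every byte
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('SAMLResponse is not well-formed XML');
    }
    return $dom;
}

// Structural findings that explain an "is not a valid audience" error or a rewritten document
function shapeIssues(DOMDocument $dom): array
{
    $issues = [];
    $root = $dom->documentElement;
    if ($root->namespaceURI !== NS['samlp'] || $root->localName !== 'Response') {
        // e.g. <samlp:response>: something between IdP and SP rewrote the XML, which breaks the signature too
        $issues[] = "root element is <{$root->tagName}>, expected <samlp:Response>: XML altered in transit";
    }
    $xp = new DOMXPath($dom);
    foreach (NS as $prefix => $uri) {
        $xp->registerNamespace($prefix, $uri);
    }
    if ($xp->query('/samlp:Response/saml:EncryptedAssertion')->length > 0) {
        $issues[] = 'assertion is encrypted: decrypt it with the SP private key before checking Audience';
        return $issues;
    }
    $audiences = [];
    $q = '/samlp:Response/saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience';
    foreach ($xp->query($q) as $aud) {
        $audiences[] = trim($aud->textContent);
    }
    if ($audiences && !in_array(SP_ENTITY_ID, $audiences, true)) {
        $issues[] = 'Audience ' . implode(', ', $audiences) . ' does not match SP entityId ' . SP_ENTITY_ID;
    }
    return $issues;
}

// Verify the ds:Signature selected by $signatureXPath against the IdP certificate
function signatureVerdict($xml, string $idpCert, string $signatureXPath): string
{
    try {
        // validateSign canonicalises the signed element (exc-c14n), recomputes DigestValue, checks SignatureValue
        return Utils::validateSign($xml, Utils::formatCert($idpCert), null, 'sha1', $signatureXPath)
            ? 'valid'
            : 'INVALID: SignatureValue does not verify with this certificate (wrong IdP cert on the SP?)';
    } catch (Exception $e) {
        // "Reference validation failed" = DigestValue mismatch: the signed bytes were changed
        // (sanitiser, pretty-printer, case-folding); "Cannot locate Signature Node" = not signed there
        return 'INVALID: ' . $e->getMessage();
    }
}

if ($argc < 3) {
    fwrite(STDERR, "usage: php saml_response_check.php <samlresponse.b64> <idp-cert.pem>\n");
    exit(2);
}
$xml = base64_decode(preg_replace('/\s+/', '', file_get_contents($argv[1])), true);
if ($xml === false) {
    fwrite(STDERR, "SAMLResponse is not valid base64\n");
    exit(2);
}
$idpCert = file_get_contents($argv[2]);
$dom = loadDom($xml);
foreach (shapeIssues($dom) as $issue) {
    echo "shape: $issue\n";
}
echo 'response signature:    ' . signatureVerdict($dom, $idpCert, Utils::RESPONSE_SIGNATURE_XPATH) . "\n";
echo 'assertion signature:   ' . signatureVerdict($dom, $idpCert, Utils::ASSERTION_SIGNATURE_XPATH) . "\n";

// Negative control: the same response re-serialised pretty-printed. The digest over the
// Assertion now also covers the inserted whitespace text nodes, so the reference check fails.
$pretty = new DOMDocument();
$pretty->preserveWhiteSpace = false;
$pretty->formatOutput = true;
$pretty->loadXML($xml);
echo 'after pretty-printing: ' . signatureVerdict($pretty->saveXML(), $idpCert, Utils::ASSERTION_SIGNATURE_XPATH) . "\n";
```

Run it against the base64 value captured from the POST body, not from a console dump; the last line typically reports "Reference validation failed", which is exactly what a sanitising or pretty-printing intermediary produces on the real ACS.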

poojated commented 4 years ago

Can you please give me your email so that I can send you the response. Need help on priority.

poojated commented 4 years ago