SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

2.4.2 got Reference validation failed error #22

Closed tuanmh closed 7 years ago

tuanmh commented 8 years ago

Hi guys, thank you again for this plugin. We've just upgraded to 2.4.2 and got this error: Reference validation failed in xmlseclibs.php line 923. I reverted it back to 2.4.1 and it works perfectly. Could you please help? Looks like it has something to do with this commit:

https://github.com/onelogin/php-saml/commit/39878dd041bc7fa91f19e9c04ef4e4008e3079cc

pitbulk commented 8 years ago

Hi @tuanmh

Are you sure the error appears on xmlseclibs.php 923? Can you try to add a breakpoint here? If no exception is raised, then the problem is not related to the new processSignedElements and could be related to the _queryAssertion and the _decryptAssertion, since xmlseclibs was not modified, but is wrong since unit tests passed and I also made tests with different scenarios.

If you provide the SAMLResponse that is failing, I will also be able to debug. (If it is a prod environment, you can share it with me by mail.)

tuanmh commented 8 years ago

> If no exception is raised, then the problem is not related to the new processSignedElements and could be related to the _queryAssertion and the _decryptAssertion, since xmlseclibs was not modified, but is wrong since unit tests passed and I also made tests with different scenarios.

Yes, there was no exception at that break point. I'll send the SAMLResponse to the email at your github account.

tuanmh commented 8 years ago

Hi @pitbulk, do you have any updates on this?

pitbulk commented 8 years ago

No, sorry. I will spend some time today.

pitbulk commented 8 years ago

I replied to you by mail.

tuanmh commented 8 years ago

Hey @pitbulk: do you have time to have a look at this issue? Or you can give me some instructions so I'll do it. This is important for us to get moving and updated with the latest version to prevent any security risks. Thank you again!

pitbulk commented 8 years ago

I had no progress on that. Can you generate a temp certificate/private key at https://www.samltool.com/self_signed_certs.php and replace the real certs in your SP settings with those new ones (remember also to change the ADFS settings with this new SP public cert)?

Then check whether the SAMLResponse is also rejected due to the "Reference validation failed" error, and if this is the case, send to me by mail:

tuanmh commented 7 years ago

Just an update on this @pitbulk, we've upgraded our staging environment to 2.4.4 and everything is working fine - so there must be some differences between the 2 versions (2.4.2 and 2.4.4) - I'm not too sure for now though.

pitbulk commented 7 years ago

Yes, 2.4.4 uses the latest php-saml toolkit, use it.