Hi, I set up the tool as documented.
I receive an error on the signature verification step.
DEBUG:saml2.sigver:xmlsec command: /usr/bin/xmlsec1 --verify --enabled-reference-uris empty,same-doc --pubkey-cert-pem /tmp/tmp69nwexpe.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion --node-id _TnEsZE6yRBW4KQ47Tfg3SIExCYNQADUu --output /tmp/tmprk8ikwba.xml /tmp/tmpl9ejayvq.xml ERROR:saml2.sigver:returncode=1 error=func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=350:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: subject=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost; issuer=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost; err=18; msg=self signed certificate func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=389:obj=x509-store:subj=unknown:error=71:certificate verification failed: subject=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost; issuer=/C=US/ST=California/L=San Francisco/O=JankyCo/CN=localhost; err=18; msg=self signed certificate func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=368:obj=rsa-sha1:subj=unknown:error=18:data do not match:details=EVP_VerifyFinal: signature does not verify
With this XML:
<!-- SAML 2.0 Response as pasted in the issue. The Assertion carries an enveloped XML-DSig
     (exclusive c14n, rsa-sha1 signature and sha1 digest; both SHA-1 based and generally
     deprecated for new deployments). The Issuer claims okta.com. -->
<!-- Whitespace between elements is part of the canonicalised, signed content; comments are not
     (exc-c14n without #WithComments drops them). This paste has visibly been reflowed, so it
     cannot be used as-is to reproduce the digest/signature check. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_38030cee04a47185cc67" Version="2.0" IssueInstant="2024-06-28T15:56:54Z" Destination="https://eb8d-76-221-153-201.ngrok-free.app/auth/saml/sso/example-oktadev"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/XXXXXXXXXXXXXXXXXX </saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_TnEsZE6yRBW4KQ47Tfg3SIExCYNQADUu" IssueInstant="2024-06-28T15:56:54.885Z"> <saml:Issuer>http://www.okta.com/XXXXXXXXXXXXXX</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI="#_TnEsZE6yRBW4KQ47Tfg3SIExCYNQADUu"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>cHpIMLWm1x2HwENXtSxZXxSD/nU=</DigestValue> </Reference> </SignedInfo> <SignatureValue>ik3V/b6JlQMaa/eWqJmwn0jEH0BUJ7f/7xf3XP6AcF9VmlNetbA7MgUqOpN8lilZNAAyJPNkPdgIGpnNnN+23BNI38Hw72W4Iwcf1Xzoe+Mi6xbOJQsIWz3Brp66Vfj0sh2SfiIbBEpt4wV31NLZ1Rd85KylNrSLB2oJaR3A2XECEAqry2Eiwouxa3dh/a/7FiQjZ/cyzeoOF4u9x/wFRwvpdbS+H1o1f4jCL1J1vswYfdO6Dy2RgLtdefILP3lCe7/gHNsbMtXaBgeMsb+zP3OlQyO7AFBL186PduBbibqCz0fg2QVzXkd4U6E8VZwNhT5C1js/Iau783M86wacYQ==</SignatureValue> <KeyInfo> <X509Data> 
<!-- The certificate below is the one xmlsec logs as self-signed, subject CN=localhost / O=JankyCo,
     i.e. not an Okta certificate even though the Issuer above says okta.com. xmlsec was also given a
     separate pubkey-cert-pem file (presumably the IdP certificate pysaml2 took from the configured
     metadata); "signature does not verify" in the log means the key that signed this Assertion is
     not that configured key. Verifying against the configured IdP key rather than the KeyInfo the
     message itself carries is the safe behaviour: a verifier that trusted the embedded certificate
     would accept any self-signed assertion. Confirm which certificate the tmp pem actually holds. -->
<X509Certificate>MIIDPDCCAiQCCQDydJgOlszqbzANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEQMA4GA1UEChMHSmFua3lDbzESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE0MDMxMjE5NDYzM1oXDTI3MTExOTE5NDYzM1owYDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEDAOBgNVBAoTB0phbmt5Q28xEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGvJpRTTasRUSPqcbqCG+ZnTAurnu0vVpIG9lzExnh11o/BGmzu7lB+yLHcEdwrKBBmpepDBPCYxpVajvuEhZdKFx/Fdy6j5mH3rrW0Bh/zd36CoUNjbbhHyTjeM7FN2yF3u9lcyubuvOzr3B3gX66IwJlU46+wzcQVhSOlMk2tXR+fIKQExFrOuK9tbX3JIBUqItpI+HnAow509CnM134svw8PTFLkR6/CcMqnDfDK1m993PyoC1Y+N4X9XkhSmEQoAlAHPI5LHrvuujM13nvtoVYvKYoj7ScgumkpWNEvX652LfXOnKYlkB8ZybuxmFfIkzedQrbJsyOhfL03cMECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAeHwzqwnzGEkxjzSD47imXaTqtYyETZow7XwBc0ZaFS50qRFJUgKTAmKS1xQBP/qHpStsROT35DUxJAE6NY1Kbq3ZbCuhGoSlY0L7VzVT5tpu4EY8+Dq/u2EjRmmhoL7UkskvIZ2n1DdERtd+YUMTeqYl9co43csZwDno/IKomeN5qaPc39IZjikJ+nUC6kPFKeu/3j9rgHNlRtocI6S1FdtFz9OZMQlpr0JbUt2T3xS/YoQJn6coDmJL5GTiiKM6cOe+Ur1VwzS1JEDbSS2TWWhzq8ojLdrotYLGd9JOsoQhElmz+tMfCFQUFLExinPAyy7YHlSiVX13QH2XTu/iQQ==</X509Certificate> </X509Data> </KeyInfo> </Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2024-06-28T16:56:54.885Z" Recipient="https://eb8d-76-221-153-201.ngrok-free.app/auth/saml/sso/example-oktadev"/> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2024-06-28T15:56:54.885Z" NotOnOrAfter="2024-06-28T16:56:54.885Z"> <saml:AudienceRestriction> <saml:Audience>https://eb8d-76-221-153-201.ngrok-free.app/auth/saml/sso/example-oktadev</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <saml:Attribute 
Name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> <saml:AttributeValue xsi:type="xs:anyType">jane.doe@example.com</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="Email"> <saml:AttributeValue xsi:type="xs:anyType">jane.doe@example.com</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="FirstName"> <saml:AttributeValue xsi:type="xs:anyType">Jane</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="LastName"> <saml:AttributeValue xsi:type="xs:anyType">Doe</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> <saml:AuthnStatement AuthnInstant="2024-06-28T15:56:54.885Z"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion> </samlp:Response>
'example-oktadev': {
    # must match the destination URL / audience URI in the SAML 2.0 settings of the IdP.
    # NOTE(review): in the collapsed paste above, this comment swallowed the rest of the
    # line; the keys below were inside the comment, so the snippet was not valid Python.
    # NOTE(review): the Response pasted in this issue has Destination, Recipient and
    # Audience all set to https://eb8d-76-221-153-201.ngrok-free.app/auth/saml/sso/example-oktadev,
    # which is not this entityid. Confirm which value the IdP has been configured with.
    'entityid': 'http://flask-pysaml2-example',
    # IdP metadata; presumably where pysaml2 takes the IdP signing certificate it verifies
    # against. The certificate embedded in the pasted Response is, per the xmlsec log,
    # self-signed with CN=localhost / O=JankyCo, not one published by this Okta tenant.
    'metadata_url': 'https://dev-22307139.okta.com/app/XXXXXXXXX/sso/saml/metadata'
},
Possibly related to https://github.com/IdentityPython/pysaml2/issues/963