handnot2 / samly

Elixir Plug library to enable SAML 2.0 SP SSO in Phoenix/Plug applications.
MIT License

Digest verification failed on Idp #19

Closed alex88 closed 6 years ago

alex88 commented 6 years ago

Trying to add the domain to an ADFS IDP gives this error

Add-ADFSRelyingPartyTrust : ID6018: Digest verification failed for reference
CategoryInfo          : InvalidData: (:) [Add-ADFSRelyingPartyTrust], CryptographicException
FullyQualifiedErrorId : ID6018: Digest verification failed for reference ...
FullyQualifiedErrorId : PS0132,Microsoft.IdentityServer.PowerShell.Commands.SetRelyingPartyTrustCommand
Set-ADFSRelyingPartyTrust : PS0132: No RelyingPartyTrust found with name ...

Does the certificate of the SP have to match the one of the HTTPS server it's running on? What could be the problem?

handnot2 commented 6 years ago

Guessing that the certificate you generated for your app is somehow not registered with ADFS, resulting in verification error.

  1. You would have generated a private key and a corresponding certificate for Samly. Samly uses these when it communicates with the ADFS IDP.

  2. When you set up the Relying Party Trust in ADFS, you have the option of entering the values manually or importing the relying party (RP/SP) metadata from a file. You can choose the option "Import data about relying party from a file" - see item 3 on how to create this file.

  3. Create this metadata file on your system by entering the SP Metadata URL (search Samly doc) in a browser and save the response (source of the HTML response) in an XML file. This XML metadata file should be provided during the ADFS relying party trust setup for your app.

The SP Metadata XML file you saved will have the correct certificate embedded in it. ADFS will then use that certificate to verify the SAML 2.0 request originating from your application via Samly.

Hope this helps. Please provide an update if this solves your issue.
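The steps above come down to one invariant: the signing certificate embedded in the SP metadata that ADFS imports must be the certificate that belongs to the private key the application actually signs with. The script below is an added example (not part of the samly project or of this thread) that checks that invariant before the metadata is handed to ADFS: it pulls every signing KeyDescriptor out of the metadata, computes the SHA-256 fingerprint of each DER blob, and compares it with the fingerprint of the local PEM certificate. The metadata document, the PEM and the certificate bytes are constructed placeholders; the DER content is not a real certificate, since only the byte-for-byte comparison matters here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def metadata_signing_certs(metadata_xml: str) -> list:
    """Return the DER bytes of every certificate an IdP would import as a signing key.

    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption, so it is included; 'use="encryption"' entries are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            # Base64 in metadata is often wrapped; drop all whitespace first.
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    return certs


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the body to DER."""
    body = [line.strip() for line in pem.strip().splitlines()
            if not line.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, the same value most IdP consoles display for an imported cert."""
    return hashlib.sha256(der).hexdigest()


def metadata_matches_local_cert(metadata_xml: str, local_pem: str) -> bool:
    """True if at least one signing cert in the metadata is the local certificate."""
    local = fingerprint(pem_to_der(local_pem))
    return any(fingerprint(der) == local for der in metadata_signing_certs(metadata_xml))


# --- constructed sample data (placeholders, not real certificates) ---
_FAKE_DER = b"constructed placeholder bytes, not a real DER certificate"
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/sso/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{_FAKE_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The certificate the application is configured with (matches the metadata).
LOCAL_PEM = f"-----BEGIN CERTIFICATE-----\n{_FAKE_B64}\n-----END CERTIFICATE-----\n"

# A different certificate, e.g. one regenerated after the metadata was exported.
_OTHER_B64 = base64.b64encode(b"a different constructed placeholder").decode()
OTHER_PEM = f"-----BEGIN CERTIFICATE-----\n{_OTHER_B64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for der in metadata_signing_certs(SAMPLE_METADATA):
        print("metadata signing cert:", fingerprint(der))
    print("local cert matches metadata:", metadata_matches_local_cert(SAMPLE_METADATA, LOCAL_PEM))
    print("stale cert matches metadata:", metadata_matches_local_cert(SAMPLE_METADATA, OTHER_PEM))
```

Run it against the real metadata saved from the SP Metadata URL and the PEM the application loads; a mismatch is exactly the condition that produces a digest verification failure on the IdP side, and it usually means the key pair was regenerated after the metadata was exported.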

handnot2 commented 6 years ago

Closing this. Feel free to reopen with additional information if you still have the issue.

alex88 commented 6 years ago

Sorry for the delay, I've actually tried to use the output provided by this library with Azure AD and it was throwing an error saying the request wasn't a valid SAML request. Using another library with the same key instead worked fine; unfortunately, due to timeline restrictions created by the customer I didn't have time to debug it further.

handnot2 commented 5 years ago

Azure doesn't seem to sign the SAML response itself. It signs only the assertion. It would be great if you are able to confirm this works if you set signed_envelopes_in_resp: false in your samly config.

Check the following issue in esaml: https://github.com/handnot2/esaml/issues/18
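Whether the IdP signs the Response envelope, the Assertion, or both is visible in the XML itself: an XML-DSig signature covers the element it is a direct child of, and its Reference URI points at that element's ID. The script below is an added example (not samly's own verification code and not from the esaml issue linked above) that reports which of the two elements carries a signature, so the samly option named in this thread, signed_envelopes_in_resp, can be set to match what the IdP actually sends. The sample responses are constructed, and the signature bodies are placeholders; the script only locates signatures, it does not validate them, which remains the library's job.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _direct_signature(elem):
    """Return the ds:Signature that is an immediate child of elem, if any.

    Only a direct child counts: a signature nested deeper covers a different element.
    """
    for child in elem:
        if child.tag == f"{{{NS['ds']}}}Signature":
            return child
    return None


def _covers(sig, elem) -> bool:
    """True if the signature's Reference URI names the ID of elem."""
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + (elem.get("ID") or "")


def signature_coverage(response_xml: str) -> dict:
    """Report whether the Response envelope and/or the Assertion are signed."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response document")
    coverage = {"response_signed": False, "assertion_signed": False}
    sig = _direct_signature(root)
    if sig is not None and _covers(sig, root):
        coverage["response_signed"] = True
    # Encrypted assertions are not inspected here; their signature is inside the ciphertext.
    for assertion in root.findall("saml:Assertion", NS):
        sig = _direct_signature(assertion)
        if sig is not None and _covers(sig, assertion):
            coverage["assertion_signed"] = True
    return coverage


def signed_envelopes_setting(coverage: dict) -> bool:
    """Value for samly's signed_envelopes_in_resp that matches this IdP.

    Relaxing the envelope requirement is only acceptable when the assertion
    itself is signed; a response with no signature anywhere must be rejected.
    """
    if not coverage["assertion_signed"] and not coverage["response_signed"]:
        raise ValueError("unsigned response: neither envelope nor assertion is signed")
    return coverage["response_signed"]


# --- constructed sample responses (placeholder IDs, issuer and signature values) ---
ASSERTION_ONLY_SIGNED = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z"
    Destination="https://sp.example.test/sso/sp/consume">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_assn1"/></ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same document with an additional signature over the envelope itself.
_ENVELOPE_SIG = """<ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  """
BOTH_SIGNED = ASSERTION_ONLY_SIGNED.replace("<samlp:Status>", _ENVELOPE_SIG + "<samlp:Status>", 1)

if __name__ == "__main__":
    for name, doc in (("assertion only", ASSERTION_ONLY_SIGNED), ("both", BOTH_SIGNED)):
        cov = signature_coverage(doc)
        print(name, cov, "-> signed_envelopes_in_resp:", signed_envelopes_setting(cov))
```

Feed it a Response captured from the IdP (base64-decoded from the SAMLResponse form field) before changing the setting: if only the assertion is signed, the envelope check is what rejects an otherwise valid login, and if nothing is signed the response should be rejected regardless of configuration.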