tngan / samlify

Node.js library for SAML SSO
https://samlify.js.org
MIT License

Signature and Digest Mis-Match when creating LoginResponse #401

Open jhickmanit opened 3 years ago

jhickmanit commented 3 years ago

Hello!

First and foremost, thank you for all your work on this library; it has been great to work with. I am currently struggling with using this library to have my custom app act as an IdP for In-Bound SAML to Okta. The issue I am facing is that the digest value and signature values do not match. This causes a signature validation error in Okta and the following error using xmlsec1:

```
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=353:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: subject=/C=US/ST=California/L=Irvine/O=Onfido/CN=localhost/emailAddress=jeff.hickman@onfido.com; issuer=/C=US/ST=California/L=Irvine/O=Onfido/CN=localhost/emailAddress=jeff.hickman@onfido.com; err=18; msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=392:obj=x509-store:subj=unknown:error=71:certificate verification failed:subject=/C=US/ST=California/L=Irvine/O=Onfido/CN=localhost/emailAddress=jeff.hickman@onfido.com; issuer=/C=US/ST=California/L=Irvine/O=Onfido/CN=localhost/emailAddress=jeff.hickman@onfido.com; err=18; msg=self signed certificate
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=280:obj=sha256:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
```

My IdP setup is as follows:

```js
const fs = require('fs');
const path = require('path');
const saml = require('samlify');

const idp = new saml.IdentityProvider({
  metadata: fs.readFileSync(path.join(__dirname, '../saml/new-idp-metadata.xml')),
  privateKey: fs.readFileSync(path.join(__dirname, '../certs/encryptKey.pem')),
  privateKeyPass: 'foobar',
  isAssertionEncrypted: false,
  loginResponseTemplate: {
    context:
      '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}">' +
        '<saml:Issuer>{Issuer}</saml:Issuer>' +
        '<samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status>' +
        // xmlns:xs / xmlns:xsi are needed because the attribute values below carry xsi:type="xs:string".
        '<saml:Assertion ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' +
          '<saml:Issuer>{Issuer}</saml:Issuer>' +
          '<saml:Subject>' +
            '<saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID>' +
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">' +
              '<saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}"/>' +
            '</saml:SubjectConfirmation>' +
          '</saml:Subject>' +
          '<saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}">' +
            '<saml:AudienceRestriction><saml:Audience>{Audience}</saml:Audience></saml:AudienceRestriction>' +
          '</saml:Conditions>' +
          // AuthnStatement and its children belong to the saml: namespace (the posted template
          // left them unprefixed), and AuthnContextClassRef must carry a real context-class URI,
          // e.g. PasswordProtectedTransport, not the literal text "AuthnContextClassRef".
          '<saml:AuthnStatement AuthnInstant="{IssueInstant}">' +
            '<saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>' +
          '</saml:AuthnStatement>' +
          // samlify's template tag for the attributes list below; without it no AttributeStatement is emitted.
          '{AttributeStatement}' +
        '</saml:Assertion>' + // the posted template never closed the Assertion element
      '</samlp:Response>',
    attributes: [
      {
        name: 'userName',
        valueTag: 'user.userName',
        nameFormat: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
        valueXsiType: 'xs:string',
      },
    ],
  },
});
```

And my SP setup is as such:

```js
const sp = new saml.ServiceProvider({
  metadata: fs.readFileSync(path.join(__dirname, '../saml/sp-metadata.xml')),
  transformationAlgorithms: [
    'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
    'http://www.w3.org/2001/10/xml-exc-c14n#',
  ],
});
```

I can provide more details if needed as well.

tempire commented 2 years ago

I came across a similar issue. It was due to using `fs.readFileSync(templateFilePath, 'utf8')`, which adds a newline to the content of `templateFilePath`.

Stripping `\r|\n` from the end of the file resolved the issue.