Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signature validation failed. SAML Response rejected #282

Open
danielniccoli opened this issue Sep 29, 2021 · 4 comments
Open

Signature validation failed. SAML Response rejected #282

danielniccoli opened this issue Sep 29, 2021 · 4 comments
Labels
help wanted informative

Comments

@danielniccoli
Copy link

Hi,

I use the flask demo and cannot get the signature validation to work.

As far as I know the place to put the IdP Certificate is in the settings-json under idp/x509cert.

I tried to set x509cert to the Base64-encoded certificate string (one-liner) as well as to a file path to the base64-encoded certificate itself. Restarted the demo-server every time. I still get the same error every time.

I left it blank, too, in hope to just omit the validation. But still the same error.

{
    "strict": true,
    "debug": true,
    "sp": {
        "x509cert": "",
        "privateKey": ""
    },
    "idp": {
   
        "x509cert": ""
    }
}
@pitbulk
Copy link
Contributor

pitbulk commented Oct 1, 2021
edited
Loading

I left it blank, too, in hope to just omit the validation. But still the same error.

Signature validation is always required, otherwise, anyone could craft it own SAMLResponse and access your system.

I tried to set x509cert to the Base64-encoded certificate string (one-liner) as well as to a file path to the base64-encoded certificate itself. Restarted the demo-server every time. I still get the same error every time.

Maybe you are registering the wrong x509cert. Makes sure the value you provide to the settings matches the public cert used by the IdP. You could use a browser extension named SAML Tracer (firefox | chrome) in order to record the SAML flow and later inspect it. Check the Signature value.. and check the value of X509Certificate that is the one that must be registereed on php-saml settings.

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#pfxf59f04cc-4f19-fc42-ff60-5a84a3069dde">
    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>EDztjf+gPbmOUDaPdqc1thxhah4=</ds:DigestValue></ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>xxxSignaturexxxx</ds:SignatureValue>
  <ds:KeyInfo>
      <ds:X509Data><ds:X509Certificate>xxxxIdPxxPublicxxCertxxx</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo>
</ds:Signature>

@gardarh
Copy link

gardarh commented Aug 30, 2022

I'm hitting a similar issue against Azure AD with logout (slo) requests. I'm using HTTP GET to process the SLO.

I'm using python3.10 and version 1.14.0 of python3-saml. I am successfully validating saml login requests with the same cert.

Ultimately utils.validate_binary_sign() is returning False but what is being sent to dsig_ctx.verify_binary() looks legit (the signed payload looks like it is formatted according to spec and when I decode the binary signature and urlencode it, it is exactly what I got from the query string).

This is my code (I'm using django):

        saml_config_dict = django_utils.generate_saml_config(client)
        saml_request_object = prepare_saml_request_object(request)
        saml_auth = onelogin_saml2.OneLogin_Saml2_Auth(
            saml_request_object, old_settings=saml_config_dict
        )
        saml_auth.process_slo()
        if len(saml_auth.get_errors()) > 0:
            errors = ", ".join(saml_auth.get_errors())
            print(f"SLO failed, error: {errors}")

Which prints out "SLO failed, error: invalid_logout_response_signature, Signature validation failed. Logout Response rejected"

My saml_request_object is:

{
'https': 'off',
'http_host': 'localhost:8080',
'script_name': '/api/v1/sso/logout-from-idp/',
'get_data': <QueryDict: {
'SAMLResponse': ['fZJBa9wwEIX/itFdlla21pbwGkJTysI2gW7IoZcwtkaJwSsZj9w0/fV1veQQKDmOZt6b90lqCC7jZE/xOS7pB9IUA2F2vD2wp8K5rtey5l6aPS/7neOgteFOdrUzrvZ13bHsEWcaYjgwlUuWHYkWPAZKENJ6JJXiq0EhH2Rld8qWKq9r85Nlt0hpCJA25UtKE1kh4M8yIyeKHN0z5hO8QYDxLQ095QMJmAbxayfWvhi3uNzP8cIHN4l1cXgP/xAP7P7u6+n+2/HuSRqttO69K8CoUhm/EmBVVlVRAbh9J0tTo1d7lv2+jIHsdhsHtszBRqCBbIALkk29Pd98P9mV0U5zTLGPI2ubjXa+Sj8XARHO/2hZ+05LifLXIbj4SnnAJNBpqHznuJaoeAlec+OV57KoKuWdckbXohHXnW1zfbdzgrTQx+pLdJg9wrjg55lom7bnpe+RiIm2ER9Nxf/+RvsX'],
'RelayState': ['https://*redacted*/api/v1/rest-auth/logout/'],
'Signature': ['AzuOHsUAq/0T0nfzAXENyX17C4JCd4gKkvwEmLOdbbnCgVLaaId1Z00VkTGVA+gR5yH5jbBPT9T6JCCk35TwQlMsD46qbwhTYwf7pV4705BwLkfTA0gwYsiPC2WlN2Nb+xFJV96OMSFEZdv5mOQX0r1CtYpZRV9vwCp+DA7XYKtjLdkF9q+KoibkeSjOUBR2nfDpCd3PxXLGu/ZLYtpt186LgwL7PX6CKIbNeKRz3gJ4Z1Lcv02WvF1riFdtAZOizuS9jwVFFcP2pDBDxpdXssNMruNa9mxRjg4j29vNKc3tc2x58rx4GfwS7GOZk+rlVsqjCS5L290JZvmizJxYpQ=='],
'SigAlg': ['http://www.w3.org/2001/04/xmldsig-more#rsa-sha256']
}>,
'post_data': <QueryDict: {}>, 'server_port': 8080
}

And my saml_config_dict is:

{'debug': False,
 'idp': {'certFingerprint': '',
         'certFingerprintAlgorithm': 'sha1',
         'entityId': 'https://sts.windows.net/ed5a7fbd-50e2-4af5-9f2f-03772fd2d958/',
         'singleLogoutService': {'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                                 'url': 'https://login.microsoftonline.com/ed5a7fbd-50e2-4af5-9f2f-03772fd2d958/saml2'},
         'singleSignOnService': {'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                                 'url': 'https://login.microsoftonline.com/ed5a7fbd-50e2-4af5-9f2f-03772fd2d958/saml2'},
         'x509cert': '-----BEGIN CERTIFICATE-----\n'
                     'MIIC8DCCAdigAwIBAgIQGKzmgsp5PoVJDvN6LkJz9DANBgkqhkiG9w0BAQsFADA0\n'
                     'MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZp\n'
                     'Y2F0ZTAeFw0yMjA2MTcxMzU5NTBaFw0yNTA2MTcxMzU5NTBaMDQxMjAwBgNVBAMT\n'
                     'KU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjAN\n'
                     'BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx+4SBAmWmGEvSwyevRS4SqNO8gDo\n'
                     '/mE8UjrcM+wXNlDxNLHbuTqFqyaoanoLXvqZwrwjfpdpR9mB3EXdv3rio7jZNteA\n'
                     'gbouoC+dbwNF89na4Y3Jx3cdMGvA+JQhRoXHgvwp3IKqCYv4PkOQMe7NepdUSIkb\n'
                     'XorkRFOs4JQQTdj5shDo/+sQvJJIiZ9obgc43xyWYAhauNumlM2fwMBDgw1ZZvD1\n'
                     '55MMT20rh7wNURXQGmP9qzZClqdybImu+2AEmfdO85kKm+QVxZqQ3y0YFFkPELvF\n'
                     'P3X++ZZOSl8Dv6Rf6kqRPImoTOrbFWv//MldzAJw5BSZUpn4JQlJ/MFqLQIDAQAB\n'
                     'MA0GCSqGSIb3DQEBCwUAA4IBAQC10pmV/ddMF/G8mxZ2KLziqMSclZezjIjAJbs0\n'
                     'EJcvBU5qii+hqs/t7rJuoERDzKiJeoDZgqX+anvDH7wmB7kODUyQyfXK1uern97G\n'
                     'V9+31Xm5zq1HIdjzfz4H5HMBSsMt919u/hwYbsWQjSrMmnLI61c9+wX//GCorv9Z\n'
                     'vbKrjn/38J/twSFna7F5+uF2a06ANG3IyYCCSbSSV+MO2Y/rCPbiFpyXYHelarMG\n'
                     'nLCsLA3tJmDNWcyoMOimANDwZc3+e4jW/pvIILvSUuASMk3dtMt80qfoLqfc4gJf\n'
                     'rlq8i8Qe4d4luRJLVSDKa7SARqhMj22lsjNOk7vOy6Bjgq5W\n'
                     '-----END CERTIFICATE-----\n'},
 'security': {'allowRepeatAttributeName': False,
              'authnRequestsSigned': False,
              'digestAlgorithm': 'http://www.w3.org/2001/04/xmlenc#sha256',
              'failOnAuthnContextMismatch': False,
              'logoutRequestSigned': False,
              'logoutResponseSigned': False,
              'metadataCacheDuration': None,
              'metadataValidUntil': None,
              'nameIdEncrypted': False,
              'rejectDeprecatedAlgorithm': False,
              'requestedAuthnContext': True,
              'requestedAuthnContextComparison': 'exact',
              'signMetadata': False,
              'signatureAlgorithm': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
              'wantAssertionsEncrypted': False,
              'wantAssertionsSigned': False,
              'wantAttributeStatement': False,
              'wantMessagesSigned': False,
              'wantNameId': True,
              'wantNameIdEncrypted': False},
 'sp': {'NameIDFormat': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        'assertionConsumerService': {'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                                     'url': 'http://localhost:8080/api/v1/sso/login/'},
        'attributeConsumingService': {},
        'entityId': 'https://localhost/sso/sp/',
        'privateKey': '',
        'singleLogoutService': {'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                                'url': 'http://localhost:8080/api/v1/rest-auth/logout/'},
        'x509cert': ''},
 'strict': True}

Is there anything obviously wrong with my setup? Could anyone verify that the SLO works against Azure AD with a similar configuration?

@pitbulk
Copy link
Contributor

pitbulk commented Dec 25, 2022
edited
Loading

Is possible that more than 1 certificate is registered at AzureAD and during the SLO a different x509cert/private key pair was used than the one registered?

Also try to play with the setting: lowercase_urlencoding

@ghazi-git
Copy link

ran into the same issue as gardarh today: logout request with a django web app, using MS Entra ID (previously Azure AD). Setting lowercase_urlencoding=True fixed the issue.

Thank you @pitbulk

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted informative
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pitbulk @gardarh @danielniccoli @ghazi-git