
Signature validation failing #284

Open
albertw opened this issue Oct 13, 2021 · 10 comments

Comments

@albertw

albertw commented Oct 13, 2021

Hi,

I'm having trouble verifying a SAML response assertion with the demo code and getting "Signature validation failed. SAML Response rejected" after I sign into SSO.

I've extracted the xml by adding some debugging into the app and can verify the assertion with xmlsec1:

```
# xmlsec1 --verify --id-attr:ID Assertion --pubkey-cert-pem idcs.cer r4.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
```

I have the same "idp" {"x509cert":...} in the settings.

The verification seems to fail at dsig_ctx.verify() in utils.validate_node_sign, but checking some debug output there seems to show that the right cert and signature_node are being used so I'm at a loss how to debug this further.

The docs mention trying to set validate_signature_from_qs and providing a query string, but I'm not familiar enough with SAML to know what such a query string should look like.

I'd rather not post the response and certs here, but can email them if someone can help.

Thanks.

@pitbulk
Contributor

pitbulk commented Oct 14, 2021

validate_signature_from_qs is something to review for the HTTP-Redirect binding; I guess you are using the HTTP-POST binding for processing the SAMLResponse at the ACS endpoint.

Can you try if this tool validates the Signature properly?
https://www.samltool.com/validate_response.php

@albertw
Author

albertw commented Oct 14, 2021

Hi Sixto,

Thanks for getting back to me. Yep, that site, given the same entity IDs, target URL and key that I'm using in the settings.json, says that the SAML response is valid.

@pitbulk
Contributor

pitbulk commented Oct 14, 2021

It's strange that it only fails on python3-saml.

Just for testing/debug.... are you able to temporarily switch from python3-saml to python-saml (if you are using py2) and see if it also fails there?

@albertw
Author

albertw commented Oct 18, 2021

Hi, it took a while to get the python2 environment working but in the end yes the demo django app in python-saml does work without errors and I get shown the attrs page after login. No mention of failure to validate.

@rmalik2018

Hello, Any update on this ? I am getting same issue.

If I use python3-saml , I get

Unable to verify the signature

python-saml works ok.

@pitbulk
Contributor

pitbulk commented Dec 25, 2022

@rmalik2018 were you able to solve the issue?

@rmalik2018

Still have got the issue unfortunately. Thanks for following it up.

@xadaemon

xadaemon commented Jan 4, 2023

Do you use <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> by chance? I lost sleep over this: in the snippet below, the lib will outright reject SHA-1 and not mention that the verification is failing because of it, at least not in the error you get when you try to get the latest error, @rmalik2018

```python
# Fragment of OneLogin_Saml2_Utils.validate_node_sign (onelogin/saml2/utils.py).
# sign_node is the ds:Signature element being verified; the imports are the
# ones that module uses for the names below.
from onelogin.saml2.constants import OneLogin_Saml2_Constants
from onelogin.saml2.errors import OneLogin_Saml2_ValidationError
from onelogin.saml2.xml_utils import OneLogin_Saml2_XML

dig_method_node = OneLogin_Saml2_XML.query(sign_node, './/ds:DigestMethod')
if dig_method_node:
    dig_method = dig_method_node[0].get("Algorithm")
    # Any DigestMethod URI listed in DEPRECATED_ALGORITHMS (SHA-1 based) is rejected
    if dig_method in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
        raise OneLogin_Saml2_ValidationError(
            'Deprecated digest algorithm found: %s' % dig_method,
            OneLogin_Saml2_ValidationError.DEPRECATED_DIGEST_METHOD
        )
```
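A quick way to answer the question above for a captured login: decode the base64 SAMLResponse that the HTTP-POST binding delivers to the ACS and list, per signed element, the SignatureMethod and DigestMethod URIs it declares. This is an added example, not code from the thread or from python3-saml. It uses only the Python standard library; the SAMLResponse is a constructed sample whose SignatureValue and DigestValue are placeholders (the script inspects declared algorithms, it does not verify the signature); and the SHA1_ALGORITHMS set is this script's own list, to be compared with OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS in the python3-saml version actually installed.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 messages and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# SHA-1 based XML Signature algorithm URIs. Assumption: this is the checker's
# own list; compare it with OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS of
# the python3-saml version you run before relying on it.
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",      # DigestMethod
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",  # SignatureMethod
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",  # SignatureMethod
}

# Constructed sample: an unsigned Response carrying an Assertion signed with
# rsa-sha1 / sha1. SignatureValue and DigestValue are placeholders.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2021-10-13T10:00:00Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2021-10-13T10:00:00Z">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_assert1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# The HTTP-POST binding delivers the message as a base64 form field.
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML).decode("ascii")

# Same message re-declared with SHA-256 algorithms, for the negative case.
SAMPLE_SAML_RESPONSE_SHA256 = base64.b64encode(
    SAMPLE_RESPONSE_XML
    .replace(b"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             b"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    .replace(b"http://www.w3.org/2000/09/xmldsig#sha1",
             b"http://www.w3.org/2001/04/xmlenc#sha256")
).decode("ascii")


def signature_algorithms(saml_response_b64):
    """List every ds:Signature with the element it is attached to (Response or
    Assertion) and the SignatureMethod / DigestMethod URIs it declares."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # ElementTree has no parent pointers; build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    report = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        signed = parent_of[sig]
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        digests = sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        report.append({
            "signed_element": signed.tag.rsplit("}", 1)[-1],  # strip {namespace}
            "signed_id": signed.get("ID"),
            "signature_method": None if method is None else method.get("Algorithm"),
            "digest_methods": [d.get("Algorithm") for d in digests],
        })
    return report


def deprecated_algorithms(saml_response_b64):
    """Return one finding per SHA-1 algorithm found, naming the signed element."""
    findings = []
    for entry in signature_algorithms(saml_response_b64):
        where = "%s[ID=%s]" % (entry["signed_element"], entry["signed_id"])
        if entry["signature_method"] in SHA1_ALGORITHMS:
            findings.append("%s: SignatureMethod %s" % (where, entry["signature_method"]))
        for alg in entry["digest_methods"]:
            if alg in SHA1_ALGORITHMS:
                findings.append("%s: DigestMethod %s" % (where, alg))
    return findings


if __name__ == "__main__":
    import sys
    # Pass the raw SAMLResponse form value as the only argument, or run with
    # no argument to inspect the constructed sample.
    message = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_SAML_RESPONSE
    for line in deprecated_algorithms(message) or ["no SHA-1 algorithms declared"]:
        print(line)
```

Run it against the SAMLResponse value pulled from the POST to the ACS (the same XML that was fed to xmlsec1, before or after base64 decoding as appropriate). If it reports a SHA-1 SignatureMethod or DigestMethod on the Assertion, the rejection comes from the deprecated-algorithm check in the snippet above rather than from a wrong certificate, which is why xmlsec1 and the samltool.com validator can still report the signature itself as valid.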

@xadaemon

xadaemon commented Jan 4, 2023

I will have to fork the lib for our purposes since we must still support SHA-1 :(, so I also take the chance to raise this question: is the deny really needed? Or could we at least add a bypass? I would like to upstream any changes I may have to make.

@xadaemon

xadaemon commented Jan 5, 2023

Worth noting I'm using encryption with no signatures.
