
We're using ruby-saml to establish our app as a service provider while using Google as an identity provider, though I do not think this question is specific to Ruby or that project.

I have seen this answer from the point of view of an IdP, but I'm hoping to see one from the point of view of an SP, because I have a hard time believing Google is getting the signature on the response wrong.

On top of that, we have successfully integrated with other Google accounts, and they work at the same time this one is broken.

As the service providers, how can we figure out the source of an Invalid Signature on SAML Response from the identity provider?

Sammy Larbi
  • Invalid signature can mean you don't have the public key certificate of the IdP, so you can't validate its signature. Or possibly the way you unmarshal the SAMLResponse adds stuff like whitespace, which can invalidate the signed data. Do you have any logs of the error? – codebrane Feb 15 '18 at 11:35
  • Yes, I have the base 64 response that Google sent, which I can decode. – Sammy Larbi Feb 15 '18 at 13:19

3 Answers


We had the same error, but a different solution. Our problem was invalid characters in the XML response. Both parsing and validation failed. We could substitute the chars before parsing, but then the validation would still fail because of the changed content. The solution was to base64 decode the response and open the XML response in an editor (or online XML validator) to find the problematic data. In our case: attribute name "objectSid" from AD. We then changed the simplesamlphp config so that it sent only the data we needed. Now the response validates and parses without problems. Btw, in "settings.idp_cert" (using the ruby-saml gem) we include both the "begin certificate" and "end certificate" headers.


Also there are browser add-ons that will intercept the saml conversations for debugging purposes.

Also check this for online troubleshooting:

validate response: https://www.samltool.com/validate_response.php (be careful not to paste your private keys online. only public cert is needed for response validation)

validate xml: https://www.xmlvalidation.com

online base64 decode: https://www.samltool.com/base64.php

folium

I ended up using the suggestion to use XMLSec in the answer I referenced in the question, and ran through the decoded base 64 response and the certificate(s) in the metadata file from Google.

That gave me the confidence that there was indeed something wrong with the certificates in the IdP metadata XML file that Google provided.

I then noticed that my working accounts only had 1 certificate in the file, while this one had two. So I removed one, and it did not work. Then I replaced it and removed the other, and it worked.

Then I found out that I could place both certs in the file as long as the working one was first.

I am not sure why there was a difference, and I do not know why Google outputs the certs in an order that XMLSec cannot use to verify the signature.

Perhaps someone with more knowledge than myself can chime in on that, but for now, I'm happy to report that simply reversing the order in which the certs appeared in the IdP metadata file from Google allowed the signature to be verified.

Sammy Larbi

I needed to include this setting as well. YMMV; it seems like the default algo is sha1, but the key and output that I was calculating using the openssl utility were using sha256:

settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha256"
rajat banerjee
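The procedure behind the two answers above (work out which of the certificates in the IdP metadata actually signed the response, then make sure the fingerprint you configure is paired with the digest algorithm it was computed with) as a stand-alone Ruby script. This is added example code, not part of ruby-saml and not code from any of the answers. The IdP metadata, the two self-signed certificates and the abridged SAMLResponse are constructed inline as a fixture, the entityID and subject names are made up, the certificate extraction uses a regex rather than an XML parser so that nothing beyond Ruby's openssl extension is needed, and the algorithm URIs are the ones ruby-saml accepts for idp_cert_fingerprint_algorithm. The script only identifies the certificate and derives the settings; checking the signature bytes themselves is still the job of xmlsec1 --verify or ruby-saml. It assumes the IdP embeds its certificate in the response's KeyInfo, as Google and most other IdPs do.

```ruby
# Added diagnostic (example code, not ruby-saml's own): find which IdP metadata
# certificate matches the certificate the IdP embedded in the response's
# KeyInfo, and derive the ruby-saml settings that pin exactly that certificate.
require 'openssl'

DSIG_NS = 'http://www.w3.org/2000/09/xmldsig#'
# Algorithm identifiers ruby-saml accepts for idp_cert_fingerprint_algorithm.
SHA1_URI   = 'http://www.w3.org/2000/09/xmldsig#sha1'
SHA256_URI = 'http://www.w3.org/2001/04/xmlenc#sha256'

# Core-only base64 helpers so the script needs nothing beyond the openssl extension.
def b64encode(bytes)
  [bytes].pack('m0')
end

def b64decode(text)
  text.unpack1('m')
end

# Every <X509Certificate> in document order. A regex is enough because only the
# base64 payloads are wanted; the namespace prefix (ds:, none, ...) varies by IdP.
def x509_certs(xml)
  bodies = xml.scan(%r{<(?:\w+:)?X509Certificate[^>]*>(.*?)</(?:\w+:)?X509Certificate>}m).flatten
  bodies.map { |b64| OpenSSL::X509::Certificate.new(b64decode(b64.delete(" \t\r\n"))) }
end

# Fingerprint in the AB:CD:... form printed by `openssl x509 -fingerprint` and samltool.
def fingerprint(cert, algorithm = 'SHA256')
  OpenSSL::Digest.new(algorithm).digest(cert.to_der).unpack1('H*').upcase.scan(/../).join(':')
end

# ruby-saml defaults to SHA-1 fingerprints (20 bytes); one produced with
# `openssl x509 -sha256 -fingerprint` is 32 bytes, so its algorithm must be set too.
def algorithm_for_fingerprint(fp)
  case fp.delete(':').length
  when 40 then SHA1_URI
  when 64 then SHA256_URI
  else raise ArgumentError, "fingerprint is neither SHA-1 nor SHA-256 sized: #{fp}"
  end
end

# Compare the certificate in the response's KeyInfo against each metadata certificate.
# The embedded certificate is only a hint about which key was used: trust still comes
# from the metadata, so nil (no match) is a real failure, not something to work around.
def match_signing_cert(response_xml, metadata_xml)
  embedded = x509_certs(response_xml).first
  raise 'no X509Certificate in the response KeyInfo; try each metadata cert in turn' if embedded.nil?
  target = fingerprint(embedded)
  certs  = x509_certs(metadata_xml)
  index  = certs.index { |c| fingerprint(c) == target }
  index && { index: index, fingerprint: target, cert: certs[index] }
end

# Either setting alone pins the key; the fingerprint form must also name its algorithm.
def ruby_saml_settings(match)
  {
    idp_cert: match[:cert].to_pem,
    idp_cert_fingerprint: match[:fingerprint],
    idp_cert_fingerprint_algorithm: algorithm_for_fingerprint(match[:fingerprint])
  }
end

# --- constructed fixture: two metadata certs, the active one listed second ---
def self_signed_cert(cn, key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

def metadata_xml(certs)
  keys = certs.map do |c|
    "<md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"#{DSIG_NS}\"><ds:X509Data>" \
    "<ds:X509Certificate>#{b64encode(c.to_der)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
  end
  "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://idp.example.test\">" \
  "<md:IDPSSODescriptor>#{keys.join}</md:IDPSSODescriptor></md:EntityDescriptor>"
end

def demo_fixtures
  old_cert = self_signed_cert('idp-old', OpenSSL::PKey::RSA.new(2048), 1)
  new_cert = self_signed_cert('idp-new', OpenSSL::PKey::RSA.new(2048), 2)
  # SignedInfo/SignatureValue omitted: only KeyInfo matters for this check.
  response = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_r1\" Version=\"2.0\">" \
             "<ds:Signature xmlns:ds=\"#{DSIG_NS}\"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>" \
             "#{b64encode(new_cert.to_der)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
  { response: response, metadata: metadata_xml([old_cert, new_cert]), certs: [old_cert, new_cert] }
end

if __FILE__ == $PROGRAM_NAME
  fx = demo_fixtures
  match = match_signing_cert(fx[:response], fx[:metadata])
  abort 'no metadata certificate matches the one in the response KeyInfo' unless match
  puts "signing cert is metadata certificate ##{match[:index] + 1} (#{match[:cert].subject})"
  ruby_saml_settings(match).each { |k, v| puts "settings.#{k} = #{v.inspect}" }
end
```

To use it on a real exchange, replace demo_fixtures with the base64-decoded SAMLResponse and the contents of the IdP metadata file. A match at any index other than 0 means that tooling which only honours the first KeyDescriptor will be verifying against the wrong key, which is consistent with the reordering fix reported above; pinning idp_cert to the matched certificate removes the dependence on metadata order. If nothing in the metadata matches, do not fall back to the certificate from the response: that certificate arrived in the same message as the signature and is under the sender's control, so verifying with it proves nothing.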