
I am the SP. I am trying to help the IdP send me (unsolicited SSO) SAML assertions appropriately. But what happens is that the SAML comes without a signature.

In my logs, after the callback phase initiates, it raises an ERROR message:

ERROR -- omniauth: (saml_degreed) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Found an unexpected number of Signature Element. SAML Response rejected

When I copy his SAML message from the terminal and base64 decode it, what I see is a jump from the element <saml:Issuer> to the element <saml:Subject>. There is no <Signature> element.

When I tell him there is no <Signature> element in the message I receive, he sends me (by email) the message he is supposedly sending, with a <Signature> element.

Is there something to be done from my side (SP)? Find my metadata file below. I have already tried changing WantAssertionsSigned to "true" as well as AuthnRequestsSigned, but it still failed.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     cacheDuration="PT604800S"
                     entityID="https://qa.mypage.com">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://qa.mypage.com/students/auth/saml_test/callback"
                                     index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>
Bruno Toledo
    You probably don't want assertions signed, because that overrides signing the entire response (which is better). Having said that, I would recommend the partner trace the process in Chrome with Preserve Log turned on, and you walk through the transaction with them, using SAML decoding tools you find online. I say this, because without giving us an encoded SAMLResponse to evaluate, we can't really help much. – Andrew K. Feb 11 '20 at 22:02
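To see which of the two signing placements the comment above refers to is actually present, the SP can decode the posted SAMLResponse and count ds:Signature elements under samlp:Response and under saml:Assertion. The following is an added diagnostic example, not code from the question or from ruby-saml; the IdP URL, the sample response and the placeholder signature fragment are constructed, and the "acceptable" rule assumes ruby-saml's check is "exactly one Signature on the Response or exactly one on the Assertion".

```ruby
require 'base64'
require 'rexml/document'

SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion'
DSIG  = 'http://www.w3.org/2000/09/xmldsig#'
NS    = { 'samlp' => SAMLP, 'saml' => SAML, 'ds' => DSIG }

# Decode the SAMLResponse form field and report where ds:Signature elements sit.
# The "unexpected number of Signature Element" error is read here (assumption) as:
# neither the Response nor the Assertion carries exactly one Signature.
def signature_report(encoded_response)
  doc  = REXML::Document.new(Base64.decode64(encoded_response))
  root = doc.root
  raise 'not a samlp:Response' unless root && root.name == 'Response' && root.namespace == SAMLP

  response_sigs  = REXML::XPath.match(doc, '/samlp:Response/ds:Signature', NS).size
  assertion_sigs = REXML::XPath.match(doc, '/samlp:Response/saml:Assertion/ds:Signature', NS).size
  encrypted      = !REXML::XPath.match(doc, '/samlp:Response/saml:EncryptedAssertion', NS).empty?
  {
    response_signatures:  response_sigs,
    assertion_signatures: assertion_sigs,
    encrypted_assertion:  encrypted, # an assertion-level signature is hidden until decryption
    acceptable:           response_sigs == 1 || assertion_sigs == 1,
  }
end

# Constructed sample response: Issuer followed directly by Subject, as in the question,
# with an optional Signature fragment inserted directly under samlp:Response.
def sample_response(signature_xml = '')
  Base64.strict_encode64(<<~XML)
    <samlp:Response xmlns:samlp="#{SAMLP}" xmlns:saml="#{SAML}" ID="_r1" Version="2.0"
                    IssueInstant="2020-02-11T22:00:00Z">
      <saml:Issuer>https://idp.example.test</saml:Issuer>
      #{signature_xml}
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
      <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-02-11T22:00:00Z">
        <saml:Issuer>https://idp.example.test</saml:Issuer>
        <saml:Subject><saml:NameID>student@example.test</saml:NameID></saml:Subject>
      </saml:Assertion>
    </samlp:Response>
  XML
end

# Structural placeholder only: no real digest or signature value.
FAKE_SIGNATURE = %(<ds:Signature xmlns:ds="#{DSIG}"><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>)

UNSIGNED_RESPONSE = sample_response                 # what the question describes
SIGNED_RESPONSE   = sample_response(FAKE_SIGNATURE) # response-level signature present
```

Running `signature_report` on the value the IdP actually posts (rather than the copy sent by email) shows directly whether zero, one or several signatures arrived and at which level.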

0 Answers