I am the SP. I am trying to help the IdP to send me (unsolicited SSO) SAML assertions appropriately. But what happens is that the SAML comes without a signature.
In my logs, after callback phase initiates it raises an ERROR message:
ERROR -- omniauth: (saml_degreed) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Found an unexpected number of Signature Element. SAML Response rejected
When I copy his SAML message from the terminal and base64 decode it, what I see is a jump from element <saml:Issuer> to element <saml:Subject>. There is no <Signature> element.
When I tell him there is no <Signature> element in the message I receive, he sends me (by email) the message he is supposedly sending, with a <Signature> element.
Is there something from my side (SP) to be done? Find below my metadata file. I have already tried to change WantAssertionsSigned to "true" as well as AuthnRequestsSigned, but it still failed.
<!-- SP metadata as posted: one HTTP-POST AssertionConsumerService, email-address NameID format -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     cacheDuration="PT604800S"
                     entityID="https://qa.mypage.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
                      WantAssertionsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://qa.mypage.com/students/auth/saml_test/callback"
                                 index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
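A small diagnostic script, added here as an example and not code from the question, from omniauth-saml or from ruby-saml: it base64-decodes the SAMLResponse POST parameter exactly as received at the callback and counts ds:Signature elements in the two places a SAML 2.0 Response may carry one (directly under samlp:Response and directly under saml:Assertion). The metadata flags in the SP descriptor only tell the IdP what the SP wants; they do not make an unsigned response acceptable, so the useful check is what actually arrives on the wire. The sample Response, its Issuer URL and the Signature body are constructed placeholders (no real signature is verified here, only presence and position).

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Standard SAML 2.0 / XML-DSig namespaces (not assumptions)
NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#'
}.freeze

# Constructed placeholder Signature block: enough to detect presence/position,
# not a real signature (SignedInfo and SignatureValue are dummies).
ASSERTION_SIGNATURE = <<~XML
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo/>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
XML

# Constructed sample Response mirroring the shape described in the question:
# Issuer, then (optionally) a Signature, then Subject. Issuer URL is made up.
def build_response(assertion_signature = '')
  <<~XML
    <samlp:Response xmlns:samlp="#{NS['samlp']}" xmlns:saml="#{NS['saml']}"
                    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
                    Destination="https://qa.mypage.com/students/auth/saml_test/callback">
      <saml:Issuer>https://idp.example.test</saml:Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
        <saml:Issuer>https://idp.example.test</saml:Issuer>
        #{assertion_signature}
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">student@example.test</saml:NameID>
        </saml:Subject>
      </saml:Assertion>
    </samlp:Response>
  XML
end

# HTTP-POST binding carries plain base64 (no deflate); strip whitespace that
# terminals and mail clients insert, then decode.
def decode_saml_response(b64)
  b64.gsub(/\s+/, '').unpack1('m')
end

# Count Signature elements by position: on the Response, on the Assertion,
# and anywhere at all (a Signature nested elsewhere is also a problem).
def signature_report(xml)
  doc = REXML::Document.new(xml)
  {
    response:  REXML::XPath.match(doc, '/samlp:Response/ds:Signature', NS).size,
    assertion: REXML::XPath.match(doc, '/samlp:Response/saml:Assertion/ds:Signature', NS).size,
    anywhere:  REXML::XPath.match(doc, '//ds:Signature', NS).size
  }
end

# One-line verdict for the log
def diagnose(xml)
  r = signature_report(xml)
  if r[:anywhere].zero?
    'no Signature element at all: the response arriving at the SP is unsigned'
  elsif r[:response].zero? && r[:assertion].zero?
    'Signature present but not on Response or Assertion: misplaced signature'
  else
    "signed: #{r[:response]} on Response, #{r[:assertion]} on Assertion"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Run against the SAMLResponse value pasted from the callback, or the samples
  raw = ARGV.empty? ? [build_response('')].pack('m0') : ARGV.first
  puts diagnose(decode_saml_response(raw))
end
```

Run it with the SAMLResponse form value pasted from the callback request and, separately, with the base64 of the message the IdP mailed; if the first reports no Signature and the second reports one on the Assertion, the IdP's live unsolicited-SSO flow is not the one that produced the emailed sample.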