Unable to validate Signature


Navi

Dec 13, 2009, 10:10:26 PM
to simpleSAMLphp
Dear Sir,

I am trying simplesamlphp-1.5 to build my SP for SSO, but there is a
problem that stopped me. My SP returns "Unable to validate Signature" after I
authorize from Feide OpenIdP (guest user).

I built my SP following the tutorial "Setting up simpleSAMLphp as a service
provider" with a fake domain, sp.navi.com.

My SP configuration (the 'idp' entry was missing its trailing comma):
---------------------------------
'default-sp' => array(
    'saml:SP',
    'entityID' => 'https://sp.navi.com',
    'idp' => NULL,
    'discoURL' => NULL,
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
)
---------------------------------

and leaving 'idp' as NULL leverages the built-in IdP: https://openidp.feide.no

Here is my SAML AuthnRequest
---------------------------------
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1a1604c93181a3388539342999a4544721e9b85caf" Version="2.0"
    IssueInstant="2009-12-14T02:49:35Z"
    Destination="https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php"
    AssertionConsumerServiceURL="https://sp.navi.com/simplesaml_sp/module.php/saml/sp/saml2-acs.php/default-sp"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.navi.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>
---------------------------------

I also added a file metadata/saml20-sp-hosted.php which is not in the
tutorial. (It caused a problem, "Could not find any default metadata
entities in set [saml20-sp-hosted] for host [sp.navi.com : sp.navi.com/
simplesaml_sp]", so I added it to resolve that.)

And the error message from my SP
---------------------------------
Unable to validate Signature

0: /data/simplesamlphp_sp/lib/SAML2/Utils.php:100 (SAML2_Utils::validateSignature)
1: /data/simplesamlphp_sp/lib/SAML2/Assertion.php:490 (SAML2_Assertion::validate)
2: /data/simplesamlphp_sp/modules/saml2/lib/Message.php:193 (sspmod_saml2_Message::checkSign)
3: /data/simplesamlphp_sp/modules/saml2/lib/Message.php:679 (sspmod_saml2_Message::processResponse)
4: /data/simplesamlphp_sp/www/saml2/sp/AssertionConsumerService.php:107 (N/A)
---------------------------------

I traced the problem and found out that it failed at verifyOpenSSL in
validateSignature.
I have no idea about this failure. :(

Could you kindly help me on this problem?

Thank you very much.

Regards,
Navi

parvendra singh

Dec 13, 2009, 11:39:16 PM
to simple...@googlegroups.com
Hello,

To validate the certificate you need to put certFingerprint in your idp host metadata file.

(e.g. 'certFingerprint'      => '71dce4532c458617b529acdc24806fd5ee59cba9',)
Please take this fingerprint from your IdP; then it will be validated.

And you are correct that you created saml20-sp-hosted.php; by default it's not there.


-Parvendra


--

You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.
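As an added example (not code from the thread or from simpleSAMLphp), this is the check behind Parvendra's advice: the certFingerprint pinned in idp-remote must equal the SHA-1 of the signing certificate published in the IdP's metadata.php, otherwise every response fails at validateSignature. The metadata document below is constructed, and its X509Certificate content is a placeholder (base64 of the bytes "abc"), not a real DER certificate.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like .../saml2/idp/metadata.php output.
# The X509Certificate body is a placeholder (base64 of b"abc"), NOT a real cert.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://openidp.feide.no">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YWJj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def signing_cert_fingerprints(metadata_xml):
    """SHA-1 fingerprints (lowercase hex) of every signing cert in IdP metadata."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' may serve both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # The fingerprint is taken over the DER bytes, so strip whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(hashlib.sha1(der).hexdigest())
    return fps


def normalize_fingerprint(value):
    """Accept 'A9:99:3E..' or bare hex in any case; compare as lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def fingerprint_matches(metadata_xml, configured):
    """True if the configured certFingerprint pins one of the IdP's signing certs."""
    wanted = normalize_fingerprint(configured)
    return len(wanted) == 40 and wanted in signing_cert_fingerprints(metadata_xml)
```

Run it against the real metadata.php output and the value in saml20-idp-remote.php; a False result means the configured fingerprint, not the signature itself, is what is wrong.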



Navi

Dec 14, 2009, 1:35:10 AM
to simpleSAMLphp
Hi Parvendra,

Thanks for your reply.

Actually, I have set it as 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'.
I got the certFingerprint from https://openidp.feide.no/simplesaml/saml2/idp/metadata.php
and converted it with the metadata parser.

Here is my idp-remote configuration, which is one of the default idp-remote
entries in version 1.5.
-----------------------------------
$metadata['https://openidp.feide.no'] = array(
    'name' => array(
        'en' => 'Feide OpenIdP - guest users',
        'no' => 'Feide Gjestebrukere',
    ),
    'description' => 'Here you can login with your account on Feide RnD OpenID. If you do not already have an account on this identity provider, you can create a new one by following the create new account link and follow the instructions.',
    'SingleSignOnService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SingleLogoutService.php',
    'certFingerprint' => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);
-----------------------------------

Is my certFingerprint correct?
Or did I do something wrong?

Navi

parvendra singh

Dec 14, 2009, 1:44:19 AM
to simple...@googlegroups.com
Yes Navi,

Your certFingerprint is correct; now you need a response from openidp.feide.no and it will be validated for sure.

Please let me know if I can be of more assistance.


-Parvendra

Olav Morken

Dec 14, 2009, 1:58:59 AM
to simple...@googlegroups.com
The authentication request contains an AssertionConsumerServiceURL
which doesn't match the AssertionConsumerService the response is sent
to. Did you add the (deprecated) metadata from
"https://.../simplesaml/saml2/sp/metadata.php?output=xhtml" to
OpenIdP?

That does not explain the error during signature validation though.

--
Olav Morken

Navi

Dec 14, 2009, 2:04:37 AM
to simpleSAMLphp
Hi Parvendra,

Actually it still does not work on my SP; that is also the original problem I
met. :(

Do you have any other suggestion on my problem?
Or is there some configuration I can provide to you?

Navi


Navi

Dec 14, 2009, 2:42:59 AM
to simpleSAMLphp
Hi Olav,

Many thanks for your suggestion.
I have set the AssertionConsumerServiceURL and SingleLogoutService
endpoints on OpenIdP;
they are in the SAML2.0 tab of entityID "https://sp.navi.com".
Even after I set them, I still have the problem... :( (got the error on my
AssertionConsumerService page.)

EntityID: https://sp.navi.com
AssertionConsumerServiceURL: https://sp.navi.com/simplesaml_sp/saml2/sp/AssertionConsumerService.php
SingleLogoutService: https://sp.navi.com/simplesaml_sp/saml2/sp/SingleLogoutService.php

Navi

Olav Morken

Dec 14, 2009, 3:57:23 AM
to simple...@googlegroups.com
On Sun, Dec 13, 2009 at 23:42:59 -0800, Navi wrote:
> Hi Olav,
>
> Many thanks for your suggestion.
> I have set the AssertionConsumerServiceURL and SingleLogoutService
> endpoints on OpenIdP;
> they are in the SAML2.0 tab of entityID "https://sp.navi.com".
> Even after I set them, I still have the problem... :( (got the error on my
> AssertionConsumerService page.)
>
> EntityID: https://sp.navi.com
> AssertionConsumerServiceURL: https://sp.navi.com/simplesaml_sp/saml2/sp/AssertionConsumerService.php
> SingleLogoutService: https://sp.navi.com/simplesaml_sp/saml2/sp/SingleLogoutService.php

There are two SPs in simpleSAMLphp:
The old: https://sp.navi.com/simplesaml_sp/saml2/sp/*, configured by
saml20-sp-hosted.php
The new: https://sp.navi.com/simplesaml_sp/module.php/saml/sp/*,
configured in authsources.php.

You currently start authentication from the new SP, but receive the
assertions in the old SP.

The reason is that you have added the metadata for the old SP to
OpenIdP, so openIdp will send the response to the old SP.

The metadata for the new SP is available from:
https://sp.navi.com/simplesaml_sp/module.php/saml/sp/metadata.php/default-sp?output=xhtml

The AssertionConsumerService URL should be:
https://sp.navi.com/simplesaml_sp/module.php/saml/sp/saml2-acs.php/default-sp

The SingleLogoutService URL should be:
https://sp.navi.com/simplesaml_sp/module.php/saml/sp/saml2-logout.php/default-sp

--
Olav Morken
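An added example (not code from the thread or from simpleSAMLphp) of the consistency check Olav performed by eye: compare the AssertionConsumerServiceURL carried in the AuthnRequest with the ACS the IdP has on file for that issuer, and classify each by path as the old (saml2/sp) or new (module.php/saml/sp) simpleSAMLphp SP. The AuthnRequest and the registered-ACS table are constructed from the URLs in this thread.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest modelled on the one posted in the thread (new-style SP).
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-example" Version="2.0" IssueInstant="2009-12-14T02:49:35Z"
    Destination="https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php"
    AssertionConsumerServiceURL="https://sp.navi.com/simplesaml_sp/module.php/saml/sp/saml2-acs.php/default-sp"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.navi.com</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed: the ACS the thread's SP had registered at OpenIdP (the old SP's endpoint).
REGISTERED_ACS = {
    "https://sp.navi.com": "https://sp.navi.com/simplesaml_sp/saml2/sp/AssertionConsumerService.php",
}


def sp_flavour(url):
    """Classify a simpleSAMLphp SP endpoint by its path: 'new', 'old' or 'unknown'."""
    if "/module.php/saml/sp/" in url:
        return "new"
    if "/saml2/sp/" in url:
        return "old"
    return "unknown"


def check_acs_consistency(authn_request_xml, registered_acs):
    """Compare the requested ACS URL with the ACS the IdP has on file for the issuer.

    The IdP delivers the response to the ACS from the SP's registered metadata,
    so a mismatch means the assertion lands in a different SP than the one that asked."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip()
    requested = root.get("AssertionConsumerServiceURL", "")
    on_file = registered_acs.get(issuer)
    return {
        "issuer": issuer,
        "requested_acs": requested,
        "registered_acs": on_file,
        "requested_sp": sp_flavour(requested),
        "registered_sp": sp_flavour(on_file or ""),
        "consistent": on_file is not None and on_file == requested,
    }
```

For the thread's setup the result is requested_sp "new" versus registered_sp "old", which is exactly the split Olav describes; re-registering the new SP's metadata makes the check pass.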

Navi

Dec 14, 2009, 10:50:44 PM
to simpleSAMLphp
Hi Olav.

I very much appreciate your explanation. I totally understood the setting of
the SP.

And I also found that the problem should be caused by my using PHP
version 5.1.
I tested it again successfully on PHP version 5.2.

Thanks again for your help :)

Navi


Olav Morken

Dec 15, 2009, 1:50:16 AM
to simple...@googlegroups.com
On Mon, Dec 14, 2009 at 19:50:44 -0800, Navi wrote:
> Hi Olav.
>
> I very much appreciate your explanation. I totally understood the setting of
> the SP.
>
> And I also found that the problem should be caused by my using PHP
> version 5.1.
> I tested it again successfully on PHP version 5.2.

Was that PHP version < 5.1.2? It is supposed to work with
version >=5.1.2, and if it does not, we need to update the
documentation to reflect this.

> Thanks again for your help :)

You're welcome!

--
Olav Morken

Navi

Dec 15, 2009, 8:55:18 PM
to simpleSAMLphp
Hi Olav,

My environment is PHP 5.1.6 on CentOS 5.3.
But I am not very sure that is the root cause; I just switched to another
environment which is PHP 5.2.6 (downloaded from source) with RHEL Application
Stack version and it worked.

Is there any information I can provide to help you investigate this
problem?

Navi

Olav Morken

Dec 16, 2009, 2:49:44 AM
to simple...@googlegroups.com
On Tue, Dec 15, 2009 at 17:55:18 -0800, Navi wrote:
> Hi Olav,
>
> My environment is PHP 5.1.6 on CentOS 5.3.
> But I am not very sure that is the root cause; I just switched to another
> environment which is PHP 5.2.6 (downloaded from source) with RHEL Application
> Stack version and it worked.
>
> Is there any information I can provide to help you investigate this
> problem?

I did a quick check of the XML canonicalization used in PHP < 5.2.0,
which I thought could be the source of the problem, but it appears to
work correctly for responses sent by OpenIdP.

The jump from CentOS 5.3 probably changed the version of PHP, libxml2
and OpenSSL, all of which may have fixed this issue. I don't think
spending too much time trying to determine what exactly the issue was
is worth it.

--
Olav Morken