SP giving error as "Unable to validate Signature" - CAS 5.3.5

[Jitendra]

Hi,

SAML Response generated by CAS IDP is giving error at SP side (SimpleSAMLphp) as "Unable to validate Signature". 

I have already running application of CAS 3.5.2 with external integration with Shibboleth IdP and now I am tring to integrate new CAS 5.3.5 version using CAS IDP.

Following in the SAML Response generate by IdP for both CAS 5.3.5 and CAS 3.5.2 with external Shibboleth IdP.

SAML Response - CAS 5.3.5

<?xml version="1.0" encoding="UTF-8"?>

<saml2p:Response

    Destination="https://localhost:9443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"

    ID="_5811688302419932870"

    InResponseTo="_2eaf2e28b5216f16033c9426d54214ab6388f7e81f"

    IssueInstant="2018-11-29T21:01:43.318Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">

    <saml2:Issuer

        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8443/idp</saml2:Issuer>

    <ds:Signature

                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

<ds:SignedInfo>

<ds:CanonicalizationMethod

                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

<ds:SignatureMethod

                Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

<ds:Reference

                        URI="#_5811688302419932870">

<ds:Transforms>

<ds:Transform

                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

<ds:Transform

                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

</ds:Transforms>

<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

<ds:DigestValue>b7YffVN2OeWjVJwE+M7Ubu8Y8yuT7AJH0UyZCbSfifY=</ds:DigestValue>

</ds:Reference>

</ds:SignedInfo>

<ds:SignatureValue>

O9KIQejb18K/ME5x0sVfa3vuSJfPDxz5kDLWo6afmWip4LZzA3YNJf7v4e3Fb+9myw1aEPC3XP3b&#xd;

As0WFTeVIzB2zzM7k7PxKQFpZyZ4sWR2gYcpj85AobJVYIJA9uv2CfTPaERE9w5hfU4Pkc/bJ4cb&#xd;

41oHsm6hLVRPZj1Tq68=

</ds:SignatureValue>

<ds:KeyInfo>

            <ds:X509Data>

                <ds:X509Certificate>**** DELETED ****</ds:X509Certificate>

            </ds:X509Data>

        </ds:KeyInfo>

    </ds:Signature>

    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">

        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

    </saml2p:Status>

    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

        <xenc:EncryptedData Id="_820da790be35c89c155513777cd62a67"

            Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

            <xenc:EncryptionMethod

                Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>

            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

                <ds:RetrievalMethod

                    Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_a624d6692b8ac5cf1b149f831bd1aee4"/>

            </ds:KeyInfo>

            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

                <xenc:CipherValue>**** DELETED ****</xenc:CipherValue>

            </xenc:CipherData>

        </xenc:EncryptedData>

        <xenc:EncryptedKey Id="_a624d6692b8ac5cf1b149f831bd1aee4"

            Recipient="https://localhost:9443/simplesaml/module.php/saml/sp/metadata.php/default-sp" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

            <xenc:EncryptionMethod

                Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

                <ds:DigestMethod

                    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>

            </xenc:EncryptionMethod>

            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

                <xenc:CipherValue>**** DELETED ****</xenc:CipherValue>

            </xenc:CipherData>

            <xenc:ReferenceList>

                <xenc:DataReference URI="#_820da790be35c89c155513777cd62a67"/>

            </xenc:ReferenceList>

        </xenc:EncryptedKey>

    </saml2:EncryptedAssertion>

</saml2p:Response>

SAML Response - CAS 3.5.2 with external Shibboleth IdP

<saml2p:Response Destination="https://localhost/Shibboleth.sso/SAML2/POST"

    ID="_2d92ed1015600c258406df9be22f95be" InResponseTo="_3c79c509762462fa063e035b4ac9b6fa"

    IssueInstant="2018-11-29T15:41:52.149Z" Version="2.0"

    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">

    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost/idp/shibboleth</saml2:Issuer>

    <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>

    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

        <xenc:EncryptedData Id="_6d71ffd770ca214f19d05dd34c179bf7"

            Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"

            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>

            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

                <xenc:EncryptedKey Id="_2062d09a80fbd4810e9e733fa0132d9f"

                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"

                        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod>

                    <ds:KeyInfo>

                        <ds:X509Data>

                            <ds:X509Certificate>**** DELETED ****</ds:X509Certificate>

                        </ds:X509Data>

                    </ds:KeyInfo>

                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

                        <xenc:CipherValue>**** DELETED ****</xenc:CipherValue>

                    </xenc:CipherData>

                </xenc:EncryptedKey>

            </ds:KeyInfo>

            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

                <xenc:CipherValue>**** DELETED ****</xenc:CipherValue>

            </xenc:CipherData>

        </xenc:EncryptedData>

    </saml2:EncryptedAssertion>

</saml2p:Response>

And following the my SP Service Registry entry

{

  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",

  "serviceId" : "https://localhost:9443/simplesaml/module.php/saml/sp/metadata.php/default-sp",

  "name" : "SAMLService",

  "id" : 10000003,

  "evaluationOrder" : 10,

  "metadataLocation" : "mylocation/metadata/testsp_metadata.xml",

  "signAssertions": false,

  "signResponses": true,

  "encryptAssertions": true

}

Can anyone please help me in finding out what is the issue in my configuration??

TIA

Jitendra

[Andy Ng]

Hi Jitendra,

I have used CAS 5.3.5 as idp and SimpleSAMLPHP as sp, my SP service registry is just bare-bone and it still works. 

My metadata is also generated, so I don't think CAS generated idp metadata is the problem.

Is it possible to have a look at you `mylocation/metadata/testsp_metadata.xml`, that might also be a place to look for solution.

Cheers!

- Andy

[Jitendra]

Thanks Andy for your response

I have attached the testsp_metadata.xml  file for your reference.

Would there any problem with my  SP service registry entry ? Can you share the reference of your  SP service registry entry ?

Regards

Jitendra

[Jitendra]

Following error is coming on SimpleSAMLPHP SP end.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www\_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to validate Signature
Backtrace:
6 vendor\simplesamlphp\saml2\src\SAML2\Utils.php:179 (SAML2\Utils::validateSignature)
5 [builtin] (call_user_func)
4 vendor\simplesamlphp\saml2\src\SAML2\Message.php:261 (SAML2\Message::validate)
3 modules\saml\lib\Message.php:206 (sspmod_saml_Message::checkSign)
2 modules\saml\lib\Message.php:600 (sspmod_saml_Message::processResponse)
1 modules\saml\www\sp\saml2-acs.php:129 (require)
0 www\module.php:135 (N/A)

Regards
Jitendra

[Andy Ng]

Hi Jitendra,

My SP is basically the same as you, with the exception that I have:

<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">

I don't know if this will make a difference, but you can try add that in and see if that will help you

Cheers!

- Andy

[Jitendra]

Hi

Do I need to change anything at SimpleSAMLPHP configuration to accommodate this changes?

Getting below error at IdP end

<Metadata for [https://localhost:9443/simplesaml/module.php/saml/sp/metadata.php/default-sp] says authentication requests are signed, yet authentication request is not>

Regards

Jitendra

[Jitendra]

Hi Andy

No luck, still getting same error as SimpleSAMLPHP SP side.

Any other input would help

Thanks

Jitendra

[Andy Ng]

I am out of office, and I don't have a working CAS server to test out what happens, see if the other members of the community can help you on that.

- Andy