Caused by: Exception: Unable to validate signature on query string.


stpe...@hotmail.com

May 7, 2018, 3:12:25 PM
to SimpleSAMLphp
I am having some issues with "Unable to validate signature on query string". This was a working set up between me (an SP) and another/third party/remote IDP. They updated their cert. I updated my code and PHP. Then I repeatedly get this error. Or rather they get this error. I initiate the request from the SP. It goes to the IDP and stops with this error. We have repeatedly validated that they have my cert. I have been on Webex and watched them. We have deleted and replaced. I am stuck. What else could be the problem? I have researched your forum and found years ago that the sha256 vs sha1 were an issue for some servers. We verified with a script you had attached to one of those incident questions that they can handle sha256. So I don't know what else to try here. Any thoughts?

stpe...@hotmail.com

May 7, 2018, 6:36:09 PM
to SimpleSAMLphp
I am using PHP 7.2.5 with simplesamlphp 1.15.4.

Any thoughts? Suggestions? Suspicions? Anything at this point would be helpful.

stpe...@hotmail.com

May 7, 2018, 8:59:51 PM
to SimpleSAMLphp
I set up a test IDP on another server and connected this SP to it. I am getting the same error. So it has to be my SP/certificate. But I still don't know what. On the IDP side I see this in the log:
May 07 20:55:32 simplesamlphp DEBUG [921684528c] </samlp:AuthnRequest>
May 07 20:55:32 simplesamlphp DEBUG [921684528c] Has 1 candidate keys for validation.
May 07 20:55:32 simplesamlphp DEBUG [921684528c] Validation with key #0 failed with exception: Unable to validate signature on query string.
May 07 20:55:32 simplesamlphp ERROR [921684528c] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

So it recognizes the SP from the metadata. So why can it not use the cert to validate it? Weird.

stpe...@hotmail.com

May 7, 2018, 9:18:55 PM
to SimpleSAMLphp
In the SP logs I see these errors:
SimpleSAML_Error_Exception: Error 2 - session_cache_limiter(): Cannot change cache limiter when headers already sent

Error loading session: Disabling PHP option session.use_cookies failed.

Any relation to my unvalidated signature? I saw this but I have 1.15.4 so it should be fixed, right? https://github.com/simplesamlphp/simplesamlphp/issues/793


Tim van Dijen

May 8, 2018, 2:51:15 AM
to SimpleSAMLphp
The signature issue is likely a configuration issue on the SP.
Try and configure the 'signature.algorithm' in the saml20-idp-remote.php file to match what the IdP is expecting. If not set, I think it will default to SHA1.
The easiest way to debug these kinds of issues would be to make a trace using https://addons.mozilla.org/nl/firefox/addon/saml-tracer/ so you can actually see what algorithms are being used by the SP.

The issue with `session_cache_limiter()` has already been solved and will be part of the next release.
You can easily fix this yourself for now by swapping two lines of code.

- Tim

Jaime Perez Crespo

May 8, 2018, 2:53:58 AM
to simple...@googlegroups.com
Hi,

On 8 May 2018, at 02:59 AM, stpe...@hotmail.com wrote:
> I set up a test IDP on another server and connected this SP to it. I am getting the same error. So it has to be my SP/certificate. But I still don't know what. On the IDP side I see this in the log:
> May 07 20:55:32 simplesamlphp DEBUG [921684528c] </samlp:AuthnRequest>
> May 07 20:55:32 simplesamlphp DEBUG [921684528c] Has 1 candidate keys for validation.
> May 07 20:55:32 simplesamlphp DEBUG [921684528c] Validation with key #0 failed with exception: Unable to validate signature on query string.
> May 07 20:55:32 simplesamlphp ERROR [921684528c] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> So it recognizes the SP from the metadata. So why can it not use the cert to validate it? Weird.

Because the certificate used to verify the signature doesn’t match the private key used to sign it.

Check your setup. It looks like the private key and the certificate you have configured don’t belong together.


Jaime Pérez
Uninett / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
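One concrete way to run the check Jaime suggests, verifying that the SP's private key and certificate actually belong together, is to derive the public key from each and compare them. This is an added example, not code from the thread or from SimpleSAMLphp; it assumes the openssl CLI is installed and generates its own throwaway key pairs so it runs offline.

```shell
#!/bin/sh
# Added example: detect the "private key and certificate don't match"
# misconfiguration behind "Unable to validate signature on query string".
# Assumes the openssl command-line tool is available.

# Returns 0 when the public key embedded in the certificate ($2) equals the
# public key derived from the private key ($1); returns 1 otherwise or when
# either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Constructed test material (not from the thread): a fresh self-signed
# key/cert pair written to $1 (key) and $2 (cert).
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -days 1 -subj "/CN=sp.example.test" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pair "$WORK/a.key" "$WORK/a.crt"   # the pair an SP should be configured with
make_pair "$WORK/b.key" "$WORK/b.crt"   # a second pair, to simulate a stale key

if key_matches_cert "$WORK/a.key" "$WORK/a.crt"; then
    echo "a.key / a.crt: key and certificate match"
fi
if ! key_matches_cert "$WORK/b.key" "$WORK/a.crt"; then
    echo "b.key / a.crt: MISMATCH - signatures made with b.key will never verify against a.crt"
fi
```

Point the function at the `privatekey` and `certificate` files your SP metadata/config references; a mismatch here reproduces the IdP-side "Validation with key #0 failed" exactly.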

Peter Schober

May 8, 2018, 5:01:33 AM
to SimpleSAMLphp
* stpe...@hotmail.com <stpe...@hotmail.com> [2018-05-08 02:59]:
> I set up a test IDP on another server and connected this SP to it. I
> am getting the same error. So it has to be my SP/certificate. But I
> still don't know what.

Other than what Jaime said (the cert just not matching the key) you
should ask yourself why your SP is signing authentication requests in
the first place.
The IDP receiving those can verify the identity of the SP and the
requested delivery address for the response using SAML Metadata (or
local configuration). So signing the request does not provide
additional /anything/.
OTOH if any (cheap) HTTP GET to (a protected resource on) your SP will
trigger a(n expensive) cryptographic signing operation, you're
actually putting your SP at risk of DoS attacks. And for what gain?
-peter