2 signature values in SAML Response ?


n.mcl...@imperial.ac.uk

Jun 17, 2013, 8:58:32 AM
to simple...@googlegroups.com
My Simple SAML Identity Provider v1.8 & also v1.10 (PHP 5.3.3) outputs 2 signature values in the SAML response. One outside the assertion and one inside the assertion.
Is this correct? The response example at https://rnd.feide.no/2007/12/10/example_saml_2_0_request_and_response/ only shows one signature which is within the assertion.
I ask because a service provider is unable to validate the outer signature for some reason. What is the signature outside assertion used for and how can I disable the use of it?
 
Below is the response from my Identity provider.
 
 
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_62f19ea3a8857b9ad77a6d5ac960322798a74d618f"
                Version="2.0"
                IssueInstant="2013-06-17T11:56:45Z"
                Destination="https://icsamlsdp.cc.ic.ac.uk/simplesaml/module.php/saml/sp/metadata.php/icsamltest"
                >
    <saml:Issuer>https://icsamltest2.cc.ic.ac.uk/simplesaml/saml2/idp/metadata.php</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_62f19ea3a8857b9ad77a6d5ac960322798a74d618f">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>i5V6glduk2J7dNqJl5uf9DdELAU=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PpreJrEMIak7PbMLWsgA1wnoFA6Y91J/ZVWjOz2CHq0JFHQSKU0jQ6Xrccb+y/u+aCx/1ttsRuUxfEhixbhnZLXYcf5c/Dyeo8BQbG8Qfebyn0Xxjubyw6203LcUMRNX8ZPkPyTlqScNO1YemPuuqBzwKf/AG2+iAZR4YlOi0JZ2/RzR+gv+cBecSnCT+8/8ZyA+zESIs2wtZ6p9krmxGsfuFy+uCi2nbH7g2zNcLR8HFlEHXCRvLNIMV/xPeC9A285ZRo65w9bC6XuNwLzovzL/SPgzDix6wtjY953jmm3aF9wNZyQZter870Qd7Tt6dwLhqDrX6EmeK1AIVnCzJw==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>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</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    ID="_3f4afa786494b76ab780a937a4c9cdd0b7cc0e9c72"
                    Version="2.0"
                    IssueInstant="2013-06-17T11:56:45Z"
                    >
        <saml:Issuer>https://icsamltest2.cc.ic.ac.uk/simplesaml/saml2/idp/metadata.php</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_3f4afa786494b76ab780a937a4c9cdd0b7cc0e9c72">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>OIQ+pxy6fpz5yZNR5QSu98+V4mM=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>SmELBvOW02pMFXZgZzzSER0wyYNeiSYz+jBolxVH8bYtj72XO0J/+J4ihLt49uIxIhNQA89LgIVp7Vja3eKSqNg0Q277CZgcPA7q2zsxPl/J74m15wo0ehrzvgFgYDMTK75nIMACn9grGu8B5bXkU6hdWauXtsMSI7kj3UlSnZN9inbTL83N0l+9/n3kNKZdy/RKjKZUMcCKokYj8UP9XqvYY0LnB5vNvxFOMgfUD7jypj1XnHYLNdVkZ831bgYszSEjnnl0FPSfwzwdNuWI4L96gCXkKYXCesBvdcMoTmvY7xCkRMm221K648C4Jn4suG8athYfcH4DxzOE1RSU+w==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIELzCCAxegAwIBAgIJAI1y/4grPMgOMA0GCSqGSIb3DQEBBQUAMIGtMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEPMA0GA1UEBwwGTG9uZG9uMSAwHgYDVQQKDBdJbXBlcmlhbCBDb2xsZWdlIExvbmRvbjEMMAoGA1UECwwDSUNUMRswGQYDVQQDDBJpY3NhbWwuY2MuaWMuYWMudWsxLjAsBgkqhkiG9w0BCQEWH2ljdC11bml4YWRtaW4tZGxAaW1wZXJpYWwuYWMudWswHhcNMTIwMzMwMDg1MTU0WhcNMjIwMzMwMDg1MTU0WjCBrTELMAkGA1UEBhMCR0IxEDAOBgNVBAgMB0VuZ2xhbmQxDzANBgNVBAcMBkxvbmRvbjEgMB4GA1UECgwXSW1wZXJpYWwgQ29sbGVnZSBMb25kb24xDDAKBgNVBAsMA0lDVDEbMBkGA1UEAwwSaWNzYW1sLmNjLmljLmFjLnVrMS4wLAYJKoZIhvcNAQkBFh9pY3QtdW5peGFkbWluLWRsQGltcGVyaWFsLmFjLnVrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1aEVK9wP/uxWfArCz2K7MjWvKUzdhY12VDTHxQQtobu6KD6ZH3IeSMyOkyFAzDIRDJQ6SVzAo5jqKd+LgsuOv8ZtF2zm1A00Kgh3wrjJSRGpTHW25BChD8jtMa5/c7zMqpXnz3CsfvH0xuUOAKsZf6KyvLNmS0OUl9zJD4Xg1el/qsmlNf3xcqc0koLEgqJKZf/GyX+097DK98t0iX8jwb1aEwlPczC3RSrl+94kHjyKR42q97sxt6GS3aRFbL0B6VNyKkpIDnvOnvJK6Lhv6di9P+hkOuI2pwDGik+monk+c0L4+DdpuD/sFLby/F6seuZh0mc80ytjTlwvyVo56QIDAQABo1AwTjAdBgNVHQ4EFgQUQpdyh9B0jnEmUIjCLS8JQ1fbCdQwHwYDVR0jBBgwFoAUQpdyh9B0jnEmUIjCLS8JQ1fbCdQwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEASspjPd+YJfICLuHMxlSOdFyN/LHXa4D3gMaGdZj0kjAgb9fC8ufx8PrfWr73imgN48uv4Noc82VNrsQKxmFTW45NWww7BxxGM0pl1EXhyVe9QVHHbpMNCksWhneJOfOV5NJ6qq4NH1JrYH/nKQb5D623MCTSWNlnTF1TTpHkr3KkocwoNAMwiB64TKmv9d09+jHDCPr8C/gGZKPTT/bE3w4Ub9++RFohxVyqhSL1LnbDp4UHQneQ7Ut4bex9TMDn43rqGL+HdE6PrHMi/+ne2a+oSEpIRaguzA+0bFdt93rwLTznwnUAzdOggYFFk/Lmu9ePGL/Ow5HFMgNMZ9vATA==</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID SPNameQualifier="https://icsamlsdp.cc.ic.ac.uk/simplesaml/module.php/saml/sp/metadata.php/icsamltest2"
                         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:uri"
                         >ab8b9ac11a0618d77bfbf2c3a420db50deffc46f</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2013-06-17T12:01:45Z"
                                              Recipient="https://icsamlsdp.cc.ic.ac.uk/simplesaml/module.php/saml/sp/metadata.php/icsamltest"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2013-06-17T11:56:15Z"
                         NotOnOrAfter="2013-06-17T12:01:45Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>https://icsamlsdp.cc.ic.ac.uk/simplesaml/module.php/saml/sp/metadata.php/icsamltest2</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2013-06-17T11:56:35Z"
                             SessionNotOnOrAfter="2013-06-17T19:56:45Z"
                             SessionIndex="_b3ce12c4752d7f9a52492305a1b4d6ee245d892801"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>
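
To see concretely what each of the two signatures in a response like the one above covers, here is a small structural diagnostic. It is an added example, not code from the thread or from SimpleSAMLphp: it lists every ds:Signature, resolves its Reference URI to the element carrying that ID, and checks that this element is the Signature's own parent (the plain enveloped case for both the Response and the Assertion). The embedded sample is a constructed, trimmed copy of the structure above with placeholder IDs, issuer, digests and signature values; it checks structure only and does not verify any digest or key.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, trimmed copy of the structure in the response above:
# digests, signature values and certificates are replaced by placeholders,
# since only the element/ID structure matters to this check.
SAMPLE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
    <ds:Reference URI="#_resp1"><ds:DigestValue>d1</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>s1</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_asn1" Version="2.0">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
      <ds:Reference URI="#_asn1"><ds:DigestValue>d2</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>s2</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def local(tag):
    """Strip the Clark-notation namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def describe_signatures(xml_text):
    """For every ds:Signature in a SAML message, report which element its
    Reference URI points at and whether that element is the Signature's own
    parent, i.e. a plain enveloped signature over Response or Assertion.
    Structural diagnostic only: no digest or key is verified here."""
    root = ET.fromstring(xml_text)
    parent_of = {child: p for p in root.iter() for child in p}
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    report = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        uri = ref.get("URI", "") if ref is not None else ""
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        report.append({
            "uri": uri,
            "covers": local(target.tag) if target is not None else None,
            "enveloped_in_target": target is not None and target is parent_of[sig],
        })
    return report


if __name__ == "__main__":
    for entry in describe_signatures(SAMPLE):
        print(entry)
```

Run against a real response, the first entry is the outer signature over the whole samlp:Response and the second the one inside saml:Assertion; a Reference whose target is not the Signature's parent is worth a closer look before the SP trusts it.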
Matthew Hillman

Nov 12, 2015, 6:41:58 PM
to SimpleSAMLphp
I'm having the same issue. The service provider is getting a "Can't validate SAML response" error because there are two <ds:Signature> elements being sent through (both of which are the same, mind you). Any ideas?

Jaime Perez Crespo

Nov 13, 2015, 4:28:41 AM
to simple...@googlegroups.com
Hi Matthew,

You are replying to a 2-year-and-a-half old thread. Next time it might be more useful to start a new one.

> On 13 Nov 2015, at 00:41 AM, Matthew Hillman <mat...@intersect.org.au> wrote:
> I'm having the same issue. The service provider is getting a "Can't validate SAML response" error because there are two <ds:Signature> elements being sent through (both of which are the same, mind you). Any ideas?

I seriously doubt both of them are the same (though they can be pretty similar, of course).

In any case, I understand you are the IdP, and the problem here is that the SP can’t deal with both the SAML response and the SAML assertion being signed at the same time. That’s quite unfortunate, because that is completely allowed by the SAML specifications.

In any case, talk to your SP to learn what they want you to sign (either the response or the assertion), and change the configuration of your IdP accordingly. Remember that you can fine-tune your configuration per SP, by adding specific configuration directives to the PHP metadata corresponding to the SP instead of the hosted IdP metadata.

https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote

Out of curiosity: do you know what software the SP is running?

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Matthew Hillman

Nov 17, 2015, 11:46:23 PM
to SimpleSAMLphp
Hi Jaime,

The service provider is ServiceNow; I'm not sure what's under the hood, but they use JavaScript scripts that can be modified by administrators to control the site, and I think it might be those that parse the response.

I'll have to dig further into the IDP config to see where these options are.

Thanks for your help!

Matt

Peter Schober

Nov 18, 2015, 3:47:29 AM
to SimpleSAMLphp
* Matthew Hillman <mat...@intersect.org.au> [2015-11-18 05:46]:
> I'll have to dig further into the IDP config to see where these options are.

> On Friday, 13 November 2015 20:28:41 UTC+11, Jaime Pérez wrote:
> > https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
> > https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote

Jaime already pointed you to the documentation for those. Going with
per-SP config for now (to not change the way your IDP works in general):

# https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
This is a reference for metadata options available for metadata/saml20-sp-remote.php

So this is where the config parameters need to go.
And this is what you want to change/add there:

# https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote#section_2
saml20.sign.assertion
Whether <saml:Assertion> elements should be signed. Defaults to TRUE.
Note that this option also exists in the IdP-hosted metadata. The
value in the SP-remote metadata overrides the value in the IdP-hosted metadata.

or

saml20.sign.response
Whether <samlp:Response> messages should be signed. Defaults to TRUE.
Note that this option also exists in the IdP-hosted metadata. The
value in the SP-remote metadata overrides the value in the IdP-hosted metadata.

You don't even need to interact with the SP to find out which version
they can accept, just set one of those to FALSE, then try the other.
Keep the working version (doh!).
-peter

Matthew Hillman

Nov 22, 2015, 8:03:46 PM
to SimpleSAMLphp, peter....@univie.ac.at
Hi Peter, Jaime,

Thanks for all that. Turns out this was one of a few issues with getting it to work with the service provider. But I modified the above like you mentioned, plus a few other configuration changes, and it's now all good.

Cheers for expanding my knowledge on this part of simplesaml!
Matt