Trying to integrate a customer's Azure AD into SimpleSAMLphp 1.14.17 running as an SP. I can get this working fine with my own Azure AD, but attempting to authenticate via the customer's AD results in the error "Unable to validate Signature".
The backtrace we get on failure is:
Backtrace:
0 /xxx/vendor/simplesamlphp/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Unable to validate Signature
Backtrace:
6 /xxx/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:157 (SAML2_Utils::validateSignature)
5 /xxx/vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:584 (SAML2_Assertion::validate)
4 /xxx/vendor/simplesamlphp/simplesamlphp/modules/saml/lib/Message.php:201 (sspmod_saml_Message::checkSign)
3 /xxx/vendor/simplesamlphp/simplesamlphp/modules/saml/lib/Message.php:552 (sspmod_saml_Message::processAssertion)
2 /xxx/vendor/simplesamlphp/simplesamlphp/modules/saml/lib/Message.php:524 (sspmod_saml_Message::processResponse)
1 /xxx/vendor/simplesamlphp/simplesamlphp/modules/saml/www/sp/saml2-acs.php:129 (require)
0 /xxx/vendor/simplesamlphp/simplesamlphp/www/module.php:137 (N/A)
The debugging log entries leading up to this failure show this:
Nov 17 13:14:32 simplesamlphp DEBUG [134d85d59d] Loading state: '_0b6f8ad0000e9b3cafc107aac391826798ccb266fd'
Nov 17 13:14:32 simplesamlphp DEBUG [134d85d59d] Received SAML2 Response from 'https://sts.windows.net/xxxx-xxxx-xxxx-xxxx-xxxx/'.
Nov 17 13:14:32 simplesamlphp DEBUG [134d85d59d] Has 3 candidate keys for validation.
Nov 17 13:14:32 simplesamlphp DEBUG [134d85d59d] Validation with key #0 failed without exception.
Nov 17 13:14:32 simplesamlphp DEBUG [134d85d59d] Validation with key #1 failed without exception.
Nov 17 13:14:32 simplesamlphp DEBUG [134d85d59d] Validation with key #2 failed without exception.
Nov 17 13:14:32 simplesamlphp DEBUG [134d85d59d] Has 3 candidate keys for validation.
Nov 17 13:14:32 simplesamlphp DEBUG [134d85d59d] Validation with key #0 failed with exception: Unable to validate Signature
Nov 17 13:14:32 simplesamlphp DEBUG [134d85d59d] Validation with key #1 failed with exception: Unable to validate Signature
Nov 17 13:14:32 simplesamlphp DEBUG [134d85d59d] Validation with key #2 failed with exception: Unable to validate Signature
Nov 17 13:14:32 simplesamlphp ERROR [134d85d59d] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Compare with this trace for a successful response from a different Azure AD:
Nov 17 13:30:11 simplesamlphp DEBUG [134d85d59d] Received SAML2 Response from 'https://sts.windows.net/yyyy-yyyy-yyyy-yyyy-yyyy/'.
Nov 17 13:30:11 simplesamlphp DEBUG [134d85d59d] Has 3 candidate keys for validation.
Nov 17 13:30:11 simplesamlphp DEBUG [134d85d59d] Validation with key #0 failed without exception.
Nov 17 13:30:11 simplesamlphp DEBUG [134d85d59d] Validation with key #1 failed without exception.
Nov 17 13:30:11 simplesamlphp DEBUG [134d85d59d] Validation with key #2 failed without exception.
Nov 17 13:30:11 simplesamlphp DEBUG [134d85d59d] Has 3 candidate keys for validation.
Nov 17 13:30:11 simplesamlphp DEBUG [134d85d59d] Validation with key #0 succeeded.
In both cases, the Signature in the SAML response is formed in the same way:
If anyone has any thoughts on what might be happening here, they would be gratefully received. We're adding more debug tracing into the signature processing, so if that turns up something I'll report back...
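When every candidate key fails, one thing worth checking before digging into the signature maths is whether the certificate the IdP embeds in the response's ds:KeyInfo is actually among the certificates the SP has configured for that IdP. The following Python script does that fingerprint comparison. It is an added example, not code from SimpleSAMLphp or from the post above; the SAML response, the certificate bytes and the tenant ID are constructed placeholders, and the script does not verify the signature itself, it only reports whether the key the IdP says it signed with is one the SP knows. If a response carries no KeyInfo at all, the report is empty and this check cannot be made.

```python
"""Compare the signing cert an IdP embeds in a SAML Response's KeyInfo with
the certs the SP has configured as candidate keys for that IdP.

Added example (not SimpleSAMLphp code). All sample data below is constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificate bytes. Real certificates are far
# longer, but a fingerprint is just a hash over the DER bytes, so the check
# works identically on real ones.
CERT_A = base64.b64encode(b"constructed DER bytes of IdP signing cert A").decode()
CERT_B = base64.b64encode(b"constructed DER bytes of IdP signing cert B").decode()
CERT_UNKNOWN = base64.b64encode(b"constructed DER bytes of a cert the SP lacks").decode()

# What the SP has in its remote IdP metadata for this entity (constructed).
CANDIDATE_CERTS = [CERT_A, CERT_B]


def _response_with(cert_b64: str) -> str:
    """Build a minimal constructed SAML Response whose Assertion signature
    carries cert_b64 in KeyInfo. Only the structure matters for this check,
    so SignatureValue is a placeholder and SignedInfo is empty."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/PLACEHOLDER-TENANT-ID/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/PLACEHOLDER-TENANT-ID/</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo/>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


RESPONSE_UNKNOWN_CERT = _response_with(CERT_UNKNOWN)
RESPONSE_KNOWN_CERT = _response_with(CERT_A)


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of a certificate given as base64 DER, with or
    without PEM armour lines and embedded whitespace (metadata often wraps
    the base64). Returned as upper-case colon-separated hex."""
    cleaned = "".join(
        line.strip()
        for line in cert_b64.strip().splitlines()
        if not line.strip().startswith("-----")
    ).replace(" ", "")
    der = base64.b64decode(cleaned)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certs_in_response(response_xml: str) -> list[str]:
    """Return every base64 cert found under a ds:Signature/ds:KeyInfo, at any
    depth (covers both a signed Response and a signed Assertion)."""
    root = ET.fromstring(response_xml)
    path = ".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return [el.text.strip() for el in root.iterfind(path, NS) if el.text]


def match_candidates(response_xml: str, candidate_certs: list[str]) -> list[dict]:
    """For each signing cert embedded in the response, report its fingerprint
    and whether it matches one of the SP's configured candidate certs."""
    configured = {fingerprint(c) for c in candidate_certs}
    report = []
    for cert in signing_certs_in_response(response_xml):
        fp = fingerprint(cert)
        report.append({"fingerprint": fp, "configured": fp in configured})
    return report


if __name__ == "__main__":
    print("Configured candidate fingerprints:")
    for c in CANDIDATE_CERTS:
        print("  ", fingerprint(c))
    for label, resp in [("failing", RESPONSE_UNKNOWN_CERT), ("working", RESPONSE_KNOWN_CERT)]:
        for entry in match_candidates(resp, CANDIDATE_CERTS):
            status = "known to SP" if entry["configured"] else "NOT in SP metadata"
            print(f"{label}: response signed with {entry['fingerprint']} ({status})")
```

To use this against a real failure, dump the raw Response the ACS endpoint received (SimpleSAMLphp's debug logging can do this) and feed it in place of the constructed response, with the certificates from the SP's remote IdP metadata as the candidate list; a fingerprint that appears in the response but not in the candidates points at stale or incomplete IdP metadata rather than at the signature algorithm.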