Reference validation failed using simpleSAMLphp as SP to Sun OpenSSO idP


Shari Harper

Jul 30, 2013, 5:10:35 PM
to simple...@googlegroups.com
I'm getting a "Reference validation failed" error when attempting to authenticate simpleSAMLphp as an SP with Sun's OpenSSO IdP. Sample request and response are below, as well as log info. Was hoping someone may be able to give a newbie some pointers on what the problem may be?

Thanks!


PHP Version 5.3.24
libxml Version 2.7.6


<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_f73604b02c5c46086fdaf7217e486ff9bc77069262"
                    Version="2.0"
                    IssueInstant="2013-07-30T17:44:38Z"
                    AssertionConsumerServiceURL="https://spserverexample.com/simpleSAML/module.php/saml/sp/saml2-acs.php/default-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        AllowCreate="true"
                        />
</samlp:AuthnRequest>




<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="s298390df7cd0f3cc5ec7bf701f9fc1f61204d9349"
                InResponseTo="_f73604b02c5c46086fdaf7217e486ff9bc77069262"
                Version="2.0"
                IssueInstant="2013-07-30T17:44:39Z"
                >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idpserverexample.com</saml:Issuer>
    <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                          Value="urn:oasis:names:tc:SAML:2.0:status:Success"
                          />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="s269c1aec3d7d4f02963eee265a63ca518d2ff13ab"
                    IssueInstant="2013-07-30T17:44:39Z"
                    Version="2.0"
                    >
        <saml:Issuer>idpserverexample.com</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#s269c1aec3d7d4f02963eee265a63ca518d2ff13ab">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>7yA//9MU5gbJDCLYv1coPBpGXbI=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
pvEkcYTkZGcubIbFqjYyAyEvl1iYA5ykfRsWnkru2moQi7IZ+FbwL5gXnFWREtA0weBuwxNCecgu
rcoAfmKN+OBCj1/Dhhao9w92o+vE775wnVz17dNOzZXsbE3zXg8y9gN/3apb+0UxBkP+ZSrgDipM
-----snip-----
hDkQ8/Jhei/tEpzuC3mDdvDZspgHWIw0ce6gNe58wYw0L4VEQWQdoceyOpglSO0IfyFSX+vHKO/S
FcDxeqFKBGM/cbyf5zODggMa0nRZ/w0sPVrv/w==
</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
MIIFNTCCBB2gAwIBAgIETBsZhDANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNV
BAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jw
-----snip-----
MdXPn9Hm2SDeyvwEl58byM0hJQzC8san+/jtTEFhwtBHZJsob9OIJ5lwMF1nUyux4mWpfILssQ3M
Piyp6IThAKsLTv2Qz+Xd5kgcyBK83wY6IHeQ2HpN+kfATurk/NPkpO7GjJjlTSZHbTjzOeRCIazZ
wEIr4QN5IlfnVXLHF0Bw+EmaRHSzp8ajBcA=
</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                         NameQualifier="idpserverexample.com"
                         >UjgtMI4QF8+qbF2dsTaoOTVT/gLY</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="_f73604b02c5c46086fdaf7217e486ff9bc77069262"
                                              NotOnOrAfter="2013-07-30T17:54:39Z"
                                              Recipient="https://spserverexample.com/simpleSAML/module.php/saml/sp/saml2-acs.php/default-sp"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2013-07-30T17:34:39Z"
                         NotOnOrAfter="2013-07-30T17:54:39Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>https://spserverexample.com/simpleSAML/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2013-07-30T16:30:26Z"
                             SessionIndex="s29d174765cd301582d385cc0c419adcd62fc86601"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="lastName">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >XXXXXXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="email">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >XXXXXXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="firstName">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >XXXXXXX</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>



SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /data/web/scripts/phpSAML/www/module.php:180 (N/A)
Caused by: Exception: Reference validation failed
Backtrace:
8 /data/web/scripts/phpSAML/lib/xmlseclibs.php:1056 (XMLSecurityDSig::validateReference)
7 /data/web/scripts/phpSAML/lib/SAML2/Utils.php:52 (SAML2_Utils::validateElement)
6 /data/web/scripts/phpSAML/lib/SAML2/Assertion.php:469 (SAML2_Assertion::parseSignature)
5 /data/web/scripts/phpSAML/lib/SAML2/Assertion.php:240 (SAML2_Assertion::__construct)
4 /data/web/scripts/phpSAML/lib/SAML2/Response.php:37 (SAML2_Response::__construct)
3 /data/web/scripts/phpSAML/lib/SAML2/Message.php:471 (SAML2_Message::fromXML)
2 /data/web/scripts/phpSAML/lib/SAML2/HTTPPost.php:76 (SAML2_HTTPPost::receive)
1 /data/web/scripts/phpSAML/modules/saml/www/sp/saml2-acs.php:16 (require)
0 /data/web/scripts/phpSAML/www/module.php:135 (N/A)



Marco Ferrante

Aug 1, 2013, 2:24:12 AM
to simple...@googlegroups.com
The message "Reference validation failed" is raised when the signature
is not validated.

On 30/07/2013 23:10, Shari Harper wrote:
> I'm getting a "Reference validation failed" error when attempting to
> authenticate simpleSAMLphp as a SP with Sun's OpenSSO idP. Sample
> request and response are below as well as log info. Was hoping someone
> may be able to give a newbie some pointers on what the problem may be?
>
> Thanks!
>...

Brenda Thompson

Aug 1, 2013, 11:37:36 AM
to simple...@googlegroups.com

If you look at this doc: http://www.w3.org/TR/xmldsig-core

You will find this:

"The required SignedInfo element is the information that is actually signed. Core validation of SignedInfo consists of two mandatory processes: validation of the signature over SignedInfo and validation of each Reference digest within SignedInfo. Note that the algorithms used in calculating the SignatureValue are also included in the signed information while the SignatureValue element is outside SignedInfo."

From the error you received (Reference validation failed) it should be failing the "validation of each Reference digest within SignedInfo".

"Validation, Reference" is defined as:

"The hash value of the identified and transformed content, specified by Reference, matches its specified DigestValue."

Your algorithm is sha1:

                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>7yA//9MU5gbJDCLYv1coPBpGXbI=</ds:DigestValue>

So the result from the sha1 hash didn't match the digest value passed in.

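As an added example (not code from this thread, nor from simpleSAMLphp or xmlseclibs), a small PHP script that performs the Reference check described above offline: resolve the URI="#ID" target, drop the enveloped ds:Signature, canonicalize with the Reference's C14N transform, hash with its DigestMethod and compare to DigestValue. The input path is an assumption; the file must contain the Response bytes exactly as the SP received them, not a copy pretty-printed by a browser or editor.

```php
<?php
// Added diagnostic, not code from the thread or from simpleSAMLphp/xmlseclibs.
// Assumption: $argv[1] (default response.xml) holds the Response bytes as received.
$path = $argv[1] ?? 'response.xml';
$doc = new DOMDocument();
$doc->preserveWhiteSpace = true;   // whitespace between elements is digested too
if (!$doc->loadXML((string) file_get_contents($path))) {
    fwrite(STDERR, "cannot parse $path\n");
    exit(1);
}
$xp = new DOMXPath($doc);
$xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
$digestAlgos = [
    'http://www.w3.org/2000/09/xmldsig#sha1'  => 'sha1',
    'http://www.w3.org/2001/04/xmlenc#sha256' => 'sha256',
];
$exitCode = 0;
foreach (iterator_to_array($xp->query('//ds:Signature')) as $sig) {
    $ref      = $xp->query('ds:SignedInfo/ds:Reference', $sig)->item(0);
    $uri      = $ref->getAttribute('URI');
    $expected = trim($xp->query('ds:DigestValue', $ref)->item(0)->textContent);
    $algoUri  = $xp->query('ds:DigestMethod', $ref)->item(0)->getAttribute('Algorithm');
    // Exclusive C14N only if the Reference lists that transform; else inclusive C14N.
    $exclusive = false;
    foreach ($xp->query('ds:Transforms/ds:Transform', $ref) as $t) {
        if ($t->getAttribute('Algorithm') === 'http://www.w3.org/2001/10/xml-exc-c14n#') {
            $exclusive = true;
        }
    }
    // Same-document reference: URI="#ID" names the element whose content is digested.
    $id     = preg_replace('/[^A-Za-z0-9_.-]/', '', ltrim($uri, '#'));
    $target = $xp->query("//*[@ID='$id']")->item(0);
    if ($target === null || !isset($digestAlgos[$algoUri])) {
        echo "Reference $uri: unresolvable target or unsupported digest $algoUri\n";
        $exitCode = 2;
        continue;
    }
    // Enveloped-signature transform: the Signature element is removed before hashing.
    $sig->parentNode->removeChild($sig);
    $c14n     = $target->C14N($exclusive, false);
    $computed = base64_encode(hash($digestAlgos[$algoUri], $c14n, true));
    $ok = hash_equals($expected, $computed);
    printf("Reference %s\n  DigestValue: %s\n  recomputed : %s\n  => %s\n",
        $uri, $expected, $computed, $ok ? 'MATCH' : 'MISMATCH');
    if (!$ok) {
        $exitCode = 1;
    }
}
exit($exitCode);
```

A MISMATCH means the bytes being digested differ from what the IdP signed (typically whitespace, encoding or namespace declarations altered somewhere between the IdP and this file); a MATCH means the digest is fine and the certificate held in the SP's IdP metadata is the next thing to verify.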
 
 

Shari Harper

Aug 2, 2013, 10:58:58 AM
to simple...@googlegroups.com, brenda....@azukisystems.com
Thank you so much, this is all pretty new to me so I really appreciate your guidance on that!

Peter Schober

Aug 2, 2013, 12:02:33 PM
to simple...@googlegroups.com
* Shari Harper <sharily...@gmail.com> [2013-08-02 16:59]:
> Thank you so much, this is all pretty new to me so I really appreciate
> your guidance on that!

You shouldn't need to know any of that only to federate with SAML.

You should know how to resolve a failing signature validation,
though. Since the validation failed at the SP, check the metadata you
have from the IdP and verify it's correct with the IdP.
-peter

Sebastian Gonzalez

Sep 9, 2015, 2:41:31 PM
to SimpleSAMLphp
Hi Shari, have you ever fixed this problem? I am facing the same issue...