Receiving "Requester: Invalid signature" from IdP when we (SP) are using certificate & privatekey


Sahil Sharma

Dec 20, 2020, 3:28:13 PM
to SimpleSAMLphp
One of our clients is using Ping as their IdP and they needed an Authentication signature/SAML Certificate for their requests. So I created a certificate for our Service Provider using the instructions mentioned here (https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_1_1).
This created two files, saml.pem & saml.crt, and I shared the public saml.crt with the client, who then uploaded this certificate into their Ping IdP and shared their metadata.xml with us.
Now when I updated this metadata in our SP application, I am not even able to access the Ping login link from our application. Simplesamlphp breaks while trying to access that page. And in the logs I found this message, "Requester: Invalid signature".

Any help would be greatly appreciated.
Thanks

Peter Schober

Dec 20, 2020, 5:17:39 PM
to SimpleSAMLphp
* Sahil Sharma <sahilsh...@gmail.com> [2020-12-20 21:28]:
> One of our clients is using Ping as their IdP and they needed a
> Authentication signature/ SAML Certificate for their requests.

That doesn't make any sense:
What should an "Authentication signature/SAML Certificate" be?
And what are "their requests" this should be for?

Except for SLO an IDP does not send requests, it sends responses.
And even then the key pair or certificate an IDP would use to sign
their SLO requests would be the IDP's task, not yours.

> So I created a certificate for our Service Provider using the
> instructions mentioned here
> (https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_1_1).
> This created two files, saml.pem & saml.crt, and I shared the public
> saml.crt with the client, who then uploaded this certificate into
> their Ping IdP and shared their metadata.xml with us.

What party is "their metadata" that is being shared with you here?
The IDP's? Why would the IDP's metadata change as a result of your SP
now having a key pair (and consequently a certificate in *its* metadata)?

> Now when I updated this metadata in our SP application, I am not
> even able to access the Ping login link from our application.

Why update the IDP's metadata when only the SP metadata changed?

> Simplesamlphp breaks while trying to access that page. And in the
> logs I found this message, "Requester: Invalid signature".

I cannot make heads or tails of your earlier descriptions, so I am not
in a position to suggest concrete improvements.
What kind of SAML protocol message was this? An Authentication or
Logout request? This determines the possible "Requester" who
reportedly complained about an invalid signature.

Anyway, the simple fix is very likely to put the correct certificates
into all places (i.e., let the IDP have the SP's metadata, let the SP
have the IDP's metadata) and you'll no longer have "invalid signature"
errors.

-peter

Sahil Sharma

Dec 21, 2020, 12:56:57 AM
to SimpleSAMLphp
Apologies
After reading your response, my earlier question does seem a bit confusing. I'll try again.

IdP is not sending requests, we as SP are sending requests to IdP and this certificate is used to sign those requests.

And this is a new client, so this is the first time we are getting the IdP's metadata. That is why I mentioned that after they uploaded the public certificate saml.crt, they sent us their metadata.xml and we updated it in our system. Their metadata didn't change as a result of this certificate. We just got it for the first time.

This is a SAML 2.0 IdP remote. And this was definitely not a Logout request. The code below is where this breaks:

use SimpleSAML\Auth\Simple;

$authSimple = new Simple($authSource);
$authSimple->requireAuth();

We have shared SP's public saml.crt certificate, SP's Entity ID and SP's Assertion Consumer URL with the IdP and received IdP's metadata.xml in return.

Is there anything I can share with you from our logs which can help you in debugging this?
Thanks

Sahil Sharma

Dec 21, 2020, 2:18:40 AM
to SimpleSAMLphp
From logs

Dec 18 21:10:22 simplesamlphp DEBUG [7aec0d03b1] Sending SAML 2 AuthnRequest to 'https://ssoqa.paypalcorp.com'
Dec 18 21:10:22 simplesamlphp DEBUG [7aec0d03b1] Sending message:
Dec 18 21:10:22 simplesamlphp DEBUG [7aec0d03b1] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6a039724e99ccbb98d0804980f10c576f40cf3d02e" Version="2.0" IssueInstant="2020-12-18T21:10:22Z" Destination="https://ssoqa.paypalcorp.com/idp/SSO.saml2" AssertionConsumerServiceURL="https://sso-beta.zenarate.com/simplesaml/module.php/saml/sp/saml2-acs.php/paypal_qlj67r" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
Dec 18 21:10:22 simplesamlphp DEBUG [7aec0d03b1]   <saml:Issuer>https://sso-beta.zenarate.com/simplesaml/module.php/saml/sp/metadata.php/paypal_qlj67r</saml:Issuer>
Dec 18 21:10:22 simplesamlphp DEBUG [7aec0d03b1]   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
Dec 18 21:10:22 simplesamlphp DEBUG [7aec0d03b1] </samlp:AuthnRequest>
Dec 18 21:10:22 simplesamlphp DEBUG [7aec0d03b1] Redirect to 1300 byte URL: https://ssoqa.paypalcorp.com/idp/SSO.saml2?SAMLRequest=.......
Dec 18 21:10:25 simplesamlphp DEBUG [7aec0d03b1] Received message:

The received message has XML which contains a block called
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
<samlp:StatusMessage>Invalid signature</samlp:StatusMessage></samlp:Status>

After the received message, the logs have this error backtrace:
Dec 18 21:10:25 simplesamlphp DEBUG [7aec0d03b1] Received SAML2 Response from 'https://ssoqa.paypalcorp.com'.
Dec 18 21:10:25 simplesamlphp ERROR [7aec0d03b1] SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Dec 18 21:10:25 simplesamlphp ERROR [7aec0d03b1] Backtrace:
Dec 18 21:10:25 simplesamlphp ERROR [7aec0d03b1] 1 /simplesamlphp-sp/www/_include.php:17 (SimpleSAML_exception_handler)
Dec 18 21:10:25 simplesamlphp ERROR [7aec0d03b1] 0 [builtin] (N/A)
Dec 18 21:10:25 simplesamlphp ERROR [7aec0d03b1] Caused by: SimpleSAML\Module\saml\Error: Requester: Invalid signature
Dec 18 21:10:25 simplesamlphp ERROR [7aec0d03b1] Backtrace:
Dec 18 21:10:25 simplesamlphp ERROR [7aec0d03b1] 4 /simplesamlphp-sp/modules/saml/lib/Message.php:484 (SimpleSAML\Module\saml\Message::getResponseError)
Dec 18 21:10:25 simplesamlphp ERROR [7aec0d03b1] 3 /simplesamlphp-sp/modules/saml/lib/Message.php:616 (SimpleSAML\Module\saml\Message::processResponse)
Dec 18 21:10:25 simplesamlphp ERROR [7aec0d03b1] 2 /simplesamlphp-sp/modules/saml/www/sp/saml2-acs.php:141 (require)
Dec 18 21:10:25 simplesamlphp ERROR [7aec0d03b1] 1 /simplesamlphp-sp/lib/SimpleSAML/Module.php:260 (SimpleSAML\Module::process)
Dec 18 21:10:25 simplesamlphp ERROR [7aec0d03b1] 0 /simplesamlphp-sp/www/module.php:10 (N/A)

Tim van Dijen

Dec 21, 2020, 4:30:39 AM
to SimpleSAMLphp
OK, so the IDP is refusing the signature sent by the SP for the AuthnRequest.
Either they have not properly processed your certificate/metadata on their end, or they are expecting a different signature algorithm.
See what they're expecting and configure your SP to use that algorithm.

- Tim

On Monday, 21 December 2020 at 08:18:40 UTC+1, sahilsh...@gmail.com wrote:
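To make concrete what the IdP is rejecting here, the following is an added example (written for this thread, not code from the original posts or from SimpleSAMLphp). The log above shows the AuthnRequest leaving as a redirect to "...?SAMLRequest=...", i.e. the HTTP-Redirect binding, where the signature does not sit inside the XML but covers the literal query fragment SAMLRequest=...&RelayState=...&SigAlg=... and the IdP verifies it with the SP certificate it has on file. The script reproduces both sides: it signs a constructed AuthnRequest the way the SP does, then verifies it with the right certificate, with a different certificate (the case where the IdP still holds another cert or never loaded the new one), with an algorithm policy that excludes the SigAlg used, and with a tampered RelayState. Key pairs are generated in memory; entity IDs, hostnames and the request body are invented placeholders. Assumes PHP 8 with ext-openssl and ext-zlib.

```php
<?php
// Added example: HTTP-Redirect binding signing (SP side) and verification (IdP side).
// Not part of the thread or of SimpleSAMLphp; all names and URLs are placeholders.

const SIGALG_RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
const SIGALG_RSA_SHA1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';

// SigAlg URI -> OpenSSL digest. Anything else is rejected, as a verifier should.
function digestForSigAlg(string $sigAlg): int
{
    return match ($sigAlg) {
        SIGALG_RSA_SHA256 => OPENSSL_ALGO_SHA256,
        SIGALG_RSA_SHA1   => OPENSSL_ALGO_SHA1,
        default => throw new InvalidArgumentException("unsupported SigAlg: $sigAlg"),
    };
}

// The signed octets (SAML 2.0 Bindings, 3.4.4.1), built from the URL-encoded
// values exactly as they appear in the query string.
function signedData(string $encRequest, ?string $encRelayState, string $encSigAlg): string
{
    $data = 'SAMLRequest=' . $encRequest;
    if ($encRelayState !== null) {
        $data .= '&RelayState=' . $encRelayState;
    }
    return $data . '&SigAlg=' . $encSigAlg;
}

// SP side: DEFLATE + base64 the XML, sign the query fragment, append Signature.
function signRedirectQuery(string $xml, ?string $relayState, string $sigAlg, $privateKey): string
{
    $encRequest = urlencode(base64_encode(gzdeflate($xml)));
    $data = signedData($encRequest, $relayState === null ? null : urlencode($relayState), urlencode($sigAlg));
    if (!openssl_sign($data, $sig, $privateKey, digestForSigAlg($sigAlg))) {
        throw new RuntimeException('openssl_sign failed');
    }
    return $data . '&Signature=' . urlencode(base64_encode($sig));
}

// Split a raw query string without decoding, so the signed octets are re-derived
// from what was actually sent rather than from a re-encoding.
function rawQueryParams(string $query): array
{
    $params = [];
    foreach (explode('&', $query) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $params[$k] = $v;
    }
    return $params;
}

// IdP side. True only if SigAlg is allowed by policy and the SP certificate on
// file verifies the signature over the untouched query fragment.
function verifyRedirectQuery(string $query, string $spCertPem, array $allowedSigAlgs): bool
{
    $p = rawQueryParams($query);
    if (!isset($p['SAMLRequest'], $p['SigAlg'], $p['Signature'])) {
        return false;
    }
    $sigAlg = urldecode($p['SigAlg']);
    if (!in_array($sigAlg, $allowedSigAlgs, true)) {
        return false;   // the "expecting a different signature algorithm" case
    }
    $data = signedData($p['SAMLRequest'], $p['RelayState'] ?? null, $p['SigAlg']);
    $sig  = base64_decode(urldecode($p['Signature']), true);
    $pub  = openssl_pkey_get_public($spCertPem);
    if ($sig === false || $pub === false) {
        return false;
    }
    return openssl_verify($data, $sig, $pub, digestForSigAlg($sigAlg)) === 1;
}

// In-memory RSA key pair plus self-signed certificate (stand-in for saml.pem / saml.crt).
function makeSpIdentity(string $cn): array
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $crt = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
    openssl_x509_export($crt, $certPem);
    return [$key, $certPem];
}

[$spKey, $spCert] = makeSpIdentity('sp.example.org');   // what the SP signs with
[, $otherCert]    = makeSpIdentity('sp.example.org');   // e.g. an older cert still loaded at the IdP

// Constructed AuthnRequest; shape follows the one in the log, identifiers invented.
$authn = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" '
       . 'Version="2.0" IssueInstant="2020-12-18T21:10:22Z" Destination="https://idp.example.com/idp/SSO.saml2"/>';

$query = signRedirectQuery($authn, 'https://sp.example.org/app', SIGALG_RSA_SHA256, $spKey);

var_dump(verifyRedirectQuery($query, $spCert, [SIGALG_RSA_SHA256]));      // certificate on file matches
var_dump(verifyRedirectQuery($query, $otherCert, [SIGALG_RSA_SHA256]));   // IdP holds a different certificate
var_dump(verifyRedirectQuery($query, $spCert, [SIGALG_RSA_SHA1]));        // IdP policy excludes the SigAlg used
var_dump(verifyRedirectQuery(str_replace('RelayState=', 'RelayState=x', $query), $spCert, [SIGALG_RSA_SHA256])); // RelayState altered
```

Only the first call verifies; the other three are the conditions that produce a Requester status with "Invalid signature" (or an equivalent rejection) at the IdP, and none of them is visible on the SP side beyond that status message. Two practical consequences: compare the certificate in the SP's published metadata (the KeyDescriptor) byte-for-byte with the one loaded into the IdP, and ask the IdP operator which SigAlg URIs they accept rather than guessing.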

Sahil Sharma

Dec 21, 2020, 4:48:27 AM
to simple...@googlegroups.com
How can I change our signature algorithm? I just used the openssl command mentioned in the SimpleSAMLphp installation docs. Any resources on this would be appreciated.
Thanks

You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/simplesamlphp/bd587c77-d607-4581-b866-37f7c881023en%40googlegroups.com.
--
Sahil Sharma

Tim van Dijen

Dec 21, 2020, 5:02:50 AM
to SimpleSAMLphp
See 'signature.algorithm' in the SP documentation.

- Tim

On Monday, 21 December 2020 at 10:48:27 UTC+1, sahilsh...@gmail.com wrote:
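For readers landing on this thread, an added example (not from the posts above or from the SimpleSAMLphp docs) of where that option lives: the SP entry in config/authsources.php. The entityID, idp value and certificate file names are placeholders; the option names are the documented SimpleSAMLphp ones.

```php
<?php
// config/authsources.php, SP entry (added example; entityID, idp and paths are placeholders)
$config = [
    'default-sp' => [
        'saml:SP',
        'entityID' => 'https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp',

        // entityID of the IdP as listed in metadata/saml20-idp-remote.php
        'idp' => 'https://idp.example.com',

        // Key pair created with the openssl command from the SP docs, placed under cert/
        'privatekey'  => 'saml.pem',
        'certificate' => 'saml.crt',

        // Sign outgoing AuthnRequests so the IdP can verify them against saml.crt
        'sign.authnrequest' => true,

        // Must be one of the algorithms the IdP accepts. rsa-sha256 is the sensible
        // default; fall back to rsa-sha1 only if the IdP insists on it.
        'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        // 'signature.algorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
    ],
];
```

Changing the algorithm does not change the certificate, so the IdP side needs no new upload for that; changing the key pair does, and the SP's metadata URL (the Issuer value in the log above) is the authoritative place to read back which certificate the SP is actually publishing before handing it to the IdP operator.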