Certification problems


Oliver Müller

Apr 6, 2008, 2:38:43 PM
to simple...@googlegroups.com
I need some help. I always get this message:

Unable to validate Signature
#0 /intproj/users/oliver/simplesamlphp/lib/SimpleSAML/XML/SAML20/AuthnResponse.php(179): SimpleSAML_XML_Validator->__construct(Object(DOMDocument), 'ID')
#1 /intproj/users/oliver/simplesamlphp/lib/SimpleSAML/XML/SAML20/AuthnResponse.php(403): SimpleSAML_XML_SAML20_AuthnResponse->validateSignature()
#2 /intproj/users/oliver/simplesamlphp/www/saml2/sp/AssertionConsumerService.php(181): SimpleSAML_XML_SAML20_AuthnResponse->process()
#3 {main}


I set up the metadata and entered a certFingerprint as well as a certificate
file name, but simplesaml is not able to find the correct cert?!?

Any ideas?

If I enter the certificate content into the xmlseclibs.php file (function
verifyOpenSSL, replacing $this->key) it will work.

Thanks in advance...
Oliver


Andreas Åkre Solberg

Apr 7, 2008, 2:58:46 AM
to simple...@googlegroups.com

On 6 April 2008 at 20:38, Oliver Müller wrote:

> Any ideas?

What software are you using at the IdP side?

Can you somehow get an example of the authentication response that is
sent to simpleSAMLphp, and paste it to the list?

TEQneers - Oliver Mueller

Apr 7, 2008, 3:10:59 AM
to simple...@googlegroups.com
The IdP is a Ping Identity server.

Because the response is from one of our customers, I would keep it
confidential and cannot post it to the list.

Is there any way to look into simplesaml (maybe by debugging) and check
whether it's a misconfiguration, incompatibility or a bug?!?

thnx


Paul Hethmon

Apr 7, 2008, 9:41:30 AM
to SimpleSAMLphp
One thing I had to do which I had not done in my IdP before was to include the IdP public certificate in the response to the SP. The behavior prior to the 1.0 release is to require the public certificate in the response. SimpleSAMLphp then computes the signature from that cert and compares it to the fingerprint in the configuration file. I had not included the cert in my responses before and it could be that your IdP does not either.

Paul

Andreas Åkre Solberg

Apr 7, 2008, 6:37:06 PM
to simple...@googlegroups.com

On 7 April 2008 at 16:41, Paul Hethmon wrote:

> One thing I had to do which I had not done in my IdP before was to include the IdP public certificate in the response to the SP. The behavior prior to the 1.0 release is to require the public certificate in the response. SimpleSAMLphp then computes the signature from that cert and compares it to the fingerprint in the configuration file. I had not included the cert in my responses before and it could be that your IdP does not either.
>
> Paul

Thanks Paul, you are right. Oliver, can this be the cause of your troubles?

Is there any IdP that, with its default configuration, does not send the certificate inline in the response? If so, it will be easy for us to extend simplesamlphp to handle this better. We can optionally allow including the full certificate in the idp-remote metadata file.

Paul Hethmon

Apr 7, 2008, 7:15:34 PM
to SimpleSAMLphp
I will just add here my reasoning for not sending the certificate in the response. As an SP, I cannot trust what is sent in the response unless I can validate the signature using information outside of the response. So while simpleSAMLphp checks the fingerprint of the included certificate against configuration (which is fully valid), I just don’t see a reason to send the certificate in the first place. Why send those bytes each time just to compute the fingerprint? Instead, the approach I took with my SP is to have the certificate read by configuration. In my case, I actually read it typically from a URL, but it’s a URL that the SP is configured to trust. It reads it one time and then caches the information. So from that point on, the SP can validate the signatures without needing the certificate in the response. Even if there were one there, it would ignore it.

Paul
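The two trust models in this thread, the fingerprint check of an embedded certificate that Paul describes in his earlier post and the configuration-loaded certificate he argues for here, as an added example that is not simpleSAMLphp's or Paul's code. The response skeleton, the "DER" bytes and all function names are constructed for the example; the signature itself is not verified here, only the decision of which certificate a verifier may trust.

```python
# Added example, not simpleSAMLphp's own code: which certificate may an SP
# trust when verifying a SAML response signature? The two models discussed:
#  1. cert embedded in <ds:KeyInfo>, accepted only if its SHA-1 fingerprint
#     matches one configured out of band (simpleSAMLphp's behaviour then);
#  2. cert loaded from local SP configuration; anything embedded is ignored.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_CERT_DER = b"constructed-idp-certificate-der-bytes"
# Constructed, minimal response skeleton carrying that "certificate".
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="{DS_NS}"><ds:Signature><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"""


def normalize_fingerprint(fp: str) -> str:
    """'AB:CD:ef' and 'abcdef' must compare equal."""
    return fp.replace(":", "").replace(" ", "").lower()

def sha1_fingerprint(der: bytes) -> str:
    return hashlib.sha1(der).hexdigest()

def embedded_certificate(response_xml: str) -> Optional[bytes]:
    """DER bytes of the first ds:X509Certificate in the response, or None."""
    node = ET.fromstring(response_xml).find(f".//{{{DS_NS}}}X509Certificate")
    if node is None or not (node.text or "").strip():
        return None
    return base64.b64decode("".join(node.text.split()))

def select_verification_cert(response_xml: str,
                             configured_cert_der: Optional[bytes] = None,
                             configured_fingerprint: Optional[str] = None) -> bytes:
    """Return the certificate a signature check may use, or raise (model 2 wins)."""
    if configured_cert_der is not None:
        return configured_cert_der          # response content is ignored entirely
    cert = embedded_certificate(response_xml)
    if cert is None or configured_fingerprint is None:
        raise ValueError("Unable to validate Signature: no trusted certificate")
    expected = normalize_fingerprint(configured_fingerprint)
    if not hmac.compare_digest(sha1_fingerprint(cert), expected):
        raise ValueError("Unable to validate Signature: fingerprint mismatch")
    return cert
```

With neither a local certificate nor an embedded one that matches the configured fingerprint, the function fails the same way the thread's "Unable to validate Signature" errors do.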

Oliver Mueller

Apr 11, 2008, 5:34:28 AM
to simpleSAMLphp
I have to agree with Paul's answer. It does not make sense to include
the verification object with the request. That would make signing
senseless.

The other problem is that I have no access to the IdP anyway and
thus cannot change the post.

Where should the key be loaded to the xmlseclibs.php??? I tried
everything by now and added debug output to any place where the
attribute "key" will be set, but there is nothing that is calling such
methods?!? Is it possible that this function is not included yet?




Andreas Åkre Solberg

Apr 18, 2008, 1:30:44 AM
to simple...@googlegroups.com

On 11 April 2008 at 11:34, Oliver Mueller wrote:

> I have to agree to Paul's answer. It does not make sense to include
> the verification object with the request. That would make signing
> senseless.

Including the certificate is a must when you run a CA and want the signer
to be able to change certificates without updating metadata.

The certificate that is included is checked against the fingerprint in
the metadata, which is an OK way to do signing verification.

However, I totally agree that we should support including the
certificate in metadata, and support the certificate not being included
in the message. And actually, the Danish developer Mads Freek told me
he has a fix for this. We hope to commit it during today.

Andreas Åkre Solberg

Apr 18, 2008, 1:37:35 AM
to simple...@googlegroups.com

On 8 April 2008 at 01:15, Paul Hethmon wrote:

> I will just add here my reasoning for not sending the certificate in the response. As an SP, I cannot trust what is sent in the response unless I can validate the signature using information outside of the response. So while simpleSAMLphp checks the fingerprint of the included certificate against configuration (which is fully valid), I just don’t see a reason to send the certificate in the first place. Why send those bytes each time just to compute the fingerprint? Instead, the approach I took with my SP is to have the certificate read by configuration. In my case, I actually read it typically from a URL, but it’s a URL that the SP is configured to trust. It reads it one time and then caches the information. So from that point on, the SP can validate the signatures without needing the certificate in the response. Even if there were one there, it would ignore it.

Fully agreed.

As I said in another email, Mads Freek has a fix for this, and we hope to commit it today. I'll send a notice on the mailinglist when this is ready.

Oliver Müller

Apr 18, 2008, 5:24:25 AM
to simple...@googlegroups.com
After some discussions with our IdP, we were able to get the certificate
included within every response. It seems to be possible to tell the PingIdentity
server to include this. GREAT. IT'S WORKING :-)

When a signer is changing certificates, SPs must get the certificate anyway.
They need to calculate the fingerprint and have to change the config.
Using local certs would be a really nice feature. Looking forward to your
commit, because our IdP would like to switch back and remove the cert from
the responses as soon as it works without it.

Thnx for support!!!



Paul Hethmon

Apr 18, 2008, 9:00:58 AM
to SimpleSAMLphp
Right. Since the fingerprint has to be put into the local SP configuration
information by an outside channel (i.e. not the response), it makes sense to
just go ahead and put the certificate there in the first place.

Paul



Nicholas Amon

Sep 3, 2014, 3:59:31 PM
to simple...@googlegroups.com
It looks like this wasn't committed? I have an IdP that is not sending the certificate with the assertion response, and the SAML 1.0 ACS is failing to validate it with the following error:

Caused by: Exception: Unable to validate Signature
Sep 03 19:24:12 simplesamlphp ERROR [877eb7c36c] 3 simplesaml/lib/SimpleSAML/XML/Validator.php:120 (SimpleSAML_XML_Validator::__construct)
Sep 03 19:24:12 simplesamlphp ERROR [877eb7c36c] 2 simplesaml/lib/SimpleSAML/XML/Shib13/AuthnResponse.php:85 (SimpleSAML_XML_Shib13_AuthnResponse::validate)

Any ideas?

Thanks

Jaime Pérez Crespo

Sep 22, 2014, 10:03:37 AM
to simple...@googlegroups.com
Hi Nicholas,

On 03 Sep 2014, at 21:59 pm, Nicholas Amon <nichol...@gmail.com> wrote:
> It looks like this wasn't committed? I have an IdP that is not sending the certificate with the assertion response and the SAML 1.0 ACS is failing to validate it with the following error:
>
> Caused by: Exception: Unable to validate Signature
> Sep 03 19:24:12 simplesamlphp ERROR [877eb7c36c] 3 simplesaml/lib/SimpleSAML/XML/Validator.php:120 (SimpleSAML_XML_Validator::__construct)
> Sep 03 19:24:12 simplesamlphp ERROR [877eb7c36c] 2 simplesaml/lib/SimpleSAML/XML/Shib13/AuthnResponse.php:85 (SimpleSAML_XML_Shib13_AuthnResponse::validate)
>
> Any ideas?

Don’t rely on PKI for that. As far as I know, SimpleSAMLphp does not support that, and neither do other products. Almost everybody uses self-signed certificates for this, as the trust is not on a third-party, but in the metadata you consume.

That said, your problem is probably due to a misconfiguration of SimpleSAMLphp. Make sure that the certificate they are using to sign responses is the same you have configured in your remote metadata.

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
