Shibboleth and Exception: Unable to validate Signature


Higo Felipe

Apr 23, 2014, 6:53:56 PM
to simple...@googlegroups.com
Hello,

I added a Shibboleth IdP as a remote IdP to a well-configured SimpleSAMLphp SP (saml20-idp-remote.php). When I select the IdP (Authentication -> Test configured authentication sources -> default-sp -> GID Lab), I can get to the Shibboleth login screen normally.

But when I try to log in, an error message appears:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Unable to validate Signature
Backtrace:
6 /var/simplesamlphp/lib/SAML2/Utils.php:149 (SAML2_Utils::validateSignature)
5 [builtin] (call_user_func)
4 /var/simplesamlphp/lib/SAML2/Message.php:210 (SAML2_Message::validate)
3 /var/simplesamlphp/modules/saml/lib/Message.php:185 (sspmod_saml_Message::checkSign)
2 /var/simplesamlphp/modules/saml/lib/Message.php:514 (sspmod_saml_Message::processResponse)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:81 (require)
0 /var/simplesamlphp/www/module.php:135 (N/A)


What could be wrong on my configuration?

Best regards,

H.

Peter Schober

Apr 24, 2014, 4:20:24 AM
to simple...@googlegroups.com
* Higo Felipe <higof...@gmail.com> [2014-04-24 00:54]:
> I added an IdP Shibboleth as a remote IdP for a well configured SP
> SimpleSAMLphp(*saml20-idp-remote.php*).

How exactly did you do that?

> Caused by: Exception: Unable to validate Signature

Seems the IDP signed the SAML assertion (or response) with a key that
SSP does not have available. So I'd say the metadata you have for the
IDP is wrong. (Or the other way round: The IDP is misconfigured and
does not use what it publishes in metadata to you.)
-peter

Higo Felipe

Apr 24, 2014, 2:09:28 PM
to simple...@googlegroups.com, peter....@univie.ac.at
> How exactly did you do that?

I converted the SAML metadata to PHP metadata, using the SSP's native parser.

> > Caused by: Exception: Unable to validate Signature
>
> Seems the IDP signed the SAML assertion (or response) with a key that
> SSP does not have available. So I'd say the metadata you have for the
> IDP is wrong. (Or the other way round: The IDP is misconfigured and
> does not use what it publishes in metadata to you.)
> -peter

So, how can I fix this?

Peter Schober

Apr 24, 2014, 2:12:35 PM
to simple...@googlegroups.com
* Higo Felipe <higof...@gmail.com> [2014-04-24 20:09]:
> So, how can I fix this?

The only thing we "know" is that the certificate you have in metadata
for the IDP does not match the signature created by the IDP.
So either the metadata is wrong or the IDP is misconfigured.
Both probably involve checking with the IDP.
-peter

Higo Felipe

Apr 25, 2014, 3:21:17 PM
to simple...@googlegroups.com, peter....@univie.ac.at
Peter, I redid the process, and the error persists. I'm sending my metadata files to help troubleshoot the problem.

SAML.xml
saml20-idp-remote.php

Peter Schober

Apr 26, 2014, 2:18:13 PM
to simple...@googlegroups.com
No need to Cc me on every email, I'm following this list.

* Higo Felipe <higof...@gmail.com> [2014-04-25 21:21]:
> Peter, I redid the process, and the error persists. I'm sending my metadata
> files to help troubleshoot the problem.

The metadata for the IDP is wrong. The SAML 2.0 metadata you sent is
not schema-valid, due to an incorrect X509Certificate in the
IDPSSODescriptor.
You'll notice that it is not exactly the same as in the
AttributeAuthorityDescriptor because the first two characters are
missing ("MI..."). If you add those (to match the cert in the AA role)
the metadata validates and I fully expect your signature validation
problem in SSP to disappear then (i.e., after you fix it in your
saml20-idp-remote.php as well, or reimport the SAML 2.0 metadata to
achieve the same thing).

This is likely the result of a copy&paste error, since I doubt the
Shibboleth IDP software would make such an error and that this would
have gone unnoticed so far.

Unrelated to this problem but still an issue: the "FedLABSAC" IDP you
also list in your saml20-idp-remote.php seems to be using the old
SimpleSAMLphp /default/ keypair, to which the private key is published
in the public source repository. Obviously using a private key that is
widely published and available on the Internet will not give you any
real security. So this IDP should get itself a new keypair ASAP.
-peter
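A quick sanity check for the two problems Peter points out above (an X509Certificate in the IDPSSODescriptor that lost its leading "MI" characters, and an IdP whose certificate belongs to a keypair whose private key is public). This is an added example, not code from the thread or from SimpleSAMLphp or Shibboleth, and it uses only the Python standard library. It decodes every ds:X509Certificate in each role descriptor of a SAML 2.0 metadata file, checks that the bytes form one complete DER SEQUENCE (which is the outer shape of every certificate; a base64 string with characters cut off the front either fails to decode or decodes to bytes that do not start with 0x30), reports a SHA-1 fingerprint per role so the IDPSSODescriptor and AttributeAuthorityDescriptor keys can be compared with each other and with the 'X509Certificate' value in saml20-idp-remote.php, and flags any fingerprint found in a caller-supplied set of known published keys. The metadata document, the entityID and the certificate bytes below are constructed stand-ins, not the files attached to the thread, and the set of published-key fingerprints is left to the caller because none is given in the thread.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def der_check(data: bytes):
    """Return None if `data` is exactly one complete DER SEQUENCE (the outer
    shape of every X.509 certificate), otherwise a short error string.
    A certificate whose base64 lost leading characters fails here even when
    the shifted base64 happens to decode without a padding error."""
    if len(data) < 2 or data[0] != 0x30:
        return "does not start with the DER SEQUENCE tag 0x30"
    first = data[1]
    if first < 0x80:                      # short-form length
        header, body_len = 2, first
    else:                                 # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return "malformed DER length"
        header = 2 + n
        body_len = int.from_bytes(data[2:header], "big")
    if header + body_len != len(data):
        return f"DER length {body_len} does not match the {len(data) - header} bytes present"
    return None


def normalize_b64(text: str) -> str:
    """Strip whitespace so PEM-wrapped and single-line forms compare equal."""
    return "".join((text or "").split())


def check_metadata_certs(metadata_xml: str):
    """Decode every ds:X509Certificate in each role descriptor and report
    whether it is a well-formed DER blob, plus its SHA-1 fingerprint."""
    root = ET.fromstring(metadata_xml)
    results = []
    for role in root:
        role_name = role.tag.rpartition("}")[2]   # e.g. IDPSSODescriptor
        for kd in role.findall("md:KeyDescriptor", NS):
            use = kd.get("use", "signing and encryption")
            for cert_el in kd.findall(".//ds:X509Certificate", NS):
                b64 = normalize_b64(cert_el.text)
                try:
                    der = base64.b64decode(b64, validate=True)
                    error = der_check(der)
                except (binascii.Error, ValueError) as exc:
                    der, error = b"", f"base64 error: {exc}"
                results.append({
                    "role": role_name,
                    "use": use,
                    "ok": error is None,
                    "error": error,
                    "sha1": hashlib.sha1(der).hexdigest() if error is None else None,
                })
    return results


def same_cert(b64_a: str, b64_b: str) -> bool:
    """True if two certificate strings (e.g. from the IdP's XML metadata and
    from the SP's saml20-idp-remote.php) are identical after whitespace removal."""
    return normalize_b64(b64_a) == normalize_b64(b64_b)


def flag_published_keys(results, known_published_sha1):
    """Return the roles whose certificate fingerprint is in a caller-supplied
    set of certificates whose private key is public (such as a software
    default keypair). Nothing is built in; the caller provides the set."""
    return [r["role"] for r in results if r["sha1"] in known_published_sha1]


# --- constructed sample input (not a real certificate, not from the thread) ---
# A stand-in DER SEQUENCE: tag 0x30, long-form length 0x0100 = 256 bytes of body.
GOOD_DER = b"\x30\x82\x01\x00" + bytes(range(256))
GOOD_B64 = base64.b64encode(GOOD_DER).decode()   # starts with "MI", like a real cert
TRUNCATED_B64 = GOOD_B64[2:]                      # the leading "MI" dropped, as in the thread

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{TRUNCATED_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{GOOD_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for r in check_metadata_certs(SAMPLE_METADATA):
        status = "OK  " if r["ok"] else "BAD "
        print(f"{status} {r['role']:<30} use={r['use']:<24} {r['error'] or r['sha1']}")
```

On a real file, call check_metadata_certs(open("SAML.xml").read()). A BAD line for the IDPSSODescriptor with a base64 error or a "does not start with the DER SEQUENCE tag" message is exactly the copy-and-paste damage described above, and two roles that are supposed to share a key but print different fingerprints point at the same kind of problem. A clean decode only proves the metadata is well-formed: the IdP may still be signing with a key other than the one it publishes, which is Peter's second possibility and can only be settled with the IdP operator.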

Sri Priya

Apr 4, 2016, 8:07:33 AM
to SimpleSAMLphp, peter....@univie.ac.at
Hi,

I am getting a similar error "Unable to Validate Signature" while trying to log in at the Shibboleth IdP. Please let me know how I can proceed.

I see the keys in (Shibboleth IdP) idp-metadata.xml and (SimpleSAMLphp) saml20-idp-remote.php are similar. I am stuck on this issue.


Apr 04 07:07:21 simplesamlphp DEBUG [26fd7321da] Decryption with key #0 succeeded.
Apr 04 07:07:21 simplesamlphp DEBUG [26fd7321da] Has 1 candidate keys for validation.
Apr 04 07:07:21 simplesamlphp DEBUG [26fd7321da] Validation with key #0 failed with exception: Unable to validate Signature
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] Backtrace:
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] 0 /simplesamplehome/3rd-party/simplesamlphp/www/module.php:179 (N/A)
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] Caused by: Exception: Unable to validate Signature
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] Backtrace:
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] 6 /simplesamplehome/3rd-party/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:158 (SAML2_Utils::validateSignature)
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] 5 /simplesamplehome/3rd-party/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:542 (SAML2_Assertion::validate)
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] 4 /simplesamplehome/3rd-party/simplesamlphp/modules/saml/lib/Message.php:194 (sspmod_saml_Message::checkSign)
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] 3 /simplesamplehome/3rd-party/simplesamlphp/modules/saml/lib/Message.php:545 (sspmod_saml_Message::processAssertion)
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] 2 /simplesamplehome/3rd-party/simplesamlphp/modules/saml/lib/Message.php:517 (sspmod_saml_Message::processResponse)
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] 1 /simplesamplehome/3rd-party/simplesamlphp/modules/saml/www/sp/saml2-acs.php:96 (require)
Apr 04 07:07:21 simplesamlphp ERROR [26fd7321da] 0 /simplesamplehome/3rd-party/simplesamlphp/www/module.php:134 (N/A)

Thanks

Peter Schober

Apr 4, 2016, 8:21:23 AM
to SimpleSAMLphp
* Sri Priya <sripri...@gmail.com> [2016-04-04 14:07]:
> I am getting a similar error "Unable to Validate Signature" while
> trying to login in shibboleth IDP. Please let me know how i can
> proceed.

You're replying to a 2-year old thread. Other than that the reply will
be the same: If the signature from the IDP cannot be validated then
the metadata is wrong. (There are no interoperability problems between
Shibboleth and SimpleSAMLphp, so it's a configuration problem.)
-peter