Unable to validate Signature


Pe!sdyr

Sep 8, 2008, 7:18:45 AM
to simpleSAMLphp
I'm trying to login through my IdP, and I get some of the way.
However, SimpleSAMLphp is not able to validate the signature I receive
from the Idp. Instead I see the following message:

#0 D:\...\simplesamlphp\lib\SimpleSAML\XML\SAML20\AuthnResponse.php(260): SimpleSAML_XML_Validator->__construct(Object(DOMElement), 'ID', '-----BEGIN CERT...')
#1 D:\...\simplesamlphp\lib\SimpleSAML\XML\SAML20\AuthnResponse.php(523): SimpleSAML_XML_SAML20_AuthnResponse->validateSignature(Object(DOMElement))
#2 D:\...\simplesamlphp\www\saml2\sp\AssertionConsumerService.php(38): SimpleSAML_XML_SAML20_AuthnResponse->process()
#3 {main}

I got the IdP's certificate in an XML file and cut and pasted it into
a idpcertificate.cer file, with the following format:

-----BEGIN CERTIFICATE---
MIIE9jC...... (cont.)
-----END CERTIFICATE-----

If I double click on the idpcertificate.cer in Windows I can see the
certificate nicely.

In my metadata\saml20-idp-remote.php file I have the following:
$metadata = array(
    /*
     * Login through SSO
     */
    'https://someidpservername.eu' => array(
        'name' => 'IdP',
        'description' => 'Test against IdP',
        'SingleSignOnService' => 'https://login.someidpservername.eu/idp/SSO.saml2',
        'SingleLogoutService' => 'https://login.someidpservername.eu/idp/SLO.saml2',
        'certFingerprint' => 'D567...(cont.)',
        'certificate' => 'idpcertificate.crt',
    )
);

The certFingerprint I copied from the same XML file.

Could it have anything to do with the IdP's public key? I have openssl
installed, but I cannot figure out how to extract the public key - or
if I actually have to do that at all.

Any suggestions? Thank you in advance.

Pe!sdyr

Sep 8, 2008, 7:52:55 AM
to simpleSAMLphp
By the way, I'm aware of this thread:
http://groups.google.com/group/simplesamlphp/browse_thread/thread/1b6677cfb9e3dcb7
But I'm not sure if it's exactly the same issue.

ola...@stud.ntnu.no

Sep 8, 2008, 8:05:08 AM
to simple...@googlegroups.com
On Mon, Sep 08, 2008 at 04:18:45 -0700, Pe!sdyr wrote:
>
> I'm trying to login through my IdP, and I get some of the way.
> However, SimpleSAMLphp is not able to validate the signature I receive
> from the Idp. Instead I see the following message:
>
> #0 D:\...\simplesamlphp\lib\SimpleSAML\XML\SAML20\AuthnResponse.php(260): SimpleSAML_XML_Validator->__construct(Object(DOMElement), 'ID', '-----BEGIN CERT...')
> #1 D:\...\simplesamlphp\lib\SimpleSAML\XML\SAML20\AuthnResponse.php(523): SimpleSAML_XML_SAML20_AuthnResponse->validateSignature(Object(DOMElement))
> #2 D:\...\simplesamlphp\www\saml2\sp\AssertionConsumerService.php(38): SimpleSAML_XML_SAML20_AuthnResponse->process()
> #3 {main}

This is either caused by trying to validate the document with the wrong
certificate/public key, or by the certificate being invalid.

> I got the IdP's certificate in an XML file and cut and pasted it into
> a idpcertificate.cer file, with the following format:
>
> -----BEGIN CERTIFICATE---
> MIIE9jC...... (cont.)
> -----END CERTIFICATE-----

There should be five minus-signs after BEGIN CERTIFICATE, as in:
-----BEGIN CERTIFICATE-----

In addition, the certificate should be broken into short lines. The
maximum length openssl will accept is 79 characters, the default length
is 64 characters.

If you have the openssl command line tool available, you can run the
following command to verify that openssl accepts the certificate:
openssl x509 -in idpcertificate.crt

On error, it will print something like:
unable to load certificate
22923:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:753:

If it is successful, it will print the certificate.

> If I double click on the idpcertificate.cer in Windows I can see the
> certificate nicely.
>
> In my metadata\saml20-idp-remote.php file I have the following:
> $metadata = array(
>     /*
>      * Login through SSO
>      */
>     'https://someidpservername.eu' => array(
>         'name' => 'IdP',
>         'description' => 'Test against IdP',
>         'SingleSignOnService' => 'https://login.someidpservername.eu/idp/SSO.saml2',
>         'SingleLogoutService' => 'https://login.someidpservername.eu/idp/SLO.saml2',
>         'certFingerprint' => 'D567...(cont.)',
>         'certificate' => 'idpcertificate.crt',
>     )
> );
>
> The certFingerprint I copied from the same XML file.

You only need either certFingerprint or certificate. If you set both,
the certificate will be used.

Pe!sdyr

Sep 8, 2008, 8:19:59 AM
to simpleSAMLphp
Thanks, I just found out that the certFingerprint format was wrong. I
had it like 012345... instead of 01:23:45...
Now it works as a charm!

Thank you for your input - I knew it would be a great day today. :o)
*amazed by the great responses we get here*

Pe!sdyr

Sep 8, 2008, 8:23:15 AM
to simpleSAMLphp
You're absolutely right! It works now, I'm able to login and to logout
- what a great feeling! :o)
Thanks again.

On Sep 8, 2:05 pm, ola...@stud.ntnu.no wrote:

m_a_tt

Feb 14, 2011, 7:41:32 PM
to simple...@googlegroups.com
BTW - I had this issue and in my case the fingerprint was right. Simplesamlphp was expecting a sha-1 and my IDP (Microsoft ADFS 2.0) was sending over SHA-256.

The error message is the same, as if you had a bad fingerprint...
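The three things this thread turns on can all be checked before touching the SP: the PEM framing and line length that ola...@stud.ntnu.no's reply describes, the colon-separated fingerprint format Pe!sdyr ended up needing, and the SHA-1 versus SHA-256 digest length that m_a_tt ran into with ADFS. The script below is an added example written for this thread; it is not code from simpleSAMLphp or from any of the posters, and it uses only the Python standard library. The 79-character maximum and 64-character default come from the reply above; the assumption that the configured check expects SHA-1 follows m_a_tt's observation. FAKE_DER is a constructed ASN.1 SEQUENCE header with filler bytes, not a real certificate, so it exercises the framing and digest logic only.

```python
"""Check a PEM certificate file the way the reply above describes, then
compute its fingerprint and compare it with a configured value.

Added example for this thread, not code from simpleSAMLphp or from any of
the posters. Standard library only. FAKE_DER is a constructed stand-in
(an ASN.1 SEQUENCE header plus filler), not a real certificate.
"""
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"   # five dashes on each side
END = "-----END CERTIFICATE-----"
MAX_LINE = 79                           # limit quoted in the reply above
PEM_WIDTH = 64                          # default wrap width quoted there
DIGEST_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def check_pem(text):
    """Return (der_bytes, problems). der_bytes is None if base64 decoding fails."""
    problems = []
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        problems.append("header is not exactly %s (count the dashes)" % BEGIN)
    if not lines or lines[-1] != END:
        problems.append("footer is not exactly %s" % END)
    body = [ln for ln in lines if not ln.startswith("-----")]
    for n, ln in enumerate(body, 1):
        if len(ln) > MAX_LINE:
            problems.append("body line %d is %d chars; openssl accepts at most %d"
                            % (n, len(ln), MAX_LINE))
    try:
        der = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        # Same failure openssl reports as "bad base64 decode".
        return None, problems + ["bad base64 decode"]
    if not der or der[0] != 0x30:
        problems.append("decoded data does not start with an ASN.1 SEQUENCE (0x30)")
    return der, problems


def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case hex digest of the DER bytes (openssl -fingerprint style)."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fingerprint(fp):
    """Drop colons, spaces and case so '0123...' and '01:23:...' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def match_fingerprint(configured, der, expected_algo="sha1"):
    """Compare a configured fingerprint with the certificate's digest.

    Returns (ok, reason). A digest from the wrong family is reported as such
    rather than as a plain mismatch (the ADFS SHA-256 case from the last post).
    """
    want = normalize_fingerprint(configured)
    algo = DIGEST_BY_HEX_LEN.get(len(want))
    if algo is None:
        return False, "%d hex digits: expected 40 (SHA-1) or 64 (SHA-256)" % len(want)
    if algo != expected_algo:
        return False, "fingerprint is %s but the check compares %s" % (algo, expected_algo)
    got = normalize_fingerprint(fingerprint(der, algo))
    if got != want:
        return False, "%s mismatch: configured %s..., certificate %s..." % (algo, want[:8], got[:8])
    return True, "%s fingerprint matches" % algo


def wrap_pem(der, width=PEM_WIDTH):
    """Encode DER bytes as a PEM block wrapped at the given width."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([BEGIN] + [b64[i:i + width] for i in range(0, len(b64), width)] + [END])


# Constructed sample data (not a real certificate).
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
GOOD_PEM = wrap_pem(FAKE_DER)
BAD_HEADER_PEM = GOOD_PEM.replace(BEGIN, "-----BEGIN CERTIFICATE---")  # the poster's file
LONG_LINE_PEM = wrap_pem(FAKE_DER, width=300)                          # one over-long line
CORRUPT_PEM = GOOD_PEM.replace("MIIB", "MI!B", 1)                      # non-base64 character

if __name__ == "__main__":
    for name, pem in [("good", GOOD_PEM), ("bad header", BAD_HEADER_PEM),
                      ("long lines", LONG_LINE_PEM), ("corrupt", CORRUPT_PEM)]:
        der, problems = check_pem(pem)
        print(name, "->", problems or "ok")
    print("sha1  ", fingerprint(FAKE_DER))
    print("sha256", fingerprint(FAKE_DER, "sha256"))
    print(match_fingerprint(fingerprint(FAKE_DER).replace(":", "").lower(), FAKE_DER))
    print(match_fingerprint(fingerprint(FAKE_DER, "sha256"), FAKE_DER))
```

Run it as a script to see the four PEM variants diagnosed and the two fingerprint comparisons; to check a real file, pass its contents to check_pem and the resulting DER bytes, together with the value from saml20-idp-remote.php, to match_fingerprint. Normalising both sides before comparing is what makes the 012345... and 01:23:45... spellings equivalent, and reporting the digest family separately turns the "same error as a bad fingerprint" case into an explicit message.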