I am trying to understand why I get the error “Failed to verify signature on HTTP redirect message” when a user tries to logout from an SSO session.
It is not the first time I am using ComponentSpace SAML2 : we have a dozen of customers using the component and the login works well for them.
I suppose that there is something in the customer settings, certificate…
Can you advise what to look at and check ?
Thanks a lot
Stack Trace:
[SAMLSignatureException: Failed to verify signature on HTTP redirect message.] ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.CheckSignature(String redirectURL, String encodedSignature, String messageQueryName, AsymmetricAlgorithm key, String signatureAlgorithm) +459 ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.VerifyResponseSignature(HttpRequestBase httpRequest, String signatureAlgorithm, String signature, AsymmetricAlgorithm key) +95 ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.ReceiveMessage(HttpRequestBase httpRequest, XmlElement& samlMessage, String& relayState, Boolean& isRequest, Boolean& signed, AsymmetricAlgorithm key) +259 ComponentSpace.SAML2.Profiles.SingleLogout.SingleLogoutService.ReceiveLogoutMessageByHTTPRedirect(HttpRequestBase httpRequest, XmlElement& logoutMessage, String& relayState, Boolean& isRequest, Boolean& signed, AsymmetricAlgorithm key) +73
… |
The most likely cause is a configuration mismatch between the private key used by the partner to sign the message and the certificate you use to verify the signature.
Please double check with the partner that you’re using the correct certificate. If this was previously working, it’s possible they rolled over to a new certificate and didn’t mentioned this to you.
[quote]ComponentSpace - 2/15/2022
The most likely cause is a configuration mismatch between the private key used by the partner to sign the message and the certificate you use to verify the signature.
Please double check with the partner that you're using the correct certificate. If this was previously working, it's possible they rolled over to a new certificate and didn't mentioned this to you.
Does it seem to be that for you if we use the same certificate for the login and it works?
Ok, that blows that theory.
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Please include both the successful SSO and failing SLO in the log.
Thanks for the logs.
The login log shows the SAML assertion is being decrypted but the SAML assertion signature isn’t being verified. Please ensure the signature is verified successfully before trusting the SAML assertion.
I grabbed the certificate embedded in the SAML assertion and was able to verify the signature of the SAML logout response using this certificate.
The correct certificate to use for verifying the SAML assertion signature and the SAML logout response signature is the ADFS signing certificate with the serial number “3eb06e5d94affd9b42b243d43ef5d82d”.
The most common reason is that you have the wrong certificate configured.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace