Implementing a Service Provider. ReceiveSSO gives the error: The SAML response isn't signed

So long as I have my SAML.config information for PartnerIdentityProvider to indicate that I don’t want the response to be signed, I have been able to get up and running with my organization’s identity provider just fine. Using SSOTracer in Firefox, I can see that the response does indeed have a certificate, and I have verified that the certificate contents match the contents that I have in the root of my MVC application (idp.cer). From everything I can see, I should have a matching certificate to the one coming from my identity provider, but ReceiveSSO fails if I set the config to require a signed response.

Here is the SAML that I am receiving from the Identity provider (sanitized to remove any sensitive data)

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s219873d3091bb908ee2178472917286104d932e27"
    InResponseTo="_371fa8d0-ce88-494e-b0ee-e25318b61c38"
    Version="2.0"
    IssueInstant="2015-01-15T22:28:12Z"
    Destination="http://localhost:8000/Auth/Receive"
    >
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">--removed--</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"
        />
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="s29947f21667d2aac359ee7e8ab2a3173299ce175f"
      IssueInstant="2015-01-15T22:28:12Z"
      Version="2.0"
      >
    <saml:Issuer>gotTheNameRight</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#s29947f21667d2aac359ee7e8ab2a3173299ce175f">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>zgATTUCLT1EHftyOUZwzZhEZw3k=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        --Removed--
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            Removed, but I actually direct copied the real value and pasted it into the idp.cer file in between the begin and end comment dealios in that actual file.
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
          NameQualifier="gotTheNameRight"
          >3445376629984011</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_371fa8d0-ce88-494e-b0ee-e25318b61c38"
            NotOnOrAfter="2015-01-15T22:38:12Z"
            Recipient="http://localhost:8000/Auth/Receive"
            />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-01-15T22:18:12Z"
        NotOnOrAfter="2015-01-15T22:38:12Z"
        >
      <saml:AudienceRestriction>
        <saml:Audience>teacherapp-localdev</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2015-01-15T22:27:17Z"
        SessionIndex="s22f1b0a2660c5d0cf571740a4b5fe50f232857c04"
        >
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="policy-givenname">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >Daniel</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="policy-sn">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >Staten</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="policy-workforceid">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >--removed--</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="policy-cn">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >dannystaten</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="policy-ldsaccountid">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >--removed--</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>


Here is the saml config for our identity provider
<PartnerIdentityProvider Name="gotTheNameRight"
    SignAuthnRequest="false"
    WantSAMLResponseSigned="true"
    WantAssertionSigned="false"
    WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="https://urldoeswork"
    SingleLogoutServiceUrl="https://differenturl"
    PartnerCertificateFile="idp.cer"/>

As I said, the SAML sign on experience works flawlessly until I tell my code that receives to require the signature on the response. From everything I can see the signature is in the response, and I am configured correctly to accept the signature that has been returned. Is there something about the signature value that I need to match in my configuration?

Signature verification fails because either the XML has been modified after signing or the wrong certificate is used.
As an experiment, in your PartnerIdentityProvider entry, remove the PartnerCertificate attribute and instead specify UseEmbeddedCertificate="true".

<PartnerIdentityProvider Name="gotTheNameRight"
    SignAuthnRequest="false"
    WantSAMLResponseSigned="true"
    WantAssertionSigned="false"
    WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="https://urldoeswork"
    SingleLogoutServiceUrl="https://differenturl"
    UseEmbeddedCertificate="true"/>

This specifies to use the certificate embedded in the XML signature rather than a separate certificate file.
If this works then it means the idp.cer file is incorrect.
If this doesn’t work, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com. Also, include the idp.cer file but rename it to idp.txt.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

I just emailed support a log file. The problem is happening regardless of whether I use the file or set it to use the embedded certificate.
Thanks,

Danny

Thanks for sending the log. I extracted the SAML response and ran our VerifySAML utility to check the XML signature.

VerifySAML.exe samlresponse.xml
Loading samlresponse.xml
Verifying SAML message
The SAML message isn’t signed
Verifying SAML assertion
Verified: True

The SAML response isn’t signed. Rather, the SAML assertion is signed instead.
In your configuration you should set WantSAMLResponseSigned to false and WantAssertionSigned to true.

<PartnerIdentityProvider Name="gotTheNameRight"
    SignAuthnRequest="false"
    WantSAMLResponseSigned="false"
    WantAssertionSigned="true"
    WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="https://urldoeswork"
    SingleLogoutServiceUrl="https://differenturl"
    PartnerCertificateFile="idp.cer"/>
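The two diagnoses in this thread (signature on the Assertion rather than the Response, and an idp.cer that may not match the embedded certificate) can both be checked structurally before involving the vendor's verifier. The script below is an added example, not ComponentSpace code: it reports which element carries the ds:Signature, whether that signature's Reference URI points at its own parent (as an enveloped signature must), which WantSAMLResponseSigned / WantAssertionSigned pair therefore matches the message, and whether the X509Certificate in KeyInfo equals the PEM file configured as PartnerCertificateFile. It does not verify the signature cryptographically; VerifySAML does that. The sample response and certificate are constructed, stripped-down stand-ins for the real message above.

```python
"""Structural check of where a SAML 2.0 response carries its XML signature.

Added example, not vendor code. Reports which element is signed and whether
the embedded certificate matches a PEM file. It does NOT verify the
signature cryptographically; use a real XML-DSig verifier for that.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: Response unsigned, Assertion signed (the case in the thread).
# SignedInfo is reduced to the Reference; the certificate value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2015-01-15T22:28:12Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp</saml:Issuer>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_assert1" Version="2.0" IssueInstant="2015-01-15T22:28:12Z">
    <saml:Issuer>idp</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="#_assert1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBCONSTRUCTED
        EXAMPLECERT==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed stand-in for the contents of idp.cer (placeholder base64, not a real cert).
SAMPLE_IDP_CER = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBCONSTRUCTED\n"
    "EXAMPLECERT==\n"
    "-----END CERTIFICATE-----\n"
)


def locate_signatures(xml_text):
    """Return one record per ds:Signature: the element that carries it, that
    element's ID, and the Reference URI the signature claims to cover."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():          # root itself plus every descendant
        sig = parent.find("ds:Signature", NS)   # direct child only
        if sig is None:
            continue
        local_name = parent.tag.split("}")[-1]  # "Response" or "Assertion"
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        parent_id = parent.get("ID", "")
        findings.append({
            "signed_element": local_name,
            "element_id": parent_id,
            "reference_uri": uri,
            # An enveloped signature must reference the ID of its own parent;
            # anything else means the signature does not cover this element.
            "reference_matches": uri == "#" + parent_id,
        })
    return findings


def recommended_config(findings):
    """Map signature locations to the SP flags that match the message."""
    signed = {f["signed_element"] for f in findings if f["reference_matches"]}
    return {
        "WantSAMLResponseSigned": "Response" in signed,
        "WantAssertionSigned": "Assertion" in signed,
    }


def _pem_body(text):
    """Collapse a PEM or bare base64 blob to its payload for comparison."""
    lines = (line.strip() for line in text.splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))


def embedded_certificate_matches(xml_text, pem_text):
    """True when the X509Certificate in the signature's KeyInfo equals the
    certificate in the configured PartnerCertificateFile."""
    root = ET.fromstring(xml_text)
    cert = root.find(".//ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        return False
    return _pem_body(cert.text) == _pem_body(pem_text)


if __name__ == "__main__":
    found = locate_signatures(SAMPLE_RESPONSE)
    for entry in found:
        print(entry)
    print(recommended_config(found))
    print("embedded cert matches idp.cer:",
          embedded_certificate_matches(SAMPLE_RESPONSE, SAMPLE_IDP_CER))
```

Run against the sanitized response from the thread it reports a single signature on the Assertion whose Reference points at the Assertion ID, which is exactly why WantSAMLResponseSigned="true" fails while WantAssertionSigned="true" succeeds. A mismatch on the certificate check is the other outcome the support reply was distinguishing with the UseEmbeddedCertificate experiment.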

Thanks so much! That did it.