Neither the SAML assertion nor response is signed

Hi,

I have just changed the configuration of my ASP.NET MVC service provider to support a different identity provider by modifying the web.config and saml.config. For a reason I cannot figure out, it generates the error 'Neither the SAML assertion nor response is signed' when it receives the SAML response and calls the SAMLServiceProvider.ReceiveSSO method from AssertionConsumerService() in my MVC site. Using SAML tracer, the incoming SAML response looks correct, so why is it generating the error? The signing values of the entry in the saml.config look like this:

SignAuthnRequest="false"
WantSAMLResponseSigned="false"
WantAssertionSigned="false"
WantAssertionEncrypted="false"

So under what circumstances would it generate this error - see attachment.

I suspect it is a configuration issue, but how does it match the incoming SAML response to the entry in the saml.config?

Regards,
Michael



Hi Michael
By default we expect either the SAML response or assertion to be signed.
If you want to disable this, specify WantAssertionOrResponseSigned="false".
However, in production you should require either the SAML response or assertion to have a verified signature.
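The three configurations discussed in this thread side by side, as an added example that is not from the original posts or from ComponentSpace's documentation. The signing attributes are the ones quoted above; the surrounding element name, the Name attribute and PartnerCertificateFile are assumptions about the shape of a saml.config entry. Which entry the SP applies is normally selected by the Issuer of the incoming response, so the Name value must match what the IdP sends.

```xml
<!-- Added example, not from the original posts or from ComponentSpace.
     Assumed shape: one <PartnerIdentityProvider> entry per IdP inside
     <PartnerIdentityProviders>. Attribute names other than the four
     signing flags quoted in the thread are assumptions. -->

<!-- 1. Entry as posted in the question. None of the four flags turns off the
     default requirement that either the response or the assertion carries a
     signature, so an unsigned response from this IdP is rejected with
     "Neither the SAML assertion nor response is signed". -->
<PartnerIdentityProvider Name="https://idp.example.com/metadata"
    SignAuthnRequest="false"
    WantSAMLResponseSigned="false"
    WantAssertionSigned="false"
    WantAssertionEncrypted="false" />

<!-- 2. Workaround from the reply: accept a response with no signature at all.
     Lab use only. With this set, anyone who can reach the
     AssertionConsumerService URL can post a hand-written Response naming any
     subject, and the SP has no way to distinguish it from one the IdP issued. -->
<PartnerIdentityProvider Name="https://idp.example.com/metadata"
    SignAuthnRequest="false"
    WantSAMLResponseSigned="false"
    WantAssertionSigned="false"
    WantAssertionOrResponseSigned="false"
    WantAssertionEncrypted="false" />

<!-- 3. Production: require a verified signature on the assertion, the element
     that carries the subject and attributes, and pin the IdP signing
     certificate the signature is checked against (assumed attribute name).
     The IdP must actually be configured to sign the assertion; this entry
     only states what the SP will accept. -->
<PartnerIdentityProvider Name="https://idp.example.com/metadata"
    SignAuthnRequest="true"
    WantSAMLResponseSigned="false"
    WantAssertionSigned="true"
    WantAssertionEncrypted="false"
    PartnerCertificateFile="idp-signing.cer" />
```

Before relying on entry 3, confirm in SAML tracer that the IdP's response contains a ds:Signature element inside the Assertion (or inside the Response, and then set WantSAMLResponseSigned="true" instead); the flag names say where the SP looks, so a signature on the other element will still fail.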

[quote]
ComponentSpace - 7/3/2018
Hi Michael
By default we expect either the SAML response or assertion to be signed.
If you want to disable this, specify WantAssertionOrResponseSigned="false".
However, in production you should require either the SAML response or assertion to have a verified signature.
[/quote]

Hi,
I have just added this to the saml.config and it fixed the issue.
Many thanks for your help and quick response.

Regards,
Michael


You’re welcome.

[quote]
ComponentSpace - 7/3/2018
Hi Michael
By default we expect either the SAML response or assertion to be signed.
If you want to disable this, specify WantAssertionOrResponseSigned="false".
However, in production you should require either the SAML response or assertion to have a verified signature.
[/quote]

Hi Michael,

Thank you for your input. I am facing a similar issue, and the error is suppressed when I add the flag you provided.
I would like to understand the root cause of the issue: is the IdP response/assertion missing the verified signature due to a setting that can be enabled in the SP request, or is it up to the IdP to include signatures?

I just want to ensure that this behavior is not due to a missing configuration in the original SAML request from the service provider application.

Thanks in advance,
Phaniraj

Hi Phaniraj,

Normally it’s the IdP that decides whether to sign the SAML assertion or response. There’s nothing in the SAML authn request from the SP that determines what will be signed by the IdP.