Response doesn't have any valid assertion which would pass subject validation

Washington_Michael · August 28, 2018, 5:00pm

When connecting to a partner they get the following error:

[2018-08-08 14:41:08,812] [http-nio-9080-exec-6] INFO o.s.s.saml.log.SAMLDefaultLogger - AuthNResponse;FAILURE;156.3.211.241;achieve3000-saml;https://XXXX.azurewebsites.net;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)

They told me:

There is no element at all in this response (neither in the element nor in the element), so we have no way to verify that is issued by the IdP (you). Please add the Signature element and try again.

My configuration looks like this:

{
"Name": "achieve3000-saml",
"Description": "Achieve3000",
"WantAuthnRequestSigned": false,
"SignSamlResponse": false,
"AssertionConsumerServiceUrl": "https://saml-v2.achieve3000.com/saml/SSO",
"SingleLogoutServiceUrl": "",
"DisableDestinationCheck": true,
"DisableRecipientCheck": true,
"PartnerCertificates": []
}

My code to initiate SSO looks like this:

string userName = "Test User";

var attributes = new List()
{
new SamlAttribute(ClaimTypes.Email, "Test User@XXXXXXXX.net")
};

await _samlIdentityProvider.InitiateSsoAsync("achieve3000-saml", userName, attributes, null);

I am unsure how to resolve this.
Thank You

ComponentSpace · August 28, 2018, 5:17pm

Signature generation is controlled through configuration.
Currently you have SignSamlResponse set to false.
Set this to true to have the SAML response signed.
Alternatively, set SignAssertion to true to have the SAML assertion signed.
Signatures are generated using the LocalIdentityProviderConfiguration’s LocalCertificate (eg your PFX file).
The SP will need the corresponding CER file to verify the signature.

Washington_Michael · August 29, 2018, 2:56pm

[quote]

ComponentSpace - 8/28/2018

Signature generation is controlled through configuration.
Currently you have SignSamlResponse set to false.
Set this to true to have the SAML response signed.
Alternatively, set SignAssertion to true to have the SAML assertion signed.
Signatures are generated using the LocalIdentityProviderConfiguration's LocalCertificate (eg your PFX file).
The SP will need the corresponding CER file to verify the signature.

[/quote]

That fixed the problem!
Thank You!

ComponentSpace · August 29, 2018, 3:07pm

You’re welcome.