SAML Signature Verification Fails

We are using ComponentSpace v2.1, set up as the IdP for SSO initiation. The signing certificate information used for signing and for verification at the SP all seems aligned, but the SAML response always fails signature validation at the SP site.

The SP is also using the ComponentSpace library, but a different version (v2.6.0.21 currently), and according to them (the SP) the request fails at SAMLServiceProvider.ReceiveSSO(), which throws a SAMLSignatureException ("The SAML assertion signature failed to verify").

Kindly provide your suggestion.

Attached are the logs from the SP site.

I was able to verify the signature, so I think the issue is at the SP side.
One possible workaround is to sign the SAML response rather than the SAML assertion. This would require a configuration change at the IdP and SP.
Otherwise, please ask the SP to contact us, mentioning this forum post.

Hi. I am from the SP referred to in the original post, and I would like a bit more info on how you verified the signature from the log file. The steps I have taken (using the log file from the original post) are:
1) Extract the base64-encoded SAMLResponse from the log file and decode it to produce the attached SAMLResponse.xml.
2) Extract the base64-encoded X.509 certificate from the SAML response to produce the attached SAMLCertificate.cer (.txt added to allow the file to be attached).
3) Pass these two files into the VerifySAML example app provided with the ComponentSpace library using "VerifySAML.exe -c SAMLCertificate.cer SAMLResponse.xml".
The signature verification failed as shown in the attached VerifySAML.png.
Any idea why the verification is failing for me (and using the online SAML verification tool at https://www.samltool.com/validate_response.php), but you are able to verify it?
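The first two steps above (pull the base64 SAMLResponse out of a log, decode it, and pull the X.509 certificate out of the ds:KeyInfo) are easy to get wrong by hand, and a third question matters for the workaround the vendor suggests: is the ds:Signature a child of the Response or of the Assertion, and does its Reference URI actually point at that element's ID? The script below is an added example, not the poster's code and not ComponentSpace's VerifySAML; it uses only the Python standard library and does not perform the cryptographic check (that needs exclusive C14N plus RSA, which VerifySAML does). The log line format ("SAMLResponse=<base64>") and the sample response, with placeholder digest, signature and certificate values, are constructed for the example.

```python
"""Triage a SAML response taken from an SP log: which element is signed,
whether the Reference URI matches it, which algorithms are declared, and
which certificate the IdP embedded. Added example; stdlib only; no crypto."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the *assertion* is signed (the situation in this thread).
# DigestValue, SignatureValue and the certificate body are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2015-01-01T00:00:00Z" Destination="https://sp.example/acs">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_assert1">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>PLACEHOLDERDIGEST=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDERSIGNATURE=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICPLACEHOLDERCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed log excerpt; the "SAMLResponse=<base64>" line shape is hypothetical.
SAMPLE_LOG = "\n".join([
    "2015-01-01 00:00:01 ReceiveSSO: reading form fields",
    "SAMLResponse=" + base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode(),
    "RelayState=abc",
])


def extract_saml_response(log_text):
    """Step 1: find the base64 SAMLResponse field in the log and decode it."""
    m = re.search(r"SAMLResponse=([A-Za-z0-9+/=]+)", log_text)
    if not m:
        raise ValueError("no SAMLResponse field found in log")
    return base64.b64decode(m.group(1)).decode("utf-8")


def _localname(tag):
    return tag.split("}", 1)[1] if "}" in tag else tag


def describe_signatures(xml_text):
    """For every ds:Signature: which element it is enveloped in, whether the
    Reference URI points at that element's ID, the declared algorithms, and
    the embedded certificate (step 2). A response may carry two signatures."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    results = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        parent = parent_of.get(sig, root)  # falls back to root if Response is signed
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI", "")
        cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                            default="", namespaces=NS)
        results.append({
            "signed_element": _localname(parent.tag),          # "Response" or "Assertion"
            "reference_uri": uri,
            "uri_matches_parent_id": uri == "#" + parent.get("ID", ""),
            "c14n": sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS).get("Algorithm"),
            "signature_method": sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm"),
            "transforms": [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)],
            "certificate_b64": re.sub(r"\s+", "", cert),      # strip line folding
        })
    return results


def to_pem(cert_b64):
    """Wrap the base64 DER from ds:X509Certificate as a PEM .cer file body."""
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    xml_text = extract_saml_response(SAMPLE_LOG)
    for info in describe_signatures(xml_text):
        print("signed element:", info["signed_element"], "reference:", info["reference_uri"],
              "id match:", info["uri_matches_parent_id"])
        print("c14n:", info["c14n"], "sig:", info["signature_method"])
        print("transforms:", info["transforms"])
        print(to_pem(info["certificate_b64"]))
```

Feed the PEM this produces to VerifySAML (or openssl x509 -noout -text) rather than copying the certificate by hand; if the report shows the Signature under Assertion with a Reference URI that does not equal "#" + that Assertion's ID, the SP will fail before any cryptography runs, which is a different failure from the canonicalization/namespace problem discussed later in this thread.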



Minor follow-up. I also tried using VerifySAML with no certificate file (i.e., using the certificate in the request), with the same results. I have also attached the SAML trace log file for VerifySAML.

I have just tried verifying the signature using the latest version (V2.8.7) of the library, and it works. Looking at the V2.6.0.21 log file attached to the previous post, it seems that the problem is in the signature element, and I note that the change log indicates that there were some issues with namespaces and signature verification (possibly related to a bug in the MS SignedXml class) and that V2.8.7 includes a fix/workaround. Could this be the problem?


Yes, it could be.
A workaround is to sign the SAML response rather than the SAML assertion.
Otherwise, please ask the SP to contact us, mentioning this forum post. They might have to upgrade to the latest release.

We have updated to V2.8.7, and that does seem to have resolved the problem. It would appear that V2.6.0.21 is not compatible with some older versions of the library.



Yes. There was an issue with verifying some XML signatures that was addressed in a later release.