SSO assertion error: The SAML response failed to verify and the assertion isn't signed.

Hi -

When a customer is trying to login via SSO to our app, the following error is being generated:

“The SAML response failed to verify and the assertion isn’t signed.”

**** ComponentSpace.Saml2.Exceptions.SamlSignatureException ****
at ComponentSpace.Saml2.SamlServiceProvider.VerifySamlAssertionSignatureAsync(AssertionListItem assertionListItem)
at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()
at Tdx.Itpa.Web.Controllers.SamlController.AssertionConsumerService() in C:\a\11\s\ITPA\TdxItpaWeb\Areas\General\Controllers\SamlController.cs:line 153

Questions:

- Does this mean what it seems to: the response from the customer includes an assertion that isn’t signed?
- What is the ComponentSpace configuration that indicates whether or not our app expects the assertion to be signed?
- We have implemented SSO via ComponentSpace in a standard way - as such, would that mean that the WantAssertionsSigned SP configuration should be true? Relatedly, should the SP configuration of AuthnRequestsSigned be false?

Thank you,

Mike Oliver
TeamDynamix, Inc.


Hi Mike,

By default we attempt to verify either the SAML response signature or the SAML assertion signature.

The message indicates that the SAML response is signed, but the signature couldn’t be verified, and the SAML assertion isn’t signed.

Signature checking is controlled by the following flags that are part of the PartnerIdentityProviderConfiguration:

WantAssertionOrResponseSigned - either the SAML assertion or response must be signed (defaults to true)

WantSamlResponseSigned - the SAML response must be signed (defaults to false)

WantAssertionSigned - the SAML assertion must be signed (defaults to false)

For most scenarios, using the default configuration of WantAssertionOrResponseSigned is recommended.

For more information regarding this configuration, please refer to the Configuration Guide.

Signing the SAML authn request is unrelated to whether the SAML assertion or response is signed.

The most likely issue is that the wrong certificate is configured for the signature verification.

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
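
As an added diagnostic example (not ComponentSpace code, and it does not verify the XML signature itself), the following Python applies the three flags above to a constructed SAML Response, reports where the ds:Signature sits, and extracts the thumbprint of the certificate carried in the signature's KeyInfo so it can be compared with the certificate configured for the partner IdP. The namespace map, the sample Response and the placeholder certificate blob are all constructed for this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of a DER certificate, the form shown in the Windows cert store."""
    return hashlib.sha1(der).hexdigest().upper()

def signature_info(element):
    """(is_signed, thumbprint of the cert carried in ds:KeyInfo, or None) for one element."""
    sig = element.find("ds:Signature", NS)  # an enveloped signature is a direct child
    if sig is None:
        return False, None
    cert = sig.find(".//ds:X509Certificate", NS)
    if cert is None or not cert.text:
        return True, None
    return True, thumbprint(base64.b64decode("".join(cert.text.split())))

def check_signing_policy(xml_text, configured_thumbprint, want_either=True,
                         want_response=False, want_assertion=False):
    """Apply the three PartnerIdentityProviderConfiguration flags, then compare certs."""
    root = ET.fromstring(xml_text)
    resp_signed, resp_thumb = signature_info(root)
    assertion = root.find("saml:Assertion", NS)
    asrt_signed, asrt_thumb = signature_info(assertion) if assertion is not None else (False, None)
    problems = []
    if want_response and not resp_signed:
        problems.append("WantSamlResponseSigned: response is not signed")
    if want_assertion and not asrt_signed:
        problems.append("WantAssertionSigned: assertion is not signed")
    if want_either and not (resp_signed or asrt_signed):
        problems.append("WantAssertionOrResponseSigned: neither response nor assertion is signed")
    seen = resp_thumb or asrt_thumb  # certificate the IdP actually signed with
    if seen and seen != configured_thumbprint:
        problems.append(f"signing cert {seen} differs from configured cert {configured_thumbprint}")
    return {"response_signed": resp_signed, "assertion_signed": asrt_signed,
            "signing_cert": seen, "problems": problems}

# Constructed sample: Response signed, Assertion unsigned; KeyInfo holds a placeholder blob, not a real cert.
FAKE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1">
  <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.test</saml:Issuer></saml:Assertion>
</samlp:Response>"""
```

With the default flags the sample passes the placement check, and the only finding is the certificate mismatch when the configured thumbprint differs from the one in KeyInfo; the actual cryptographic verification still belongs to the SAML library.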


[quote]
ComponentSpace - 9/12/2022
Hi Mike,

By default we attempt to verify either the SAML response signature or the SAML assertion signature.

The message indicates that the SAML response is signed, but the signature couldn't be verified, and the SAML assertion isn't signed.

Signature checking is controlled by the following flags that are part of the PartnerIdentityProviderConfiguration:

WantAssertionOrResponseSigned - either the SAML assertion or response must be signed (defaults to true)

WantSamlResponseSigned - the SAML response must be signed (defaults to false)

WantAssertionSigned - the SAML assertion must be signed (defaults to false)

For most scenarios, using the default configuration of WantAssertionOrResponseSigned is recommended.

For more information regarding this configuration, please refer to the Configuration Guide.

Signing the SAML authn request is unrelated to whether the SAML assertion or response is signed.

The most likely issue is that the wrong certificate is configured for the signature verification.

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.


[/quote]

Understood. Thank you for the very helpful clarifications! We are in the process of investigating the certificate being used by the customer.

You’re welcome.