Hey Community,
We are having difficulties configuring SSO for a customer. We are mostly experienced with ADFS and Azure AD, this client has a custom SAML solution. I think we may have our configuration incorrect, we receive the error below:
“The SAML assertion isn’t encrypted.”
Below is the masked meta file we received from the client. The masked saml.config file is also below, we tried using an ADFS formatted config file and an Azure AD formatted config file. Any help would be appreciated, thank you.
Meta File:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md=“urn:oasis:names:tc:SAML:2.0:metadata” validUntil=“2017-11-18T22:06:04Z” cacheDuration=“PT1511474764S” entityID=“subdomain.mysite.com”>
<md:IDPSSODescriptor WantAuthnRequestsSigned=“true” protocolSupportEnumeration=“urn:oasis:names:tc:SAML:2.0:protocol”>
<md:KeyDescriptor use=“signing”>
<ds:KeyInfo xmlns:ds=“”>http://www.w3.org/2000/09/xmldsig#“>
ds:X509Data
ds:X509Certificate********</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use=“encryption”>
<ds:KeyInfo xmlns:ds=”“>http://www.w3.org/2000/09/xmldsig#”>
ds:X509Data
ds:X509Certificate*</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding=“urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect” Location=“”>https://subdomain.mysite.com/samlsso"/>
md:NameIDFormaturn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:SingleSignOnService Binding=“urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect” Location=“”>https://subdomain.mysite.com/samlsso"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
Saml.config File Attempt 1
<?xml version="1.0"?>
<ServiceProvider Name=“mysite.com”
AssertionConsumerServiceUrl=“~/SAML/AssertionConsumerService.aspx”
LocalCertificateFile=“SAML\clientcertificate.pfx”
LocalCertificatePassword="“/>
<PartnerIdentityProvider Name=“subdomain.mysite.com”
SignAuthnRequest=“true”
SignLogoutRequest=“true”
WantSAMLResponseSigned=“false”
WantAssertionSigned=“true”
WantAssertionEncrypted=“true”
WantLogoutResponseSigned=“false”
UseEmbeddedCertificate=“true”
SingleSignOnServiceBinding=“urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST”
SingleSignOnServiceUrl=”<a href=“https://subdomain.mysite.com/samlsso”“>https://subdomain.mysite.com/samlsso”
SingleLogoutServiceUrl=“”>https://subdomain.mysite.com/samlsso"/>
Saml.config File Attempt 2
<?xml version="1.0"?>
<ServiceProvider Name=“mysite.com”
AssertionConsumerServiceUrl=“~/SAML/AssertionConsumerService.aspx” />
<PartnerIdentityProvider Name=“subdomain.mysite.com”
SignAuthnRequest=“true”
SignLogoutRequest=“true”
WantSAMLResponseSigned=“true”
WantAssertionSigned=“true”
WantAssertionEncrypted=“true”
WantLogoutResponseSigned=“true”
UseEmbeddedCertificate=“true”
SingleSignOnServiceBinding=“urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST”
SingleSignOnServiceUrl=“<a href=“https://subdomain.mysite.com/samlsso””>https://subdomain.mysite.com/samlsso"
SingleLogoutServiceUrl=“<a href=“https://subdomain.mysite.com/samlsso””>https://subdomain.mysite.com/samlsso"
PartnerCertificateFile=“SAML\clientcertificate.cer”
/>
You’ll receive this error if WantAssertionEncrypted is true and the received SAML assertion is not encrypted.
What happens if you set WantAssertionEncrypted to false?
If there’s still an issue, you’re welcome to enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Please mention your forum post as well.
What happens if you set WantAssertionEncrypted to false?
If there's still an issue, you're welcome to enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Please mention your forum post as well.
Thank you for the information, which format should we use if we want WantAssertionEncrypted = true?
File Attempt 1 format or File Attempt 2 format?
Try the first one with a couple of updates.
Normally either the SAML response or SAML assertion is signed but not both.
If you get an error saying the SAML assertion isn’t signed, try setting WantSAMLResponseSigned to true and WantAssertionSigned to false.
Remove UseEmbeddedCertificate as this is only for testing/debugging. You should use the PartnerCertificateFile for signature verification.
Create the partner certificate file by using Notepad etc to copy the base-64 string between the signing tags in the IdP metadata to a .cer file.
The IdP’s single sign-on service supports HTTP-Redirect so you don’t need to specify HTTP-Post.
<PartnerIdentityProvider Name=“subdomain.mysite.com”
SignAuthnRequest=“true”
SignLogoutRequest=“true”
WantSAMLResponseSigned=“false”
WantAssertionSigned=“true”
WantAssertionEncrypted=“false”
WantLogoutResponseSigned=“false”
SingleSignOnServiceUrl=“<a href=“https://subdomain.mysite.com/samlsso” “=”” title=“https://subdomain.mysite.com/samlsso” target=“_blank” style=“margin: 0px; padding: 0px; border: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-weight: 400; font-stretch: inherit; font-size: 13.3333px; line-height: inherit; font-family: Arial; vertical-align: baseline; text-decoration: underline !important; color: rgb(69, 195, 211); letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);”><a href=“https://subdomain.mysite.com/samlsso”“>https://subdomain.mysite.com/samlsso”
SingleLogoutServiceUrl=“”=“” title=“https://subdomain.mysite.com/samlsso” target=“_blank” style=“margin: 0px; padding: 0px; border: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-weight: 400; font-stretch: inherit; font-size: 13.3333px; line-height: inherit; font-family: Arial; vertical-align: baseline; text-decoration: underline !important; color: rgb(69, 195, 211); letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);”><a href=“https://subdomain.mysite.com/samlsso”“>https://subdomain.mysite.com/samlsso”
PartnerCertificateFile=“certificates\mysite.cer”/>
Normally either the SAML response or SAML assertion is signed but not both.
If you get an error saying the SAML assertion isn't signed, try setting WantSAMLResponseSigned to true and WantAssertionSigned to false.
Remove UseEmbeddedCertificate as this is only for testing/debugging. You should use the PartnerCertificateFile for signature verification.
Create the partner certificate file by using Notepad etc to copy the base-64 string between the signing tags in the IdP metadata to a .cer file.
The IdP's single sign-on service supports HTTP-Redirect so you don't need to specify HTTP-Post.
<PartnerIdentityProvider Name="subdomain.mysite.com"
SignAuthnRequest="true"
SignLogoutRequest="true"
WantSAMLResponseSigned="false"
WantAssertionSigned="true"
WantAssertionEncrypted="false"
WantLogoutResponseSigned="false"
SingleSignOnServiceUrl="https://subdomain.mysite.com/samlsso"
SingleLogoutServiceUrl=""="" title="https://subdomain.mysite.com/samlsso" target="_blank" style="margin: 0px; padding: 0px; border: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-weight: 400; font-stretch: inherit; font-size: 13.3333px; line-height: inherit; font-family: Arial; vertical-align: baseline; text-decoration: underline !important; color: rgb(69, 195, 211); letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);">https://subdomain.mysite.com/samlsso"
PartnerCertificateFile="certificates\mysite.cer"/>
Hi ComponentSpace Support,
We would like to have set true on WantAssertionEncrypted for Azure AD IdP.
But when we set it to WantAssertionEncrypted="true", we got the error saying "The SAML assertion isn't encrypted."
Also from the ComponentSpace SAML v2.0 Azure AD Integration Guide, you have not mention anything about how to setup SP certificate for Assertion encryption. And I go to our test Azure AD sso setting, I do not see a place to setup SP certificate for Assertion encryption either.
I have 2 questions
1. Do that mean Azure AD does not support Assertion encryption?
2. For the componentspace saml xml setup, we should always set WantAssertionEncrypted="false" for Azure AD?
Appreciated for your reply.
Thanks.
You should check with Microsoft but I don’t believe Azure AD supports encrypting the SAML assertion.
In many scenarios privacy is ensured by the transport layer security (ie HTTPS) only.
If the IdP doesn’t support SAML encryption you should let the SP configuration default to WantAssertionEncrypted=“false”.
In many scenarios privacy is ensured by the transport layer security (ie HTTPS) only.
If the IdP doesn't support SAML encryption you should let the SP configuration default to WantAssertionEncrypted="false".
Thanks for the quick reply.
I have found how to config Azure AD to do assertion encryption. I am sharing the link. I hope it can benefit the other users.
The link is below.
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption
It does require your Azure AD has premium feature. Otherwise the saml token encryption is not available.
Thanks for the information and sharing the link.