The SAML response isn't signed

Receiving the following error: “The SAML response isn’t signed” although the flag is set, and cert is in place. Thoughts?

<PartnerIdentityProvider Name="websso.companyABC.com.saml2"
SignAuthnRequest="false"
WantSAMLResponseSigned="false"
WantAssertionSigned="true"
WantAssertionEncrypted="false"
SingleSignOnServiceUrl="websso.companyABC.com.saml2"
SingleLogoutServiceUrl="websso.companyABC.com.saml2"
DisableAudienceRestrictionCheck="true"

The error “The SAML response isn’t signed” occurs if WantSAMLResponseSigned="true" and the SAML response doesn’t include an XML signature.
In your configuration you have WantSAMLResponseSigned="false" and WantAssertionSigned="true". This means that it’s expected that the SAML assertion will be signed rather than the SAML response.
I would like to see the SAML response you are receiving.
Could you please enable SAML trace and send me the generated log file as an email attachment to support@componentspace.com? Please mention this post.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

My fault when I pasted the original. That flag is set to true and fails; I copied the current setting, which is false, so the SSO works temporarily.

This is the configuration that causes the error: “The SAML response isn’t signed”.

<PartnerIdentityProvider Name="websso.companyABC.com.saml2"
SignAuthnRequest="false"
WantSAMLResponseSigned="true"
WantAssertionSigned="true"
WantAssertionEncrypted="false"
SingleSignOnServiceUrl="websso.companyABC.com.saml2"
SingleLogoutServiceUrl="websso.companyABC.com.saml2"
CertificateFile="idp.cer"/>
We want to sign the response using the provided cert from the client while they use our cert to sign the assertion. If I set the WantSAMLResponseSigned="false" then it works. I had the client resend the cert which we renamed to idp.cer. I would expect this to work, however it’s generating the error noted above. Any thoughts as to why it would not use the cer file?

Your configuration expects the SAML response from the partner identity provider to be signed. It will use the idp.cer certificate to verify the signature if present.
Please note that there's a difference between signing the SAML response and signing the SAML assertion. The SAML response includes the SAML assertion. Either the entire SAML response, which includes the SAML assertion, may be signed or just the SAML assertion may be signed.
If just the SAML assertion is signed then you need to set WantSAMLResponseSigned to false and WantAssertionSigned to true.
That means in your current configuration set WantSAMLResponseSigned to false and leave WantAssertionSigned set to true.
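
The distinction in the answer above can be checked against a captured SAML response before touching the configuration. This is an added example, not part of the original thread and not ComponentSpace code: the function names and the sample message are constructed for illustration, and the script only reports where signatures sit, it does not verify them.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signed_over_self(element):
    """True if a ds:Signature is a direct child and its Reference URI
    points at this element's own ID (the enveloped form SAML uses)."""
    sig = element.find("ds:Signature", NS)          # direct children only
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    element_id = element.get("ID")
    return ref is not None and bool(element_id) and ref.get("URI") == "#" + element_id

def describe_signing(response_xml):
    """Map what the partner actually signs onto the two flags from the thread."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    flags = {
        "WantSAMLResponseSigned": signed_over_self(root),
        # Every assertion must be signed for this flag to be safely true.
        "WantAssertionSigned": bool(assertions) and all(signed_over_self(a) for a in assertions),
    }
    # If both come out False the message is unauthenticated: the fix is on
    # the identity provider side, not setting both flags to false.
    return flags

# Constructed sample: only the assertion carries a signature, as in the thread.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(describe_signing(SAMPLE))
```
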

Hi Team,

I’m trying to utilise OneLogin in ComponentSpace, but I’m encountering an error on the “AssertionConsumerService” page. For your information, I’ve pasted the SAML configuration below. Tell me how to download the certificate if this is a certificate error so I can prevent it. I am using sample code downloaded from your site https://www.componentspace.com/saml-for-asp-net

<PartnerIdentityProvider
Name="xyx"
Description="OneLogin"
SingleSignOnServiceUrl="xyz"
SingleLogoutServiceUrl="xyz">







[SAMLSignatureException: The SAML assertion signature failed to verify.]

The OneLogin certificate is included in the SAML metadata that may be downloaded through the OneLogin admin console. The SAML metadata includes the certificate as a base-64 encoded string.

Alternatively, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

We can confirm that the issue is the wrong certificate and retrieve the certificate embedded in the signature.

[quote]
ComponentSpace - 10/11/2023
The OneLogin certificate is included in the SAML metadata that may be downloaded through the OneLogin admin console. The SAML metadata includes the certificate as a base-64 encoded string.

Alternatively, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

We can confirm that the issue is the wrong certificate and retrieve the certificate embedded in the signature.
[/quote]

When I download the certificate from OneLogin, I get the extension .pem. How do I embed the .pem in this code?

Thanks!

Typically .PEM files are the same as .CER files.

Can you open the .PEM file in a text editor? Does it contain a base-64 encoded string?

If so, use the .PEM the same as you would a .CER. In your SAML configuration, replace with a reference to the .PEM file.
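
A quick way to check both points raised in these replies (that a .PEM and a .CER carry the same certificate bytes, and whether the configured certificate is the one embedded in the signature) is to compare fingerprints. This is an added example, not part of the original thread and not ComponentSpace code: the function names are hypothetical and the "certificate" bytes and SAML message are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_bytes(file_content: bytes) -> bytes:
    """Return DER bytes from a .pem/.cer file: PEM-armoured, bare base-64, or binary DER."""
    try:
        text = file_content.decode("ascii")
    except UnicodeDecodeError:
        return file_content                      # binary DER .cer
    match = PEM_RE.search(text)
    body = match.group(1) if match else text     # bare base-64 has no armour lines
    return base64.b64decode("".join(body.split()), validate=True)

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def embedded_fingerprints(saml_xml: str) -> list:
    """SHA-256 fingerprints of every ds:X509Certificate carried in the message."""
    root = ET.fromstring(saml_xml)
    return [fingerprint(base64.b64decode("".join(e.text.split())))
            for e in root.iter(DS + "X509Certificate") if e.text]

def configured_cert_matches(file_content: bytes, saml_xml: str) -> bool:
    return fingerprint(cert_bytes(file_content)) in embedded_fingerprints(saml_xml)

# Constructed placeholder bytes standing in for a DER certificate (not a real one).
FAKE_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder, not a real certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:KeyInfo><ds:X509Data>'
    "<ds:X509Certificate>" + base64.b64encode(FAKE_DER).decode() + "</ds:X509Certificate>"
    "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>")

if __name__ == "__main__":
    print("configured certificate matches embedded one:",
          configured_cert_matches(SAMPLE_PEM, SAMPLE_RESPONSE))
```

The embedded certificate is useful only for diagnosing a mismatch; the certificate used for verification should still be the one obtained from the identity provider out of band, not one taken from the message.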

[quote]
ComponentSpace - 10/11/2023
Typically .PEM files are the same as .CER files.

Can you open the .PEM file in a text editor? Does it contain a base-64 encoded string?

If so, use the .PEM the same as you would a .CER. In your SAML configuration, replace with a reference to the .PEM file.
[/quote]

Thanks. The certificate is imported, but now I am getting the error below.

While logging out from the application I am getting the error below. I am also giving my SAML.Config. Please let me know what changes I need to make for this issue.

"The logout response isn't signed."


<ServiceProvider
Name="https://localhost:44338"
Description="Example Service Provider"

AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx">






<PartnerIdentityProvider
Name="XYZ"
Description="OneLogin"
SignAuthnRequest="false"
WantSAMLResponseSigned="false"
WantAssertionSigned="true"
WantAssertionEncrypted="false"
SingleSignOnServiceUrl="XYZ"
SingleLogoutServiceUrl="XYZ"
SignLogoutRequest="true"
SignLogoutResponse="true" >






If the SAML logout messages aren’t signed, set WantLogoutRequestSigned and WantLogoutResponseSigned to false.

<PartnerIdentityProvider
WantLogoutRequestSigned="false"
WantLogoutResponseSigned="false"