Signature validation failed. Everything seems right, though. #166
#define XMLSEC_ERRORS_R_KEY_NOT_FOUND 45 |
Try to use xmlsec directly:
or
Also check if https://www.samltool.com/validate_response.php is able to validate your response. |
@pitbulk thanks a lot for the reply. Both xmlsec and samltool's have successfully validated the XML using that cert. I'm using:
Just really confused |
It should be some issue with the lxml and libxmlsec lib. I need to spend time and investigate but right now kinda busy with other issues on the other toolkits. |
@pitbulk this is really weird. I don't know enough about python to understand what's going on. If I simplify the example, it fails with the same error. But, once I comment out the

```python
from __future__ import print_function

from defusedxml.lxml import tostring, fromstring
from os.path import basename, dirname, join
# !!!!!!!!!!!!!!!!!!!!
# Uncomment this line and it fails
# !!!!!!!!!!!!!!!!!!!!
#from defusedxml.minidom import parseString
import dm.xmlsec.binding as xmlsec

xml = """<insert xml>"""
pem = """-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----"""


def print_xmlsec_errors(filename, line, func, error_object, error_subject, reason, msg):
    """
    Auxiliary method. It overrides the default xmlsec debug message.
    """
    info = []
    if error_object != "unknown":
        info.append("obj=" + error_object)
    if error_subject != "unknown":
        info.append("subject=" + error_subject)
    if msg.strip():
        info.append("msg=" + msg)
    if reason != 1:
        info.append("errno=%d" % reason)
    if info:
        print("xmlsec1 -- %s:%d(%s)" % (filename, line, func), " ".join(info))


def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False):
    try:
        xmlsec.initialize()
        xmlsec.set_error_callback(print_xmlsec_errors)
        # Register the ID attribute so the Reference URI "#..." can be resolved
        xmlsec.addIDs(elem, ["ID"])
        print("--- Signature Node ---")
        print(tostring(signature_node))
        print("+++ Signature Node +++")
        #file_name = "/Users/fingermark/cacert.pem"
        dsig_ctx = xmlsec.DSigCtx()
        #signKey = xmlsec.Key.load(file_name, xmlsec.KeyDataFormatCertPem, None)
        # Load the IdP certificate from the PEM string instead of from a file
        signKey = xmlsec.Key.loadMemory(pem, xmlsec.KeyDataFormatCertPem)
        #signKey.name = basename(file_name)
        dsig_ctx.signKey = signKey
        print("signKey.name: %s" % signKey.name)
        # Restrict the key data types accepted from KeyInfo to X509 data
        dsig_ctx.setEnabledKeyData([xmlsec.KeyDataX509])
        dsig_ctx.verify(signature_node)
        print("verified")
        return True
    except Exception as err:
        print("Node verification error:")
        print(err.__str__())
        return False


if __name__ == "__main__":
    elem = fromstring(xml)
    node = elem.find(".//{%s}Signature" % xmlsec.DSigNs)
    print(validate_node_sign(node, elem))
```
|
That's really weird. |
Yeah, the same code works on my linux server. And
|
have you tried python3-saml? It does not use defusedxml |
Hi. I'm having a similar issue with trying to set up python-saml (also tried python3-saml) to work with ADFS 2.0 and no matter what I try I can't seem to get past the Signature Validation Failed. The assertion is coming back as auth successful, but python-saml refuses to accept the x509 cert (or fingerprint) for the response. Does the system work with self-signed certs? I've tried the validation tools online and the returned document is valid. I think I've tried everything, but I'm not convinced that I'm not doing something boneheaded. Should I create another issue thread or can I contact you directly so as not to spam the list? Thanks! |
python-saml works with self-signed certs. Have you tried what @fingermark suggested? Replacing
by
If you want, mail directly to me the base64 encoded SAMLResponse message, so I will be able to debug and see what is happening. |
Thanks for the help. I know you must be super busy.
-R
<samlp:Response ID="_37ca4253-00ad-453a-b128-ad7db0d0776c" Version="2.0" IssueInstant="2016-11-29T16:00:24.735Z" Destination="https://mascot.arbitraria.org/?acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_0f066a9a228df19be13582dd8a1fc2018f47286f" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://winsrv.arbitraria.org/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="_3b88cb5e-789e-46e5-bc92-6bad8bb4116a" IssueInstant="2016-11-29T16:00:24.735Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>http://winsrv.arbitraria.org/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><ds:Reference URI="#_3b88cb5e-789e-46e5-bc92-6bad8bb4116a"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><ds:DigestValue>qH6sxK7pMoZGD9upzm2gV6OFppQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>BctpKq3gr7FKe0+TzRageR4xDwsjqIuapopyavLS9zsbEXYEuki3KngvWBDy6wRzMDn5MdMTVWdeQY4CcNaZ7O98CfUTKWd944K9PMXxhyU5JwyXB/S5a/Shsy7hW61JXJl8XzWaeNAUhHYLPsBPYBkyQfbylR3XEX0or4d3rL1PX/W0Dk+tifginJHjkUjlTOr7it/7jff1yIHdWJLbH5icoYx0YPgJC8VUp3USaJsTKVxe/hBPFqbKVhk5f6chMALZ5/axm+PCaZHBK3xTwjwuKLCcEBll1qT4y+jnwTpxlIAAAANhsuC67Yh7ByAZiHwB0W6nSQiyYOEmclFgDg==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><Subject><NameID 
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ARBITRARIA\roberhr</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="ONELOGIN_0f066a9a228df19be13582dd8a1fc2018f47286f" NotOnOrAfter="2016-11-29T16:05:24.735Z" Recipient="https://mascot.arbitraria.org/?acs" /></SubjectConfirmation></Subject><Conditions NotBefore="2016-11-29T16:00:24.735Z" NotOnOrAfter="2016-11-29T17:00:24.735Z"><AudienceRestriction><Audience>urn:mascot:arbitraria.org</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="groups"><AttributeValue>AWS-12345-Admin</AttributeValue><AttributeValue>AWS</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2016-11-29T16:00:24.672Z" SessionIndex="_3b88cb5e-789e-46e5-bc92-6bad8bb4116a"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
… On Nov 29, 2016, at 10:56 AM, Sixto Martin ***@***.***> wrote:
python-saml works with self-signed certs.
If you want, mail directly to me the base64 SAMLResponse message, so I will be able to debug and see what happening.
|
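The structural checks that come before the cryptographic step, as an added illustration (not python-saml or xmlsec code): it parses a response laid out like the ADFS one above, with a constructed placeholder in X509Certificate, confirms the ds:Reference URI resolves to an ID attribute (what `xmlsec.addIDs(elem, ["ID"])` makes resolvable in the script further up), that the signature is enveloped in the element it references, that the transforms are the enveloped-signature plus exc-c14n pair the response declares, and compares the SHA-1 fingerprint of the embedded certificate with the one configured on the SP side. `precheck`, `fingerprint` and `fingerprint_matches` are names chosen here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed sample: the layout of the ADFS response in this thread, with a
# placeholder payload in X509Certificate (not real DER) so it runs offline.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp">
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"><Issuer>idp</Issuer>
<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#_a1"><ds:Transforms>
<ds:Transform Algorithm="{ENVELOPED}"/><ds:Transform Algorithm="{EXC_C14N}"/>
</ds:Transforms></ds:Reference></ds:SignedInfo><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature></Assertion></samlp:Response>"""


def precheck(xml_text):
    """Structural checks xmlsec performs silently before reporting only a
    generic 'signature validation failed'. Returns a dict of findings."""
    root = ET.fromstring(xml_text)
    # Every element carrying an ID attribute, by value (what addIDs registers)
    ids = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    sig = root.find(f".//{{{DS}}}Signature")
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    uri = ref.get("URI", "")
    target = ids.get(uri[1:]) if uri.startswith("#") else None
    transforms = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
    cert_b64 = sig.findtext(f".//{{{DS}}}X509Certificate")
    return {
        "reference_resolves": target is not None,
        # An enveloped signature must sit directly inside the element it signs
        "enveloped_in_target": target is not None and any(c is sig for c in target),
        "transforms_ok": transforms == [ENVELOPED, EXC_C14N],
        "cert_fingerprint": fingerprint(cert_b64, "sha1") if cert_b64 else None,
    }


def fingerprint(cert_b64, alg="sha1"):
    """Hex digest over the DER bytes, the form a configured fingerprint is compared to."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.new(alg, der).hexdigest()


def fingerprint_matches(findings, configured_cert_b64, alg="sha1"):
    """True when the embedded certificate is the one the SP was configured with."""
    return findings["cert_fingerprint"] == fingerprint(configured_cert_b64, alg)
```

A dangling Reference URI or a swapped transform shows up here as a named finding instead of the generic error the thread is chasing.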
@rmharris157 can you provide the base64 encoded version rather than in plain text? |
Sorry, misread that. FWIW, I was using base64.b64decode() so hopefully that part was ok.
-R
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
… On Nov 29, 2016, at 11:04 AM, Sixto Martin ***@***.***> wrote:
@rmharris157 <https://github.com/rmharris157> can you provide the base64 encoded version rather than in plain text?
(I want the original SAMLResponse, to avoid any possible issue of copy&pasting)
|
Hi @rmharris157 sorry for the delay. I was able to validate your response directly using the following test:
I also tested validating the whole response, and it worked:
I will keep investigating, but the toolkit is able to validate that response |
Same issue. Raw response: SAML decoded response: |
In saml2/response.py
an exception is raised from this if condition. |
I'm having the same issue described here.
https://www.samltool.com/validate_response.php also validates just fine. In utils.py, if I comment out
Signature validation still fails...
Python: 2.7.10
|
@travelton I'm having the same issue here on OSX. Ever found a workaround? |
@edufelipe Nope. I set up a free micro AWS Linux server for testing. |
@travelton I did! All I had to do was update libxmlsec1 to version 1.2.4. It automatically started working on Mac :) |
I've got the same issue.
/onelogin/saml2/utils.py:
Libs: python-saml v.2.2.3 and libxmlsec1 v.1.2.20 (installed with brew). BUT signature validation (same project with the same settings, no changes) works well on Ubuntu. |
@chelexey: brew installs a broken version of libxmlsec1. You have to manually update it to version 1.2.4 and everything starts working as expected :) |
@edufelipe Do you mean I have to downgrade with brew? Can you share the solution how you did that (it seems there is no packages except of 1.2.20)? Thanks in advance. |
I've fixed an issue with
Prepare environment:
Install
And that's all. |
I know this is a dead thread, but for anyone who does see an error on a Python 2.7 environment with python-saml, to overcome it you can try this
Specifically this occurs on Python 2.7 CentOS 7 x86_64 with error
Relates to #30 |
After adding a prefix in the SAML XML doc I am getting a signature validation failed error |
I upgraded to macOS the other day and revisited an old project. I now get "Signature validation failed." I tried upgrading to the 2.2.0 release, but get the same thing. Do you all see anything wrong with this?
All values printed from variables defined in validate_node_sign
Cert
validatecert
signature_node
Node verification error:
Signature validation failed. SAML Response rejected