-
-
Notifications
You must be signed in to change notification settings - Fork 308
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Signature validation failed. SAML Response rejected #282
Comments
Signature validation is always required, otherwise, anyone could craft it own SAMLResponse and access your system.
Maybe you are registering the wrong x509cert. Makes sure the value you provide to the settings matches the public cert used by the IdP. You could use a browser extension named SAML Tracer (firefox | chrome) in order to record the SAML flow and later inspect it. Check the Signature value.. and check the value of X509Certificate that is the one that must be registereed on php-saml settings.
|
I'm hitting a similar issue against Azure AD with logout (slo) requests. I'm using HTTP GET to process the SLO. I'm using python3.10 and version 1.14.0 of python3-saml. I am successfully validating saml login requests with the same cert. Ultimately This is my code (I'm using django):
Which prints out "SLO failed, error: invalid_logout_response_signature, Signature validation failed. Logout Response rejected" My
And my
Is there anything obviously wrong with my setup? Could anyone verify that the SLO works against Azure AD with a similar configuration? |
Is possible that more than 1 certificate is registered at AzureAD and during the SLO a different x509cert/private key pair was used than the one registered? Also try to play with the setting: lowercase_urlencoding |
ran into the same issue as gardarh today: logout request with a django web app, using MS Entra ID (previously Azure AD). Setting Thank you @pitbulk |
Hi,
I use the flask demo and cannot get the signature validation to work.
As far as I know the place to put the IdP Certificate is in the settings-json under idp/x509cert.
I tried to set x509cert to the Base64-encoded certificate string (one-liner) as well as to a file path to the base64-encoded certificate itself. Restarted the demo-server every time. I still get the same error every time.
I left it blank, too, in hope to just omit the validation. But still the same error.
The text was updated successfully, but these errors were encountered: