-
-
Notifications
You must be signed in to change notification settings - Fork 308
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Signature validation failing #284
Comments
validate_signature_from_qs is something to review on redirect binding, I guess you are using HTTP-POST binding for procesing the SAMLResponse at the ACS endpoint. Can you try if this tool validates the Signature properly? |
Hi Sixto, Thanks for getting back to me. Yep that site, giving it the same entity-id's, target url and key that im using in the settings.json, says that the SAML respose is valid |
Is strange that it only fails on python3-saml. Just for testing/debug.... are you able to temporarily switch from python3-saml to python-saml (if you are using py2) and see if it also fails there? |
Hi, it took a while to get the python2 environment working but in the end yes the demo django app in python-saml does work without errors and I get shown the attrs page after login. No mention of failure to validate. |
Hello, Any update on this ? I am getting same issue. If I use python3-saml , I get Unable to verify the signature python-saml works ok. |
@rmalik2018 were you able to solve the issue? |
Still have got the issue unfortunately. Thanks for following it up. |
Do you use python3-saml/src/onelogin/saml2/response.py Lines 710 to 717 in 96ad99e
|
I will have to fork the lib for our purposes since we must support sha-1 still :(, so I also take the chance to raise this question, is the deny really needed? or at least can we add a bypass, I would like to upstream changes I may have to make. |
Worth noting I'm using encryption with no signatures |
Hi,
I'm having trouble verifying a SAML response assertion with the demo code and getting "Signature validation failed. SAML Response rejected" after I sign into SSO.
I've extracted the xml by adding some debugging into the app and can verify the assertion with xmlsec1:
I've the same "idp" {"x509cert":...} in the settings.
The verification seems to fail at dsig_ctx.verify() in utils.validate_node_sign, but checking some debug output there seems to show that the right cert and signature_node are being used so I'm at a loss how to debug this further.
The docs mention trying to set validate_signature_from_qs and providing a query string, but I'm not familiar enough with SAML to know what such a query string should look like.
I'd rather not post the response and certs here, but can email them if someon can help.
Thanks.
The text was updated successfully, but these errors were encountered: