Hi,

The SAML Response generated by the CAS IdP is rejected on the SP side 
(SimpleSAMLphp) with the error "Unable to validate Signature". 

I already have a running CAS 3.5.2 deployment integrated with an external 
Shibboleth IdP, and I am now trying to integrate the new CAS 5.3.5 version 
using the CAS IdP.

Below are the SAML Responses generated by the IdP in both cases: CAS 5.3.5, and CAS 
3.5.2 with the external Shibboleth IdP.

*SAML Response - CAS 5.3.5*

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
    
Destination="https://localhost:9443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp";
    ID="_5811688302419932870"
    InResponseTo="_2eaf2e28b5216f16033c9426d54214ab6388f7e81f"
    IssueInstant="2018-11-29T21:01:43.318Z" Version="2.0" 
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8443/idp</saml2:Issuer>
    <ds:Signature
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:SignedInfo>
<ds:CanonicalizationMethod
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
                
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference
                        URI="#_5811688302419932870">
<ds:Transforms>
<ds:Transform
                        
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>b7YffVN2OeWjVJwE+M7Ubu8Y8yuT7AJH0UyZCbSfifY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
O9KIQejb18K/ME5x0sVfa3vuSJfPDxz5kDLWo6afmWip4LZzA3YNJf7v4e3Fb+9myw1aEPC3XP3b&#xd;
As0WFTeVIzB2zzM7k7PxKQFpZyZ4sWR2gYcpj85AobJVYIJA9uv2CfTPaERE9w5hfU4Pkc/bJ4cb&#xd;
41oHsm6hLVRPZj1Tq68=
</ds:SignatureValue>
<ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>***** DELETED *****</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode 
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:EncryptedAssertion 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Id="_820da790be35c89c155513777cd62a67"
            Type="http://www.w3.org/2001/04/xmlenc#Element"; 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
            <xenc:EncryptionMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"; 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
                <ds:RetrievalMethod
                    Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"; 
URI="#_a624d6692b8ac5cf1b149f831bd1aee4"/>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
                <xenc:CipherValue>***** DELETED *****</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
        <xenc:EncryptedKey Id="_a624d6692b8ac5cf1b149f831bd1aee4"
            
Recipient="https://localhost:9443/simplesaml/module.php/saml/sp/metadata.php/default-sp";
 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
            <xenc:EncryptionMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"; 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
                <ds:DigestMethod
                    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            </xenc:EncryptionMethod>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
                <xenc:CipherValue>***** DELETED *****</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
                <xenc:DataReference 
URI="#_820da790be35c89c155513777cd62a67"/>
            </xenc:ReferenceList>
        </xenc:EncryptedKey>
    </saml2:EncryptedAssertion>
</saml2p:Response>

*SAML Response - CAS 3.5.2 with external Shibboleth IdP*

<saml2p:Response Destination="https://localhost/Shibboleth.sso/SAML2/POST";
    ID="_2d92ed1015600c258406df9be22f95be" 
InResponseTo="_3c79c509762462fa063e035b4ac9b6fa"
    IssueInstant="2018-11-29T15:41:52.149Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost/idp/shibboleth</saml2:Issuer>
    <saml2p:Status><saml2p:StatusCode 
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
    <saml2:EncryptedAssertion 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Id="_6d71ffd770ca214f19d05dd34c179bf7"
            Type="http://www.w3.org/2001/04/xmlenc#Element"; 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";><xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc";
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
                <xenc:EncryptedKey Id="_2062d09a80fbd4810e9e733fa0132d9f"
                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
                    <xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
                        
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";><ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";
                        
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>**** DELETED ****
</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
                        <xenc:CipherValue>**** DELETED ****
</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
                <xenc:CipherValue>**** DELETED ****</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

And the following is my SP service registry entry:

*{*
*  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",*
*  "serviceId" : 
"https://localhost:9443/simplesaml/module.php/saml/sp/metadata.php/default-sp",*
*  "name" : "SAMLService",*
*  "id" : 10000003,*
*  "evaluationOrder" : 10,*
*  "metadataLocation" : "mylocation/metadata/testsp_metadata.xml",*
*  "signAssertions": false,*
*  "signResponses": true,*
*  "encryptAssertions": true*
*}*

Can anyone please help me find out what the issue is in my 
configuration?


TIA
Jitendra

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG