Hello,

Thanks Aleksey and Timothy for helping.

The issue was that I had used a simple key pair instead of a (self-)signed 
certificate. I should have thought about it before.

Those two questions, specifying X509, put me on track:


> On 3 Jul 2022, at 02:54, Aleksey Sanin <[email protected]> wrote:
> 
> BTW, did you submit the trusted IdP X509 certificate to the samltool?
> 
> https://www.samltool.com/validate_response.php




> On 3 Jul 2022, at 04:09, Timothy Legge <[email protected]> wrote:
> 
> I tested against perl's XML::Sig and that was the result.
> It is likely possible to validate if I had the public certificate in
> PEM format (not the public key itself).
> 
> https://www.samltool.com/validate_response.php requires the public
> certificate to validate against.




For the record, and to help other users, here are answers to the other parts of 
your messages:

> On Jul 2, 2022, at 8:43 PM, Aleksey Sanin <[email protected]> wrote:
> 
> What error(s) do you get from these tools?


From samltest I get this:

2022-07-02 23:07:56 DEBUG OpenSAML.MessageDecoder.SAML2 [73237] [default]: extracting issuer from SAML 2.0 protocol message
2022-07-02 23:07:56 DEBUG OpenSAML.MessageDecoder.SAML2 [73237] [default]: message from (http://127.0.0.1:8080/saml/sso)
2022-07-02 23:07:56 DEBUG OpenSAML.MessageDecoder.SAML2 [73237] [default]: searching metadata for message issuer...
2022-07-02 23:07:56 DEBUG OpenSAML.MessageDecoder.SAML2 [73237] [default]: recovered request/response correlation value (_282e31dacdbbdd363615c3fe8a207991)
2022-07-02 23:07:56 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [73237] [default]: evaluating message flow policy (correlation off, replay checking on, expiration 60)
2022-07-02 23:07:56 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [73237] [default]: ignoring InResponseTo, correlation checking is disabled
2022-07-02 23:07:56 DEBUG XMLTooling.StorageService [73237] [default]: inserted record (_D6906242-34B2-4441-8467-63FDB8D11EA5) in context (MessageFlow) with expiration (1656803511)
2022-07-02 23:07:56 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [73237] [default]: validating signature profile
2022-07-02 23:07:56 WARN OpenSAML.SecurityPolicyRule.XMLSigning [73237] [default]: unable to verify message signature with supplied trust engine
2022-07-02 23:07:56 WARN Shibboleth.SSO.SAML2 [73237] [default]: error processing incoming assertion: Message was signed, but signature could not be verified.

And from samltool:

Response signature validation failed.


> On 3 Jul 2022, at 02:54, Aleksey Sanin <[email protected]> wrote:
> 
> You also probably want to put KeyInfo with X509 cert (or full certs chain) 
> for the private key used for signing into the signature itself.


&

> On 3 Jul 2022, at 04:09, Timothy Legge <[email protected]> wrote:
> 
> The SamlResponse does not include a key type or KeyInfo in the
> document.



Regarding the KeyInfo part, it's optional in SAML; we are supposed to provide 
this public key by another method before the first use, usually with a metadata 
exchange between SP and IdP that happens over HTTPS.

The signature key doesn't have to be signed by an authority in SAML because of 
that point. The metadata exchange happens over a valid HTTPS stream, which then 
gives the trust to the keys.

But as I learned today, they have to be actual certificates, not just public 
keys, even if self-signed.

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
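The fix described in this thread (a self-signed X.509 certificate instead of a bare public key, so that tools like samltool, XML::Sig and a Shibboleth trust engine have something to match the signature against), shown as an added example that is not part of the thread or of the xmlsec project. It uses only the openssl CLI; the directory layout, the CN `idp.example.test` and the helper names are assumptions for illustration. The `pem_kind` / `require_certificate` check is the one a practitioner wants before uploading a "public key" to a SAML verifier, and `key_descriptor` emits the metadata fragment that carries the certificate to the SP:

```shell
#!/bin/sh
# Added example (not from the thread): make SAML signing material with a
# self-signed certificate, tell a certificate apart from a bare public key,
# and emit the base64 DER that goes inside <ds:X509Certificate>.
# Assumed for illustration: the file names key.pem/pubkey.pem/cert.pem and
# the subject CN passed by the caller.
set -eu

# pem_kind FILE: report what the first PEM block in FILE holds.
# "public-key" is exactly the case samltool / XML::Sig could not verify with.
pem_kind() {
    hdr=$(grep '^-----BEGIN ' "$1" | head -n 1)
    case "$hdr" in
        '-----BEGIN CERTIFICATE-----')
            echo certificate ;;
        '-----BEGIN PUBLIC KEY-----'|'-----BEGIN RSA PUBLIC KEY-----')
            echo public-key ;;
        '-----BEGIN PRIVATE KEY-----'|'-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
            echo private-key ;;
        *)
            echo unknown ;;
    esac
}

# make_signing_material DIR CN: private key, the bare public key (the thing
# that was NOT enough), and a self-signed certificate for the same key.
make_signing_material() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    openssl pkey -in "$dir/key.pem" -pubout -out "$dir/pubkey.pem"
    openssl req -new -x509 -key "$dir/key.pem" -out "$dir/cert.pem" \
        -days 365 -subj "/CN=$cn" 2>/dev/null
}

# cert_matches_key CERT KEY: succeed iff CERT carries KEY's public key,
# i.e. the certificate really belongs to the key used for signing.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ "$a" = "$b" ]
}

# x509_b64 CERT: the DER certificate, base64 on one line, which is the
# text content of <ds:X509Certificate> in metadata or in a KeyInfo.
x509_b64() {
    openssl x509 -in "$1" -outform DER | openssl base64 -A
}

# key_descriptor CERT: the metadata KeyDescriptor an IdP publishes so the
# SP learns the signing certificate out of band (over HTTPS), as the
# message above describes.
key_descriptor() {
    printf '<md:KeyDescriptor use="signing">\n'
    printf '  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
    printf '    <ds:X509Data>\n'
    printf '      <ds:X509Certificate>%s</ds:X509Certificate>\n' "$(x509_b64 "$1")"
    printf '    </ds:X509Data>\n'
    printf '  </ds:KeyInfo>\n'
    printf '</md:KeyDescriptor>\n'
}

# require_certificate FILE: the pre-flight check before handing FILE to a
# verifier that wants a certificate; fails loudly on a bare key.
require_certificate() {
    kind=$(pem_kind "$1")
    if [ "$kind" != certificate ]; then
        echo "$1: expected an X.509 certificate, got $kind" >&2
        return 1
    fi
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_signing_material "$work" idp.example.test
echo "cert.pem   -> $(pem_kind "$work/cert.pem")"
echo "pubkey.pem -> $(pem_kind "$work/pubkey.pem")"
cert_matches_key "$work/cert.pem" "$work/key.pem" && echo "certificate matches signing key"
key_descriptor "$work/cert.pem"
rm -rf "$work"
```

With the certificate in hand, the xmlsec1 CLI can both embed it and trust it: `xmlsec1 --sign --privkey-pem key.pem,cert.pem ...` loads the key together with the certificate so the signature's KeyInfo carries an X509Data block, and `xmlsec1 --verify --trusted-pem cert.pem ...` verifies against it; cert.pem is also the file samltool asks for.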
