lite-idp

unsupported signature algorithm error

Open last61474 opened this issue 5 years ago • 2 comments

Hi, I am getting an "unsupported signature algorithm" error each time I try to log in via SAML.

This is the URL data:

https://127.0.0.1:9443/SAML2/Redirect/SSO?RelayState=lTWG557ErB0jdoEZGhp7uSOl7Am_zfx-1-qvj69EFPlRnWbS5SdQqKzH&SAMLRequest=nJJPj9MwEMW%2FiuV7Yudfs7U2kcpWiEoLWzWFA7epM6WWErt4JsB%2Be9R2kcolh73a8%2Ba9n%2F0eCcbhbFYTn%2FwOf05ILP6MgydzuWjkFL0JQI6MhxHJsDXd6vOzyVNtgAgju%2BDlneQ8rznHwMGGQYrNupGuTwqEHrLFYlkdy6yoQBe1Lo9F3R%2BXpa3qQ%2FlwqMqitFJ8w0gu%2BEbmqZZiQzThxhOD50bmOtdJppNc7zNtdGWqOl3UxXcp1kjsPPBVeWI%2Bk1Eqy%2BtUpzrNzLIsC3VJl6sd9i6iZdV1L1Ks%2FsE9BU%2FTiLHD%2BMtZ%2FLp7vu0xSg3BwnAKxOZBa60u%2BAosSbF9o%2FzgfO%2F8j%2FknOdyGyHza77fJ9qXby%2Fb6LebKGMXHEEfg%2BSWXE9cnx%2BuoQc%2BOX2U7k3NEhh4YHtWdVftWhy8w4ma9DYOzr%2B%2Bw5wieHHqWYjUM4fdTRGBsJMcJpWpvlv%2BXrv0bAAD%2F%2Fw%3D%3D

This is the decoded SAML request from the above URL:

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-285c3afff17086a4650f9b0b781198e02974d762" Version="2.0" IssueInstant="2020-10-20T10:39:54.184Z" Destination="https://127.0.0.1:9443/SAML2/Redirect/SSO" AssertionConsumerServiceURL="http://localhost:8000/saml/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://localhost:8000/saml/metadata</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-285c3afff17086a4650f9b0b781198e02974d762"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>WNxqn7Bi51VRJiA/RMxVv7eaYkY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>OWViufTSJVmmYkWMS8QgAOgmoJob3CNYoZTCYy+Khwt3oGFqRa3xxzG0k1NZoI257wIHNSrs6Za7gZgLN82CPQSs1+sW09u6FGhbOqYK2TJ0oTLLHs+3YyjqW8s5JCWhKYN1G/h8zAkdkYwnvS2T2DXssD9Cbwz0ZDx1O2TrYtfNfhh+4LZwCainB0K6i38FJZuNAry0cKCFullPMBboNRdPHw0jLoMqYje0I3jVe7fQfTfblfZ6U6eGbzz7rAXaQXFUh8AS+eaEId4YmMO5YkZ0qVRf8zczfyuxCcx/oulUE35ybgVq3o9ZYuMD6h7DJo6q+1iys1HX9YFqCJiSag==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID6zCCAtOgAwIBAgIUQiPqrlxXdGXbuGCs5b8VAUMpAygwDQYJKoZIhvcNAQELBQAwgYQxCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxEjAQBgNVBAcMCXNpbmdhcG9yZTEMMAoGA1UECgwDREJTMQwwCgYDVQQLDANJVFQxEzARBgNVBAMMCm9wLWJhY2tlbmQxHDAaBgkqhkiG9w0BCQEWDW9wZGV2QGRicy5jb20wHhcNMjAwOTA3MDMwMTM0WhcNMjMxMjIxMDMwMTM0WjCBhDELMAkGA1UEBhMCU0cxEjAQBgNVBAgMCXNpbmdhcG9yZTESMBAGA1UEBwwJc2luZ2Fwb3JlMQwwCgYDVQQKDANEQlMxDDAKBgNVBAsMA0lUVDETMBEGA1UEAwwKb3AtYmFja2VuZDEcMBoGCSqGSIb3DQEJARYNb3BkZXZAZGJzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMNAf0/wm0mR19Inl3uwLBB2OBlmDc4W8DoschxdS0FnBDbQFteIJmqsxivylBER9XgN8HICgj7pM2Xd0o93sxSWsd2JdKbLUyBlpC1ElaptgHQYsnncFxlFA6BrWhoSf13KUgpxg+MmtnFhr+5Zab12Yavhm71jcJMsACK1DyWXRxLa+xmODW05e22M6c69m53824sfoQKe/0LA+r1KxeAOtIDTEAzwkdWnw3e9JGcXEE3dzPF2d89dgY2ZTNRYUe3hTyUk6WiIIfcyPivBPqQcZJsMK+jnJ353VhrDkmeVcR193mvVhsW7hit4mwIw+XrCFTSJB+VwSweHQtBaWvECAwEAAaNTMFEwHQYDVR0OBBYEFHlg0nvPdRLB2y9m5NusFtD/wTkdMB8GA1UdIwQYMBaAFHlg0nvPdRLB2y9m5NusFtD/wTkdMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALtuqY85WuIQ96mVtyt5BzYGdEi55WxXxgK8bLweZ/t+JbfjQleoCk/2zRWZ64aax/kBFMe+MJUWe8agZsIR8QBDdiGY9VBjW0iNGlW98qhQmR6NxDJSh7KxvGZ2kLvsAQxp72JZBJL1Lae4WDXzRoyeKuobRzggjQf8QkKKcMqeOLNpEBK6uAb+mgouodiqjgGt+dFgFcX7vC8lAVq2UBJZ0JZempGkAI8ysGy9qosDpEuHdUMpKEqxiRPd+So8gMqdl+ysIk+4xers9fGDOi/0ohttOlMenMAUXiiD7I9Tm1ranioc64pctZsDtewyiMo/QWZvcJfICueW3t5W7vc=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:NameIDPolicy 
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest>

Here is my config.yaml:

artifact-service-path: /SAML2/SOAP/ArtifactResolution
attribute-service-path: /SAML2/SOAP/AttributeQuery
cookie-name: lite-idp-sess
digest-algorithm: http://www.w3.org/2001/04/xmlenc#sha256
ecp-service-path: /SAML2/SOAP/ECP
listen-address: 127.0.0.1:9443
metadata-path: /metadata
redis:
  address: 127.0.0.1:6379
  password: ""
saml-attribute-name-format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
server-name: 127.0.0.1:9443
signature-algorithm: "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
sps:
- entityid: http://localhost:8000/saml/metadata
  assertionconsumerservices:
  - index: 1
    isdefault: false
    binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    location: http://localhost:8000/saml/acs
  certificate: 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
sso-service-path: /SAML2/Redirect/SSO
temp-cache-duration: 5m
tls-ca: idp\ca\ca.crt
tls-certificate: idp\certificate.pem.crt
tls-private-key: idp\mykey.pem
user-cache-duration: 8h
users:
- attributes:
    FirstName:
    - John
    FullName:
    - John Doe
    SurName:
    - Doe
  name: CN=John Doe, OU=lite-idp sample, O=autogenerated, L=the internet
- attributes:
    FirstName:
    - Aaron
    FullName:
    - Aaron Donovan
    SurName:
    - Donovan
  name: amdonov
  password: $2a$10$U41uarKrlduOofvJRC724.7V7RRZOciyC4TZ4UAQUtWuPuKVvByR.

Metadata file from the SP:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-10-22T10:27:56.072Z" entityID="http://localhost:8000/saml/metadata">
  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-10-22T10:27:56.0717049Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>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</X509Certificate>
        </X509Data>
      </KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>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</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8000/saml/slo" ResponseLocation="http://localhost:8000/saml/slo"></SingleLogoutService>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8000/saml/acs" index="1"></AssertionConsumerService>
  </SPSSODescriptor>
</EntityDescriptor>

Any idea on what's causing the problem?

last61474, Oct 20 '20 10:10

Has anybody had any luck with this?

jlewallen, Dec 10 '20 17:12

I'm facing exactly the same problem. For the Service Provider I'm using the https://github.com/crewjam/saml package; the SSL certificates on both sides are from Sectigo, which supports the SSL SHA-256 ECDSA algorithm. I'm sure this is the cause. Like the note says: "ECDSA certificates cannot currently be used for signing". Has ECDSA not been supported until now? https://pkg.go.dev/crypto/ecdsa: is this package able to do the ECDSA signing process? Thanks in advance.

yusrenaltair, Dec 31 '21 16:12
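A diagnostic an IdP operator can run over a decoded AuthnRequest like the one in the issue, added here as an example; it is not part of the thread and not lite-idp's or crewjam/saml's code. It pulls the SignatureMethod and DigestMethod URIs and the embedded X509Certificate out of the request, parses the certificate, and reports which of the three an IdP would reject under an assumed allow-list (RSA keys with rsa-sha1, and the sha1/sha256 digest URIs that appear on this page; lite-idp's real table may differ). main() mints one RSA and one ECDSA self-signed certificate so the case yusrenaltair describes, an rsa-sha1 SignatureMethod paired with an ECDSA certificate, is shown next to the accepted RSA case. Inspect, Report, SampleRequest, SelfSignedCert and the allow-list variables are names introduced here, and the sample request's SignatureValue and DigestValue are placeholders: the code explains a rejection, it does not verify a signature.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// XML Signature algorithm URIs that appear in the issue's AuthnRequest and config.yaml.
const (
	RSASHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
	SHA1    = "http://www.w3.org/2000/09/xmldsig#sha1"
	SHA256  = "http://www.w3.org/2001/04/xmlenc#sha256"
)

// ASSUMED allow-list for illustration only, not lite-idp's real table: RSA keys only (the rule quoted in the last comment).
var signingKeyFor = map[string]x509.PublicKeyAlgorithm{RSASHA1: x509.RSA}
var digestAllowed = map[string]bool{SHA1: true, SHA256: true}

// authnRequest keeps only what the diagnosis needs; tags without a namespace match the local name in any namespace.
type authnRequest struct {
	SignatureMethod struct{ Algorithm string `xml:"Algorithm,attr"` } `xml:"Signature>SignedInfo>SignatureMethod"`
	DigestMethod    struct{ Algorithm string `xml:"Algorithm,attr"` } `xml:"Signature>SignedInfo>Reference>DigestMethod"`
	Certificate     string                                             `xml:"Signature>KeyInfo>X509Data>X509Certificate"`
}

// Report names the first field an IdP using the allow-list above would reject, if any.
type Report struct {
	SignatureMethod, DigestMethod, KeyAlgorithm, Reason string
	Supported                                          bool
}

// Inspect checks the algorithm URIs and the certificate's key type against the allow-list. It does NOT verify the signature.
func Inspect(doc []byte) (Report, error) {
	var req authnRequest
	if err := xml.Unmarshal(doc, &req); err != nil {
		return Report{}, err
	}
	r := Report{SignatureMethod: req.SignatureMethod.Algorithm, DigestMethod: req.DigestMethod.Algorithm}
	der, err := base64.StdEncoding.DecodeString(req.Certificate) // newlines in wrapped base64 are ignored by the decoder
	if err != nil {
		return r, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return r, err
	}
	r.KeyAlgorithm = cert.PublicKeyAlgorithm.String()
	wantKey, known := signingKeyFor[r.SignatureMethod]
	switch {
	case !known:
		r.Reason = "SignatureMethod " + r.SignatureMethod + " is not in the allow-list"
	case cert.PublicKeyAlgorithm != wantKey:
		r.Reason = fmt.Sprintf("%s needs an %s key but the certificate holds an %s key", r.SignatureMethod, wantKey, r.KeyAlgorithm)
	case !digestAllowed[r.DigestMethod]:
		r.Reason = "DigestMethod " + r.DigestMethod + " is not in the allow-list"
	default:
		r.Supported, r.Reason = true, "signature method, digest method and key type are all accepted"
	}
	return r, nil
}

// SelfSignedCert mints a throwaway certificate so the sample can carry either an RSA or an ECDSA key.
func SelfSignedCert(priv crypto.Signer) (string, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// SampleRequest is a constructed AuthnRequest with the same Signature layout as the one in the issue;
// SignatureValue and DigestValue are placeholders because Inspect never verifies them.
func SampleRequest(sigMethod, digestMethod, certB64 string) []byte {
	return []byte(`<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-constructed" Version="2.0">` +
		`<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:SignatureMethod Algorithm="` + sigMethod +
		`"/><ds:Reference URI="#id-constructed"><ds:DigestMethod Algorithm="` + digestMethod + `"/><ds:DigestValue>AA==</ds:DigestValue>` +
		`</ds:Reference></ds:SignedInfo><ds:SignatureValue>AA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` +
		certB64 + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:AuthnRequest>`)
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	for _, key := range []crypto.Signer{rsaKey, ecKey} {
		certB64, _ := SelfSignedCert(key)
		r, _ := Inspect(SampleRequest(RSASHA1, SHA1, certB64))
		fmt.Printf("%-5s key, rsa-sha1/sha1: supported=%t (%s)\n", r.KeyAlgorithm, r.Supported, r.Reason)
	}
}
```

To run it against a real request, pass the decoded XML (the SAMLRequest parameter is URL-decoded, base64-decoded and inflated first) to Inspect instead of SampleRequest; the Report then says whether the rejection comes from the SignatureMethod URI, the DigestMethod URI or a key type the signature method cannot use, which is more than the bare "unsupported signature algorithm" message tells you. Widen the two allow-list maps to match whatever the IdP actually accepts before trusting the verdict.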