cannot validate signature on Response: Could not verify certificate against trusted certs
Hi, I am using version v0.4.5. I got redirected to /saml/acs, where my request returns a forbidden code, and this error happens intermittently. Below are the IDP metadata and the IDP response.
Based on the call stack below, the root certs come from the IDP metadata and the cert in the response is matched against them, so I compared the certs; they match, so it should NOT throw an error.
https://github.com/crewjam/saml/blob/v0.4.5/service_provider.go#L817
https://github.com/crewjam/saml/blob/v0.4.5/service_provider.go#L897
https://github.com/russellhaering/goxmldsig/blob/3541f5e554eefd0d2ef501e27544650d62bf5d22/validate.go#L460
Not sure if it's the same as #167. @gourlaa, could you please advise?
@crewjam, I'd appreciate it if you can take a look. The issue disappears after restarting the app, but it comes back once in a while.
IDP metadata
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://sso.xxx.com/saml-idp/xxx/metadata/">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>C1</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>C1</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.xxx.com/saml-idp/xxx/logout/"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.xxx.com/saml-idp/xxx/logout/"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.xxx.com/saml-idp/xxx/login/"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.xxx.com/saml-idp/xxx/login/"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
IDP response
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://api.xxx.com/saml/acs" ID="_ee1c1c4ee1a7458e8c027f174c42869d" InResponseTo="id-9532f46d81be47c034fd078a8e853f97bff349b0" IssueInstant="2021-03-26T01:02:29Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.xxx.com/saml-idp/xxx/metadata/</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_ee1c1c4ee1a7458e8c027f174c42869d">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>MmQoS2xJ4GXG9I</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>eKfUIa+HUbCISqhk3ZXD71</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>C1</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_dc7f5bbb1afe45c8bd18a1b60ba7de2c" IssueInstant="2021-03-26T01:02:29Z" Version="2.0">
<saml:Issuer>http://sso.xxx.com/saml-idp/xxx/metadata/</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_dc7f5bbb1afe45c8bd18a1b60ba7de2c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>0y0EA54Evec</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ijbpbqKULn1ibfePkLk5HZ3pfDsLcemrjXiKvYosRTWM9wnsm4d9</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>C1</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" SPNameQualifier="https://api.xxx.com/saml/metadata">user</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="id-9532f46d81be47c034fd078a8e853f97bff349b0" NotOnOrAfter="2021-03-26T01:17:29Z" Recipient="https://api.xxx.com/saml/acs" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-03-26T00:47:29Z" NotOnOrAfter="2021-03-26T01:17:29Z">
<saml:AudienceRestriction>
<saml:Audience>https://api.xxx.com/saml/metadata</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-03-26T01:02:29Z" SessionIndex="kuvBUJH5nJUiI2X1oT">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="email">
<saml:AttributeValue>[email protected]</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Authentication_status">
<saml:AttributeValue>password only</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
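An added diagnostic for this kind of failure, written for this page and not code from crewjam/saml or goxmldsig: a standard-library Go program that pulls the signing certificates out of IdP metadata, pulls the certificates out of the KeyInfo of the Response and Assertion signatures, and reports for each one whether it is byte-for-byte one of the metadata signing certificates and whether it lies inside its NotBefore/NotAfter window at the time of the check. It does not verify the XML signatures themselves; it only checks the two properties that decide whether a signer certificate can be matched against a trust store built from metadata. KeyDescriptor elements with use="encryption" are deliberately excluded, and ones with no use attribute are included, because the SAML metadata schema treats a missing use as "either". The certificates and the two documents are constructed inside the program (the "C1" placeholder in the issue is not decodable base64), and CheckResponseCerts, CertCheck, newSelfSignedB64 and docsFor are names this example introduces.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// entityDescriptor: the X509Certificate elements under each metadata KeyDescriptor.
// encoding/xml matches these paths by local name, so the md:/ds: prefixes do not matter.
type entityDescriptor struct {
	KeyDescriptors []struct {
		Use   string   `xml:"use,attr"`
		Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
}
// samlResponse: the certificates carried in the KeyInfo of the Response and Assertion signatures.
type samlResponse struct {
	ResponseCerts  []string `xml:"Signature>KeyInfo>X509Data>X509Certificate"`
	AssertionCerts []string `xml:"Assertion>Signature>KeyInfo>X509Data>X509Certificate"`
}
// CertCheck is the verdict for one certificate found in the response.
type CertCheck struct {
	Where       string // "Response" or "Assertion"
	Fingerprint string // hex SHA-256 over the DER bytes
	Trusted     bool   // byte-identical to a signing certificate from the metadata
	InValidity  bool   // now lies inside [NotBefore, NotAfter)
}

// parseCert decodes one (usually line-wrapped) X509Certificate element and fingerprints it.
func parseCert(b64 string) (c *x509.Certificate, fp string, err error) {
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
	if err == nil {
		c, err = x509.ParseCertificate(der)
	}
	if err != nil {
		return nil, "", err
	}
	return c, fmt.Sprintf("%x", sha256.Sum256(c.Raw)), nil
}

// CheckResponseCerts compares every certificate in the response's KeyInfo elements with the
// signing certificates in the IdP metadata (a KeyDescriptor with no use attribute counts too).
func CheckResponseCerts(metadataXML, responseXML string, now time.Time) (out []CertCheck, err error) {
	var md entityDescriptor
	if err := xml.Unmarshal([]byte(metadataXML), &md); err != nil {
		return nil, fmt.Errorf("metadata: %w", err)
	}
	trusted := map[string]bool{}
	for _, kd := range md.KeyDescriptors {
		if kd.Use != "" && kd.Use != "signing" {
			continue // an encryption-only key must never be accepted as a signer
		}
		for _, b64 := range kd.Certs {
			_, fp, err := parseCert(b64)
			if err != nil {
				return nil, fmt.Errorf("metadata cert: %w", err)
			}
			trusted[fp] = true
		}
	}
	var resp samlResponse
	if err := xml.Unmarshal([]byte(responseXML), &resp); err != nil {
		return nil, fmt.Errorf("response: %w", err)
	}
	for _, src := range []struct{ where string; certs []string }{{"Response", resp.ResponseCerts}, {"Assertion", resp.AssertionCerts}} {
		for _, b64 := range src.certs {
			c, fp, err := parseCert(b64)
			if err != nil {
				return nil, fmt.Errorf("%s cert: %w", src.where, err)
			}
			out = append(out, CertCheck{src.where, fp, trusted[fp], !now.Before(c.NotBefore) && now.Before(c.NotAfter)})
		}
	}
	return out, nil
}

// newSelfSignedB64 mints a throwaway self-signed certificate (constructed test data standing in
// for the "C1" placeholder in the issue) and returns it base64-encoded, as the XML carries it.
func newSelfSignedB64(notBefore, notAfter time.Time) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return base64.StdEncoding.EncodeToString(der)
}

// docsFor builds metadata and Response documents shaped like the ones in the issue
// (constructed, not captured from a real IdP) with the given certificates dropped in.
func docsFor(metadataCert, responseCert string) (metadata, response string) {
	const ds = `xmlns:ds="http://www.w3.org/2000/09/xmldsig#"`
	ki := func(c string) string { return `<ds:KeyInfo ` + ds + `><ds:X509Data><ds:X509Certificate>` + c + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo>` }
	sig := `<ds:Signature ` + ds + `>` + ki(responseCert) + `</ds:Signature>`
	metadata = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor><md:KeyDescriptor use="signing">` + ki(metadataCert) + `</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>`
	response = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">` + sig + `<saml:Assertion>` + sig + `</saml:Assertion></samlp:Response>`
	return metadata, response
}
```

To use it on a real failure, feed the metadata document and the base64-decoded SAMLResponse from the POST to CheckResponseCerts with the time the ACS handler ran. Two outcomes are worth ruling out before digging into the library: a certificate that fingerprints equal but has InValidity false (the signer certificate, not the trust store, is the problem), and a certificate that is in the freshly fetched metadata but not in what the running process loaded at startup, which is the situation a process restart would "fix" if the SP does not reload metadata while running. Both are checks, not a diagnosis of this issue.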
Seeing the same issue. Did you get to the bottom of this?
I am also facing the same issue. Is there any update on this?
I'm experiencing the same issue. Any solutions provided?