mock-saml

Error: Invalid signature

Open sameencse opened this issue 1 year ago • 5 comments

Hi, I integrated mock-saml for 2 of our products. One is working fine, and for the other product, when hitting the login URL page, it is showing the Error: Invalid signature.

Could you please help me with how to resolve this issue? Note: in the server log, I can see it is generating the SP metadata file, which is fine, but afterwards there are no other errors.

sameencse · Mar 27 '24 12:03

That error would typically mean there is a mismatch in either the certificate or the signature of the SAML request. Can you please check the SAML request generation on your side in the case of the 2nd product where it fails?

deepakprabhakara · Mar 27 '24 12:03

Hi, thanks for your prompt response. Tried all the options but no luck. FYI, the same product was working fine with TestShib and samltest.id but is not working with this mock SAML. Now I tried with the JumpCloud trial version and it is working fine. I am suspecting there is an issue with Mock SAML (there is even no way to see the console log).

sameencse · Apr 01 '24 12:04

@sameencse If you can provide us with the SAML request, we can investigate.

deepakprabhakara · Apr 01 '24 12:04

@deepakprabhakara Please see the information below.

Request:

```http
POST https://mocksaml.com/api/saml/sso HTTP/1.1
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: app url
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: http app url
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en,en-US;q=0.9,en-IN;q=0.8
```

Response:

```http
HTTP/1.1 500 Internal Server Error
ETag: "oy2c1p0p68o"
Content-Length: 24
Date: Mon, 01 Apr 2024 14:20:55 GMT
Connection: keep-alive
Keep-Alive: timeout=5
```

POST body:

```
RelayState: http://app_url/callback?client_name=SAML2Client
SAMLRequest: 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
```

Decoded SAML request:

```xml
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="app_acs_url"
    Destination="https://mocksaml.com/api/saml/sso"
    ForceAuthn="false"
    ID="_de45240e892f4a26bd235f07cb98ef310891b31"
    IsPassive="false"
    IssueInstant="2024-04-01T14:20:52.911Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">app url</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_de45240e892f4a26bd235f07cb98ef310891b31">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>VGWzt5siefWldgMd4uDGShlMNfOVvZJaQfDBvo4XiQk=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
GTdHh+0cGzcoUol25FwFoqzvzdFwjJ+HDdn5NSH/OlvDSTgK9nngBQGBENPyUvvVW/QJrd/qcdhB
3VH/P/cFCY7zbTanc6z0TWNw4bzvSf8WqnK3+u2jKf2BEHSvZbrOSkM1IlC64hhZM/b79G+MlPQ+
K4cRREQT/+JWT7KvAmACUhNXA2MDkjGw5Lq4k06KubmqQTQ0+4NdiSFrQqCjbWsGs/TW05NDeSJG
PBkmpv4KMDKbgEugCvmBUQJ9AoCO22wiaEWoxcFjSDwfnuAFYlFZWTQoiC5Q/p2QT7b1+vh+ASU8
8KTjScC424/QL6/ZnLdF82DSVDiKhJ8ETWWnTw==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIIDdTCCAl2gAwIBAgIEL3+aeDANBgkqhkiG9w0BAQsFADBrMRAwDgYDVQQGEwdVbmtub3duMRAw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD
VQQLEwdVbmtub3duMQ8wDQYDVQQDEwZkZXZqeDIwHhcNMjAwNzAyMTk1MDIyWhcNMzAwNjMwMTk1
MDIyWjBrMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtu
b3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMQ8wDQYDVQQDEwZkZXZqeDIw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCMdqDJSLdQkNWh6YA0pEIPsIWd1wP9R86d
JemNHcvfbBvVl1zi3GL+CkVzKtuiXzJLdIi2xO1WuiaGya9mwmByoCFn/T6gaGS5sK/u5dQmkQRi
IFV+DTx3io3aMWHyLbLG2eQIxBA1lL2Ax/MrzyqQDJS+TYpUh9f6Cfwpo3y40quRaKye3gOQs7qm
g5fLhhfD2JrmuU0jEf7a124yuzsKsdc321c145QhzG1YL68yAor2huy+TeJk5fLt8vfqDMby/7Zg
I0XA8nx3DK9x1aZliLS0iupCScXyJ76EQRRMek5DWX4RJHER2kKU1XFyE+z7aSJg91h00tN7yUC3
A6eDAgMBAAGjITAfMB0GA1UdDgQWBBShrTAxfOx02xfJdWfNvgCF3LoZRDANBgkqhkiG9w0BAQsF
AAOCAQEAL3CVvCEH/xhAv5DidwUXSM63Exil/rrtXET2hp66v+f+qqtOPCkl6/nVmAVDNCn0ww5s
9Nsq96YEubv5QXgR54qibtqtx9yCNZZGWrrOyejufhx3zyoqIlhYx11x+gY0EQDhaes6g5NsLmW3
e/HeFLGt+RbwBIb87o65kx3saGptWoOaOmflPSTZNajkYW0zs4StkMXzT+AkUnDspEHdzC9rgjzk
FgG1XQ0ule8Q48i6pvxFYZ6fNDfNuPNstImYMxqeNMLFchwUsibrLcAjj8BDszSsH20P6JHv2qZk
R8Vfw/SKSWN3BvAZ1KFhHnmgEms/c126scQFCboVlIN/aQ==
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</saml2p:AuthnRequest>
```

sameencse · Apr 01 '24 14:04

The digest values don't match when comparing the signature. Would it be possible to give us more information on how you are constructing and signing the SAML request?

deepakprabhakara · Apr 01 '24 20:04
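What "the digest values don't match" means in practice, as an added example that is not code from the mock-saml project or from anyone in this thread: before an IdP can verify SignatureValue at all, it must recompute the Reference digest from the bytes it actually received, after applying the transforms the request declares (drop the enveloped ds:Signature, then exclusive canonicalization), and compare it with the DigestValue the SP embedded. The script below builds a constructed AuthnRequest shaped like the one posted above (the ID, ACS URL and issuer are placeholders, not values from the thread), embeds that digest the way the SP side does, and re-checks it the way the IdP side does. It then shows the two most common reasons the check fails: the request being modified after it was signed, and the signed request being re-serialized before it is sent (here the XML library renames the namespace prefixes, which changes the canonical bytes; pretty-printing has the same effect). Assumptions: it uses the standard library's `ET.canonicalize`, which implements Canonical XML 2.0 rather than the exclusive C14N 1.0 the request names; for a flat document like this one both produce the same bytes, but a production check should use a real xmldsig implementation such as xmlsec or signxml. It does not verify SignatureValue, which would additionally need the SP's RSA public key.

```python
# Added example: Reference-digest check for an enveloped XML signature on a
# SAML AuthnRequest. Not code from the mock-saml project or this issue thread.
# Python standard library only (3.8+); ET.canonicalize (C14N 2.0) stands in
# for exclusive C14N 1.0 (assumption, see lead-in).
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DS_NS
DIGEST_VALUE_TAG = "{%s}DigestValue" % DS_NS

# Constructed request modelled on the one posted in the thread. The ID, ACS
# URL and issuer are placeholders chosen for this example.
REQUEST_ID = "_example0123456789abcdef"
ACS_URL = "https://sp.example.test/callback"
REQUEST_TEMPLATE = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' AssertionConsumerServiceURL="{acs}"'
    ' Destination="https://mocksaml.com/api/saml/sso"'
    ' ForceAuthn="false" ID="{id}" IsPassive="false"'
    ' IssueInstant="2024-04-01T14:20:52.911Z"'
    ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">'
    "https://sp.example.test</saml2:Issuer>"
    "{signature}"
    "</saml2p:AuthnRequest>"
)
# Same algorithm URIs as the posted request. SignatureValue is a placeholder:
# this example checks the Reference digest only, not the RSA signature.
SIGNATURE_TEMPLATE = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
    '<ds:Reference URI="#{id}"><ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
    "<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>"
    "<ds:SignatureValue>NOT-CHECKED-IN-THIS-EXAMPLE</ds:SignatureValue></ds:Signature>"
)


def reference_digest(xml_text):
    """Digest the verifier recomputes for the Reference: remove every
    ds:Signature element (enveloped-signature transform), canonicalize,
    SHA-256, base64. exclude_tags matches by namespace URI, so it works
    whatever prefix the sender used."""
    canonical = ET.canonicalize(xml_text, exclude_tags=[SIGNATURE_TAG])
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signed_request(acs_url=ACS_URL):
    """SP side: digest the request exactly as it will be sent, then embed
    the Signature element carrying that DigestValue."""
    unsigned = REQUEST_TEMPLATE.format(acs=acs_url, id=REQUEST_ID, signature="")
    signature = SIGNATURE_TEMPLATE.format(id=REQUEST_ID, digest=reference_digest(unsigned))
    return REQUEST_TEMPLATE.format(acs=acs_url, id=REQUEST_ID, signature=signature)


def check_reference_digest(xml_text):
    """IdP side: compare the DigestValue carried in the request with the
    digest recomputed from the bytes actually received.
    Returns (matches, claimed, recomputed)."""
    root = ET.fromstring(xml_text)
    node = root.find(".//" + DIGEST_VALUE_TAG)
    claimed = node.text.strip() if node is not None and node.text else ""
    recomputed = reference_digest(xml_text)
    return claimed == recomputed, claimed, recomputed


def reserialize(xml_text):
    """Round-trip the signed request through a serializer that does not keep
    the original namespace prefixes (ElementTree emits ns0, ns1, ...). The
    prefixes are part of the canonical form, so the digest no longer matches
    even though no attribute or text changed."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")


if __name__ == "__main__":
    signed = build_signed_request()
    print("untouched request:", check_reference_digest(signed)[0])  # True
    tampered = signed.replace(ACS_URL, "https://attacker.example/callback")
    print("ACS URL changed after signing:", check_reference_digest(tampered)[0])  # False
    print("re-serialized after signing:", check_reference_digest(reserialize(signed))[0])  # False
```

The practical use of this is on the SP side: log the exact bytes that go into the SAMLRequest form field and run the check over them. If the digest does not match there, the request was changed between signing and sending (re-serialization, prefix rewriting, pretty-printing, or a signature computed over a different DOM than the one encoded), and no IdP will accept it, independent of which certificate mock-saml has for the SP.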