python-saml: Getting "Signature validation failed. SAML Response rejected"
I’m getting the following error when trying to process an IdP-initiated SAML2 response using python-saml and flask:
Signature validation failed. SAML Response rejected
I’m following the example here. My code is:
from urllib.parse import urlparse

from flask import request
from onelogin.saml2.auth import OneLogin_Saml2_Auth

# Build the request dict python-saml expects from the incoming Flask request
url_data = urlparse(request.url)
req = {
    "https": "on",
    "http_host": request.host,
    "server_port": url_data.port,
    "script_name": request.path,
    "get_data": request.args.copy(),
    "post_data": request.form.copy()
}
auth = OneLogin_Saml2_Auth(req, custom_base_path=app.config['SAML_PATH'])
auth.process_response()
In SAML_PATH, I have the following in my settings.json file:
{
    "strict": false,
    "debug": true,
    "sp": {
        "entityId": "[spEntityId]",
        "assertionConsumerService": {
            "url": "[acsUrl]",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        },
        "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
        "x509cert": "[x509cert]",
        "privateKey": "[privateKey]"
    },
    "idp": {
        "entityId": "[idpEntityId]",
        "singleSignOnService": {
            "url": "http://dummy.com/saml2",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "singleLogoutService": {
            "url": "http://dummy.com/saml2",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "x509cert": "[x509cert]"
    },
    "security": {
        "nameIdEncrypted": false,
        "authnRequestsSigned": false,
        "logoutRequestSigned": false,
        "logoutResponseSigned": false,
        "signMetadata": false,
        "wantMessagesSigned": true,
        "wantAssertionsSigned": true,
        "wantNameIdEncrypted": false,
        "requestedAuthnContext": false
    }
}
As you can see, I’m using dummy values for the IdP singleSignOnService and singleLogoutService URLs. I don’t think I need them in my case as I just need to process the SAML Response, but I’m not completely sure about that. The response has a signed message and encrypted assertion:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="[Destination]" ID="[ID]" IssueInstant="2015-11-30T15:35:02.702Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    [Issuer]
  </saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="[ID]" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey Id="[ID]" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
          <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue>
              [CipherValue]
            </xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue>
          [CipherValue]
        </xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</saml2p:Response>
I’ve verified that the x509cert and privateKey are correct. I’m new to SAML2, so I’m hoping it’s something simple 😃 Thank you in advance and please let me know if you need more information.
About this issue
- State: closed
- Created 9 years ago
- Comments: 17 (5 by maintainers)
My response is validated on samltool.com, but after sending it I still got the error "Signature validation issue". Can anyone tell me what could be the issue? I split my X509Certificate into 64-character lines. Could this be the issue?
The Signature element does not include a KeyInfo element, currently required by the toolkit: https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/utils.py#L927
In the ruby-saml toolkit I removed this requirement: https://github.com/onelogin/ruby-saml/commit/3c9dd5eec80da8cb805fb41a059913f718211908
so I plan to remove this requirement from the rest of the toolkits, but I can’t say how long it will take, so try to set the IdP to include that KeyInfo element.
@clane-axial, can you check whether the SAMLResponse is also rejected by this tool? https://www.samltool.com/validate_response.php
Signature validation is complex; a single extra space can invalidate your XML. Also notice that your SAMLResponse contains an EncryptedAssertion. In order to check the signature, the toolkit first decrypts the EncryptedAssertion and then tries to find a signed Assertion in order to validate it. Maybe the issue is related to some problem in this step, perhaps a namespace problem.
You can try to decrypt the EncryptedAssertion here: https://www.samltool.com/decrypt.php and see what is inside.
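The two maintainer comments above point at things a response has to have before python-saml will even get to verifying a signature: a Signature element that carries ds:KeyInfo, and, when the assertion is encrypted, a decryption step before any assertion-level signature can be located. The following pre-flight inspector is an added example for this thread, not code from the issue or from python-saml; it parses a SAMLResponse with the standard library only, reports which of those structural elements are present, and lists the mismatches against the "wantMessagesSigned" / "wantAssertionsSigned" settings shown in the question. The sample response embedded in it is constructed for the example (it carries a Response-level Signature without KeyInfo plus an EncryptedAssertion, the shape this issue is about); the report keys and function names are this example's own, and it performs no cryptographic verification, so a clean report still has to be followed by the toolkit's real validation.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace prefixes used in the lookups below (the prefixes in the document
# itself may differ, e.g. saml2p/saml2; only the URIs matter to ElementTree).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample: signed Response whose Signature lacks ds:KeyInfo, and an
# EncryptedAssertion instead of a plain Assertion. Placeholders in brackets.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="[Destination]" ID="[ID]" IssueInstant="2015-11-30T15:35:02.702Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">[Issuer]</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo/>
    <ds:SignatureValue>[SignatureValue]</ds:SignatureValue>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="[ID]">
      <xenc:CipherData><xenc:CipherValue>[CipherValue]</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</saml2p:Response>"""

# What the HTTP-POST binding actually delivers in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE).decode("ascii")


def decode_saml_response(post_value):
    """Base64-decode the SAMLResponse form field back into the raw XML bytes."""
    return base64.b64decode(post_value)


def inspect_response(xml_bytes):
    """Report which signature/encryption elements a SAML Response carries.

    Only structure is examined; no signature is verified and nothing is decrypted.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document: %s" % root.tag)

    response_sig = root.find("ds:Signature", NS)
    plain_assertion = root.find("saml:Assertion", NS)
    return {
        "response_signed": response_sig is not None,
        "response_signature_has_keyinfo": (
            response_sig is not None and response_sig.find("ds:KeyInfo", NS) is not None
        ),
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
        "plain_assertion": plain_assertion is not None,
        "plain_assertion_signed": (
            plain_assertion is not None and plain_assertion.find("ds:Signature", NS) is not None
        ),
    }


def diagnose(report, want_messages_signed, want_assertions_signed):
    """Return human-readable findings for the settings the SP is configured with."""
    findings = []
    if want_messages_signed and not report["response_signed"]:
        findings.append("wantMessagesSigned is true but the Response carries no ds:Signature")
    if report["response_signed"] and not report["response_signature_has_keyinfo"]:
        findings.append("Response ds:Signature has no ds:KeyInfo; the toolkit version in this "
                        "issue requires one, so ask the IdP to include it")
    if report["encrypted_assertion"]:
        findings.append("Assertion is encrypted; an assertion-level signature can only be "
                        "checked after decryption with the SP privateKey, so verify that key "
                        "and the decrypted content first")
    if want_assertions_signed and report["plain_assertion"] and not report["plain_assertion_signed"]:
        findings.append("wantAssertionsSigned is true but the plain Assertion is unsigned")
    return findings


if __name__ == "__main__":
    rep = inspect_response(decode_saml_response(SAMPLE_RESPONSE_B64))
    for key, value in rep.items():
        print("%-32s %s" % (key, value))
    for line in diagnose(rep, want_messages_signed=True, want_assertions_signed=True):
        print("-", line)
```

Run it against the base64 value taken from the POST body (or against the raw XML) before reaching for the online validators: it tells you in one pass whether the failure is the missing KeyInfo the maintainer describes, an encrypted assertion that still has to be decrypted, or a signature that is simply absent, which is a different problem from one that is present but does not verify.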