
ERR_FAILED_TO_VERIFY_SIGNATURE when parsing SAML response #459

Open
DrJest opened this issue Nov 23, 2021 · 3 comments

Comments


DrJest commented Nov 23, 2021

Hi,
I'm trying to build an SP on top of samlify. Everything works fine until I get the response from the IdP. Then I get ERR_FAILED_TO_VERIFY_SIGNATURE.
I tried to verify the signature with parseLoginResponse and with sig.checkSignature of xml-crypto, but both of them report an invalid signature.
But by copy-pasting the response from the console into https://www.samltool.com/validate_response.php I get a valid response.
Both the response and the assertion are signed. I guess that might be the problem?

tngan (Owner) commented Nov 24, 2021

@DrJest Here is the example for working with a signed message + signed assertion.

If you don't mind sharing the response (with the sensitive information taken out), please send it to [email protected].

samlify/test/flow.ts, lines 736 to 750 in 9a56afd:

```typescript
test('send login response with signed assertion + signed message and parse it', async t => {
  // SP that requires the whole <samlp:Response> to be signed, on top of the
  // assertion signature that defaultSpConfig already expects.
  const spWantMessageSign = serviceProvider({
    ...defaultSpConfig,
    wantMessageSigned: true,
  });
  const user = { email: '[email protected]' };
  // IdP side: build the signed response for the POST binding.
  const { id, context: SAMLResponse } = await idpNoEncrypt.createLoginResponse(spWantMessageSign, sampleRequestInfo, 'post', user, createTemplateCallback(idpNoEncrypt, spWantMessageSign, binding.post, user));
  // receiver (caution: only use metadata and public key when declaring the pair-up in the opponent entity)
  const { samlContent, extract } = await spWantMessageSign.parseLoginResponse(idpNoEncrypt, 'post', { body: { SAMLResponse } });
  t.is(typeof id, 'string');
  t.is(samlContent.startsWith('<samlp:Response'), true);
  t.is(samlContent.endsWith('/samlp:Response>'), true);
  t.is(extract.nameID, '[email protected]');
  t.is(extract.response.inResponseTo, 'request_id');
});
```

Sf-Skaylink commented

Hey @tngan and @DrJest,
I have the same problem. Were you able to find a solution?
Interestingly, I use the Chrome extension SAML-tracer and I'm definitely getting a correct SAML response, including the bearer token, back. I just can't use it because parseLoginResponse fails with that error.

liviu-gheorghe commented

Same problem here; can anyone help?
