
I am developing an IdP server. I am working on a project that interprets the SAMLRequest from the SP, creates a SAMLResponse and sends it to the SP. The response itself has been completed, but I keep encountering validation errors: "Response doesn't have any valid assertion which would pass subject validation". The SP server does not provide detailed logs on why the response I sent was not validated. When I checked the response I sent with the OneLogin response validation tool, it reported "THE SAML RESPONSE IS VALID."

The only way to check whether SSO can succeed with my response format is to try to send the same response that SSOCircle sends (since SSOCircle is already linked to the SP I am trying to connect to). The only difference between my assertion data and SSOCircle's assertion data is the spaces and line breaks between the SignatureValue and X509Certificate tags and their data. I wonder whether this can affect the validation of the response assertion.

This is the form of the response I am sending (Assertion):

              <ds:SignatureValue>
                blablablablablablabla</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>blablabla
                        blablablablablablablabla
                        blablablablablablablabla
                        blablablablablablablabla</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>

and this is SSOCircle's response:

            <ds:SignatureValue>
                        blablablablablablablabla
                        blablablablablablablabla
                        blablablablablablablabla
            </ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        blablablablablablablabla
                        blablablablablablablabla
                        blablablablablablablabla
                        blablablablablablablabla
                        blablablablablablablabla
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
  • It may be the canonicalization, which is essentially how the XML is represented "on the wire". If the XML is signed and extra space is then added, it won't pass validation. stackoverflow.com/questions/1937297/…
    – codebrane
    Commented Mar 14 at 8:37

1 Answer

It pretty much depends on where the line breaks and spaces are. In your case, the line breaks and spaces were in the SignInfo part of the signature of an assertion, which didn't impact the signature validation of the assertion. However, "Response doesn't have any valid assertion which would pass subject validation" does not seem like a signature problem to me. This question suggests better ideas about where to look: Response doesn't have any valid assertion which would pass subject validation
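An added example, not code from the question, the comment or the answer, that checks the two points made on this page with Python's standard library: the layout of the base64 text inside SignatureValue (one line or several indented lines) does not change the bytes a verifier decodes, whereas whitespace inserted between elements of the signed Assertion does change its canonical form and therefore its digest. It uses xml.etree.ElementTree.canonicalize (C14N 2.0, Python 3.8 and later) as a stand-in for the Exclusive C14N 1.0 that SAML signatures normally specify; both keep whitespace text nodes and both normalise attribute order and quoting, which is the behaviour shown. The XML-DSig and SAML 2.0 namespace URIs are the real ones; the signature bytes, assertion ID, issuer and NameID are constructed for the demonstration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for signature bytes (not a real signature):
# 48 bytes -> 64 base64 characters, no padding.
_RAW_SIGNATURE = bytes(range(48))
_B64 = base64.b64encode(_RAW_SIGNATURE).decode("ascii")

# The asker's layout: line break, then the whole value on one indented line.
ONE_LINE_SIGNATURE = (
    f'<ds:SignatureValue xmlns:ds="{DS_NS}">\n'
    f"                {_B64}</ds:SignatureValue>"
)

# The SSOCircle-style layout: value wrapped over several indented lines.
MULTI_LINE_SIGNATURE = (
    f'<ds:SignatureValue xmlns:ds="{DS_NS}">\n'
    + "".join(f"                        {_B64[i:i + 22]}\n" for i in range(0, len(_B64), 22))
    + "            </ds:SignatureValue>"
)

# Constructed assertion as an IdP would sign it: no whitespace between elements.
ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-1" Version="2.0" '
    'IssueInstant="2024-03-14T08:37:00Z">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)

# Same infoset serialised differently: attribute order and quote style changed.
# Canonicalization erases exactly these differences.
ASSERTION_REORDERED = (
    "<saml:Assertion Version='2.0' IssueInstant='2024-03-14T08:37:00Z' "
    f"ID='_example-1' xmlns:saml='{SAML_NS}'>"
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)

# Same elements, pretty-printed after signing: the newlines and indentation are
# text nodes inside the signed content, and canonicalization keeps them.
ASSERTION_PRETTY = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-1" Version="2.0" '
    'IssueInstant="2024-03-14T08:37:00Z">\n'
    "    <saml:Issuer>https://idp.example.test</saml:Issuer>\n"
    "    <saml:Subject>\n"
    "        <saml:NameID>alice</saml:NameID>\n"
    "    </saml:Subject>\n"
    "</saml:Assertion>"
)


def decoded_signature_bytes(fragment: str) -> bytes:
    """Return the raw bytes a verifier would use from a ds:SignatureValue element.

    Whitespace is not in the base64 alphabet, so verifiers discard it before
    decoding; stripping it explicitly here makes that step visible.
    """
    element = ET.fromstring(fragment)
    if element.tag != f"{{{DS_NS}}}SignatureValue":
        raise ValueError("fragment is not a ds:SignatureValue element")
    compact = "".join((element.text or "").split())
    return base64.b64decode(compact, validate=True)


def canonical_digest(xml_text: str) -> str:
    """SHA-256 of the canonical form, the way a DigestValue is computed.

    C14N 2.0 from the stdlib stands in for Exclusive C14N 1.0 here.
    """
    canonical = ET.canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def run_checks() -> dict:
    """Each entry is True when the page's expectation holds."""
    return {
        "signature_layout_irrelevant": decoded_signature_bytes(ONE_LINE_SIGNATURE)
        == decoded_signature_bytes(MULTI_LINE_SIGNATURE),
        "attribute_order_and_quotes_irrelevant": canonical_digest(ASSERTION)
        == canonical_digest(ASSERTION_REORDERED),
        "whitespace_inside_signed_content_matters": canonical_digest(ASSERTION)
        != canonical_digest(ASSERTION_PRETTY),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

The first check is the asker's situation: SignatureValue and KeyInfo sit outside SignedInfo and are only base64-decoded, so their layout cannot break signature verification. The third check is codebrane's point: whitespace added inside the signed Assertion after signing changes the digest and the signature will not verify.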
