I get the following error when trying to process an IdP initiated SAML2 response using python-saml and a bulb:
Signature validation failed. SAML Response rejected
I follow the example here. My code is:

```python
from urlparse import urlparse  # Python 2; on Python 3 use: from urllib.parse import urlparse
from onelogin.saml2.auth import OneLogin_Saml2_Auth

url_data = urlparse(request.url)
# Build the request dict that python-saml expects from the web framework's request object
req = {
    "https": "on",
    "http_host": request.host,
    "server_port": url_data.port,
    "script_name": request.path,
    "get_data": request.args.copy(),
    "post_data": request.form.copy()
}
# Load settings.json from SAML_PATH and validate the POSTed SAMLResponse
auth = OneLogin_Saml2_Auth(req, custom_base_path=app.config['SAML_PATH'])
auth.process_response()
```
In SAML_PATH in my settings.json file there is the following:
```json
{
  "strict": false,
  "debug": true,
  "sp": {
    "entityId": "[spEntityId]",
    "assertionConsumerService": {
      "url": "[acsUrl]",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    },
    "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
    "x509cert": "[x509cert]",
    "privateKey": "[privateKey]"
  },
  "idp": {
    "entityId": "[idpEntityId]",
    "singleSignOnService": {
      "url": "http://dummy.com/saml2",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "singleLogoutService": {
      "url": "http://dummy.com/saml2",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "x509cert": "[x509cert]"
  },
  "security": {
    "nameIdEncrypted": false,
    "authnRequestsSigned": false,
    "logoutRequestSigned": false,
    "logoutResponseSigned": false,
    "signMetadata": false,
    "wantMessagesSigned": true,
    "wantAssertionsSigned": true,
    "wantNameIdEncrypted": false,
    "requestedAuthnContext": false
  }
}
```
As you can see, I used dummy values for the IdP URLs singleSignOnService and singleLogoutService. I don't think I need them in my case, since I just need to process the SAML response. I also use the same x509cert for SP and IdP. The response has a signed message and an encrypted statement:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="[Destination]" ID="[ID]"
                 IssueInstant="2015-11-30T15:35:02.702Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    [Issuer]
  </saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="[ID]"
                        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
                             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey Id="[ID]" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
                                 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
          <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue>
              [CipherValue]
            </xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue>
          [CipherValue]
        </xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</saml2p:Response>
```
I checked that x509cert and privateKey are correct. I am new to SAML2, so I hope it is something simple :) Thanks in advance!
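As an added example (not part of the question and not python-saml code), a stdlib-only check of where the ds:Signature elements sit in a Response shaped like the one above, compared against the wantMessagesSigned and wantAssertionsSigned settings from settings.json. The sample Response is constructed with placeholders; the prefix names in NS are ours.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the Response in the question (prefix names are ours; only the URIs matter).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_signatures(response_xml):
    """Report where ds:Signature elements sit in a SAML Response, before any decryption."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    assertions = root.findall("saml:Assertion", NS)
    return {
        # Message-level signature: a ds:Signature that is a direct child of the Response.
        "message_signed": root.find("ds:Signature", NS) is not None,
        "plain_assertions": len(assertions),
        # Each plaintext assertion must carry its own ds:Signature child.
        "plain_assertions_signed": all(a.find("ds:Signature", NS) is not None for a in assertions),
        # An EncryptedAssertion hides its signature until decrypted with the SP private key.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

def signature_problems(report, want_messages_signed, want_assertions_signed):
    """List the settings.json expectations this message cannot satisfy as received."""
    problems = []
    if want_messages_signed and not report["message_signed"]:
        problems.append("wantMessagesSigned is true but samlp:Response carries no ds:Signature")
    if want_assertions_signed and report["plain_assertions"] and not report["plain_assertions_signed"]:
        problems.append("wantAssertionsSigned is true but a plaintext saml:Assertion is unsigned")
    if want_assertions_signed and report["encrypted_assertions"]:
        problems.append("assertion is encrypted: its signature is only checkable after decryption")
    return problems

# Constructed sample with the same shape as the Response in the question (placeholders, no real data).
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-id" Version="2.0" IssueInstant="2015-11-30T15:35:02.702Z">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">[Issuer]</saml2:Issuer>
  <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"/>
  </saml2:EncryptedAssertion>
</saml2p:Response>"""

if __name__ == "__main__":
    for p in signature_problems(inspect_signatures(SAMPLE), want_messages_signed=True, want_assertions_signed=True):
        print("-", p)
```

The same inspection can be run on the raw, base64-decoded SAMLResponse from the POST before handing it to python-saml, to see which of the two settings the IdP's message cannot meet.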