
Is still happening: Error: SAML Assertion signature check failed! (checked 1 certificate(s)) #106

Closed
davidgatti opened this issue May 8, 2017 · 9 comments

Comments

@davidgatti

davidgatti commented May 8, 2017

2017-05-08T12:18:51.995668+00:00 app[web.1]: Error: SAML Assertion signature check failed! (checked 1 certificate(s))
2017-05-08T12:18:51.995688+00:00 app[web.1]:     at /app/node_modules/saml2-js/lib-js/saml2.js:633:20
2017-05-08T12:18:51.995689+00:00 app[web.1]:     at fn (/app/node_modules/saml2-js/node_modules/async/lib/async.js:746:34)
2017-05-08T12:18:51.995690+00:00 app[web.1]:     at /app/node_modules/saml2-js/node_modules/async/lib/async.js:1213:16
2017-05-08T12:18:51.995691+00:00 app[web.1]:     at /app/node_modules/saml2-js/node_modules/async/lib/async.js:166:37
2017-05-08T12:18:51.995691+00:00 app[web.1]:     at /app/node_modules/saml2-js/node_modules/async/lib/async.js:706:43
2017-05-08T12:18:51.995692+00:00 app[web.1]:     at /app/node_modules/saml2-js/node_modules/async/lib/async.js:167:37
2017-05-08T12:18:51.995693+00:00 app[web.1]:     at /app/node_modules/saml2-js/node_modules/async/lib/async.js:1209:30
2017-05-08T12:18:51.995693+00:00 app[web.1]:     at /app/node_modules/saml2-js/lib-js/saml2.js:607:16
2017-05-08T12:18:51.995694+00:00 app[web.1]:     at Timeout._onTimeout (/app/node_modules/saml2-js/lib-js/saml2.js:370:17)
2017-05-08T12:18:51.995695+00:00 app[web.1]:     at ontimeout (timers.js:380:14)
2017-05-08T12:18:51.995696+00:00 app[web.1]:     at tryOnTimeout (timers.js:244:5)
2017-05-08T12:18:51.995696+00:00 app[web.1]:     at Timer.listOnTimeout (timers.js:214:5)

Based on the issue here #34, this error seemed to be solved in 2015, but sadly I'm using "saml2-js": "1.11.0" and this is still happening 😟:

The code that I'm using goes like this:

let fs = require('fs');
let saml2 = require('saml2-js');
let express = require('express');
let environment_based_url = require(process.cwd() + '/helpers/environment_based_url');

let router = express.Router();

//
//	Service Provider Options
//
let sp_options = {
	entity_id: "Company_name",
	private_key: fs.readFileSync("./certificates/key.pem").toString(),
	certificate: fs.readFileSync("./certificates/cert.pem").toString(),
	assert_endpoint: environment_based_url() + "/sso/assertion"
};

//
//	Identity Provider Options
//
let idp_options = {
	sso_login_url: "https://accounts.google.com/o/saml2/idp?idpid=C026afnqm",
	sso_logout_url: "https://accounts.google.com/o/saml2/idp?idpid=C026afnqm",
	certificates: fs.readFileSync("./certificates/GoogleIDPCertificate.pem.txt").toString(),
	allow_unencrypted_assertion: true
};

//
//	This route will assert the request from Google. It expects the
//	SAMLResponse POST body to already be parsed into req.body, i.e. an
//	express.urlencoded() (or body-parser) middleware mounted before it.
//
router.post('/', function(req, res, next) {

	//
	//	1.	Call service provider constructor with options
	//
	let sp = new saml2.ServiceProvider(sp_options);

	//
	//	2.	Call identity provider constructor with options
	//
	let idp = new saml2.IdentityProvider(idp_options);

	//
	//	3.	Pass the response that we got from the IDP
	//
	let options = {
		request_body: req.body
	};

	//
	//	4.	Check the response
	//
	sp.post_assert(idp, options, function(error, saml_response) {

		if(error)
		{
			return next(error);
		}

		//
		//	->	Display the response (res.send() also ends the response)
		//
		res.send(saml_response);
	});

});

module.exports = router;

For testing I'm using Google SSO, and when I use the test URL that they provide I get this:

  1. Click... opens a new page with a list of Google accounts that I can choose from
  2. I select the one that I want to use
  3. I get redirected back to my assertion page
  4. The post data from Google gets through
  5. But Assertion check fails

I hope that someone can point to what I'm doing incorrectly, because I'm out of ideas.

@cpurtlebaugh

I'm experiencing this as well - did you end up finding a solution?

@davidgatti

davidgatti commented Jun 21, 2017

@cpurtlebaugh Yes, see if this helps :)

let saml2 = require('saml2-js');

//
//	Verify the SAMLResponse posted back by the IdP and resolve with the
//	user's email. Wrapped in a Promise so it can sit in a chain; `req` is
//	the Express request and `container` the object the chain passes along.
//
function assert_saml_response(req, container)
{
	return new Promise(function(resolve, reject) {

		//
		//	1.	Call service provider constructor with options
		//
		let sp = new saml2.ServiceProvider({});

		//
		//	2.	Call identity provider constructor with options. The
		//		`certificates` option of IdentityProvider is the IdP's
		//		signing certificate, passed here as a PEM string
		//		(CERTIFICATE_FROM_SERVICE_PROVIDER_AS_STRING is a placeholder).
		//
		let idp = new saml2.IdentityProvider({
			certificates: CERTIFICATE_FROM_SERVICE_PROVIDER_AS_STRING,
			allow_unencrypted_assertion: true
		});

		//
		//	3.	Pass the response that we got from the IDP
		//
		let options = {
			request_body: {
				RelayState: req.body.RelayState,
				SAMLResponse: req.body.SAMLResponse,
			}
		};

		//
		//	4.	Check the response
		//
		sp.post_assert(idp, options, function(error, saml_response) {

			console.log(saml_response);

			//
			//	1.	Check for potential errors
			//
			if(error)
			{
				return reject(error);
			}

			//
			//	2.	Add the email to the container
			//
			container.email = saml_response.user.name_id;

			//
			//	->	Move to the next chain
			//
			return resolve(container);
		});

	});
}

@dyaacov

dyaacov commented May 13, 2018

Happens to me with the same code above (I don't have RelayState).

@dyaacov

dyaacov commented May 13, 2018

These options fixed my issue:

const options = {
	request_body: {
		SAMLResponse: req.body.saml,
	},
	ignore_signature: true,        // skips the XML signature check entirely
	require_session_index: false,  // do not require a SessionIndex in the assertion
};

@davidgatti

@dyaacov I would not ignore the signature, it defeats the purpose ;)

@dyaacov

dyaacov commented May 16, 2018

So, what am I missing?
I used CERTIFICATE_FROM_SERVICE_PROVIDER_AS_STRING

@davidgatti

Maybe the path to the certificate is wrong? Or you saved the cert in the file incorrectly? (do not copy and paste the cert file here)

@yvadugu-insight

I used the certificate from the IDP as a string instead of reading a file; that fixed my issue.

@galkahana

I had this error with one of the IDPs I'm using. Cert was fine. Two things helped to resolve this:

  1. Force upgrade xml-crypto to 1.2.0 (yarn add xml-crypto@latest). The later version is a bit more able.
  2. Changed the code a bit to be more lax as to the location of the signature.
    Changed this:
    signature = xmlcrypto.xpath(doc, "./*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")
    to this:
    signature = xmlcrypto.xpath(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")

5 participants