The signature verified correctly with the key contained in the signature, but that key is not trusted. #493
Comments
It's the Idp certificate that's not trusted. There's something wrong in the configuration of the IdentityProvider/Federation. You're correct in that the serviceCertificate is not involved for the ACS endpoint.
```xml
<identityProviders>
  <add entityId="id" metadataLocation="url" signOnUrl="url" logoutUrl="url" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
    <signingCertificate fileName="~/App_Data/idp.crt" />
  </add>
</identityProviders>
```

Do you mean that configuration? Does the certificate have to be imported somewhere on the server? What confuses me is that this configuration worked on staging. Thanks for the quick response!
Yes, that's the configuration. The error message says that the certificate used by the Idp to sign the response is not the one you've configured in

I finally realized they probably have 2 separate certificates, as they have 2 separate idp's (one for test, one for production). Just replaced the old test-.crt, thanks!
Hi, I wonder what effect using a wildcard certificate would have in this scenario? Regards
@agricfowl AuthServices doesn't care what name there is in the certificate. AuthServices only cares about the public key and ensures it is the one that was used to sign any data from the IDp. You can use a wildcard cert if you want. Or a cert for another site you have. But I would really recommend using a unique signing key for SAML, that is not used for anything else in your setup.
I'm having a similar problem but am not sure about the contents of the signingCertificate file: is this a certificate file or a plain text file with `---- BEGIN CERTIFICATE ----` ... etc.? How do I get the public key? Is this something I should be able to get from the IdP, or is this something I can extract from the SAML response itself? I would very much appreciate any help with this.
@lewis-mosaique The Idp should provide you with the certificate. The easiest way is if the Idp provides you with metadata, then you can load that, which will include the cert. Otherwise you can extract the certificate from metadata or an existing response with a signature (make sure that you really extract it from a legit response though) and just save the `---- BEGIN CERTIFICATE ---` parts to a file.
AndersAbel - Thanks. I have built a certificate using the X509 information from the SAML message itself, formatted it and saved it. This file is then referenced via the signingCertificate - all now works! The X509 node from the IdP provided metadata does not match that in the SAML message!
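The two replies above describe the whole mechanism: the library compares the key that signed the response against the certificate you configured, and you obtain that certificate either from the IdP's metadata or by pulling the `ds:X509Certificate` element out of a signed message. The script below is an added example (not part of this thread or of the AuthServices/Saml2 code base) that does exactly that inspection offline: it extracts every `ds:X509Certificate` from a metadata document and from a response, computes SHA-256 fingerprints, reports which response certificates match a signing certificate published in the metadata, and prints the PEM form that `signingCertificate fileName` expects. The metadata and response XML are constructed samples, and the "certificate" bytes are placeholders rather than real DER certificates; the element and attribute names (`md:KeyDescriptor use="signing"`, `ds:KeyInfo/ds:X509Data/ds:X509Certificate`) are the standard SAML 2.0 ones.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed placeholder bytes: NOT real DER certificates, just two distinct
# byte strings standing in for the prod and test IdP signing certificates
# discussed in the thread.
PROD_CERT_DER = b"\x30\x82\x01\x00" + b"prod-idp-signing-cert-placeholder"
TEST_CERT_DER = b"\x30\x82\x01\x00" + b"test-idp-signing-cert-placeholder"


def _b64_wrapped(der: bytes) -> str:
    """Base64-encode DER bytes and wrap at 64 columns, the way IdPs usually emit it."""
    return "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))


# Constructed sample IdP metadata (what the IdP hands you out of band).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.invalid/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{_b64_wrapped(PROD_CERT_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def make_response(cert_der: bytes) -> str:
    """Constructed minimal SAML Response whose Signature/KeyInfo carries cert_der."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:ds="{DS_NS}" ID="_resp1" Version="2.0">
  <ds:Signature>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{_b64_wrapped(cert_der)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def extract_x509_certs(xml_text: str) -> list[bytes]:
    """Return the DER bytes of every ds:X509Certificate element in the document."""
    root = ET.fromstring(xml_text)
    certs = []
    for el in root.iter(f"{{{DS_NS}}}X509Certificate"):
        b64 = "".join((el.text or "").split())  # drop line wrapping and indentation
        certs.append(base64.b64decode(b64, validate=True))
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, colon separated like openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in the BEGIN/END CERTIFICATE armour that a .crt file holds."""
    return f"-----BEGIN CERTIFICATE-----\n{_b64_wrapped(der)}\n-----END CERTIFICATE-----\n"


def check_response_against_metadata(metadata_xml: str, response_xml: str) -> list[tuple[str, bool]]:
    """For each certificate embedded in the response, report its fingerprint and
    whether it matches a signing certificate published in the trusted metadata."""
    trusted = {fingerprint(der) for der in extract_x509_certs(metadata_xml)}
    return [(fingerprint(der), fingerprint(der) in trusted)
            for der in extract_x509_certs(response_xml)]


if __name__ == "__main__":
    # A response signed with the prod cert matches the metadata; one signed
    # with the test cert (the situation in this thread) does not.
    for label, cert in (("prod", PROD_CERT_DER), ("test", TEST_CERT_DER)):
        for fp, ok in check_response_against_metadata(SAMPLE_METADATA, make_response(cert)):
            print(f"response signed with {label} cert: {fp[:23]}...  trusted={ok}")
    # PEM text to save as the file referenced by signingCertificate fileName:
    print(to_pem(extract_x509_certs(SAMPLE_METADATA)[0]), end="")
```

The fingerprint comparison is the point of the exercise: the certificate embedded in a response arrives with the response itself, so it proves nothing on its own, which is why the library only accepts signatures from the key you configured and why the metadata (or a certificate obtained from the IdP out of band) should be the source you compare against. When, as above in the thread, the response certificate and the metadata certificate differ, that is a finding to raise with the IdP operator before trusting either. The script uses the standard-library XML parser on files you fetched yourself for inspection; it is not meant to sit in the request path of the application.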
@AndersAbel - I'm running into the same issue (MVC - .NET4.5 - Kentor Version 0.19). When I set it up for prod against the production IDP it failed, so I realized that I need to change the certificate and reference the one for prod, and it still did not work. To replicate the issue, I pointed my dev server SAML configuration to the production IDP using the prod certificate and this works, but it fails with the same certificate on the prod server. I do get a Successful response from the IDP, so I'm not sure what else could be wrong.

@dev4201 Upgrade to latest version first, to make sure you get accurate error messages. Then enable logging.
@AndersAbel I upgraded to the latest version 0.22 and since I'm on .NET 4.5 I also added Would you be able to point me how to enable verbose logging for this?
I also get this exception when I try to run SampleIdentityServer4: https://github.com/Sustainsys/Saml2/tree/netstandard/Samples/SampleIdentityServer4
Should I use a different certificate at this line? https://github.com/Sustainsys/Saml2/blob/netstandard/Samples/SampleIdentityServer4/Startup.cs#L56 Or should I add another certificate?

Got it fixed by also copying the X509Certificate from https://stubidp.sustainsys.com/Metadata/BrowserFriendly. That was different from what was in Kentor.AuthServices.StubIdp.cer.
https://github.com/KentorIT/authservices/blob/master/Kentor.AuthServices/XmlHelpers.cs#L247
This exception is thrown when the idp I'm integrating with has redirected the user to our site (/Acs). I've generated a self-signed serviceCertificate. At first I thought there was an issue with it, but does that make sense for the acs-endpoint (this is when logging in)? Is it the idp-certificate that isn't being trusted? I'm guessing the latter, but this exception wasn't being thrown on the staging-server, whereas the only difference is that the staging-server doesn't use https, so I don't quite know where to start. Any help is appreciated.