
unsupported signature algorithm error #33

Open
last61474 opened this issue Oct 20, 2020 · 2 comments

last61474 commented Oct 20, 2020

Hi, I am getting an "unsupported signature algorithm" error each time I try to log in via SAML.

This is the url data:

https://127.0.0.1:9443/SAML2/Redirect/SSO?RelayState=lTWG557ErB0jdoEZGhp7uSOl7Am_zfx-1-qvj69EFPlRnWbS5SdQqKzH&SAMLRequest=nJJPj9MwEMW%2FiuV7Yudfs7U2kcpWiEoLWzWFA7epM6WWErt4JsB%2Be9R2kcolh73a8%2Ba9n%2F0eCcbhbFYTn%2FwOf05ILP6MgydzuWjkFL0JQI6MhxHJsDXd6vOzyVNtgAgju%2BDlneQ8rznHwMGGQYrNupGuTwqEHrLFYlkdy6yoQBe1Lo9F3R%2BXpa3qQ%2FlwqMqitFJ8w0gu%2BEbmqZZiQzThxhOD50bmOtdJppNc7zNtdGWqOl3UxXcp1kjsPPBVeWI%2Bk1Eqy%2BtUpzrNzLIsC3VJl6sd9i6iZdV1L1Ks%2FsE9BU%2FTiLHD%2BMtZ%2FLp7vu0xSg3BwnAKxOZBa60u%2BAosSbF9o%2FzgfO%2F8j%2FknOdyGyHza77fJ9qXby%2Fb6LebKGMXHEEfg%2BSWXE9cnx%2BuoQc%2BOX2U7k3NEhh4YHtWdVftWhy8w4ma9DYOzr%2B%2Bw5wieHHqWYjUM4fdTRGBsJMcJpWpvlv%2BXrv0bAAD%2F%2Fw%3D%3D

This is the decoded SAML request from the above URL:

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-285c3afff17086a4650f9b0b781198e02974d762" Version="2.0" IssueInstant="2020-10-20T10:39:54.184Z" Destination="https://127.0.0.1:9443/SAML2/Redirect/SSO" AssertionConsumerServiceURL="http://localhost:8000/saml/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://localhost:8000/saml/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#id-285c3afff17086a4650f9b0b781198e02974d762">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>WNxqn7Bi51VRJiA/RMxVv7eaYkY=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>OWViufTSJVmmYkWMS8QgAOgmoJob3CNYoZTCYy+Khwt3oGFqRa3xxzG0k1NZoI257wIHNSrs6Za7gZgLN82CPQSs1+sW09u6FGhbOqYK2TJ0oTLLHs+3YyjqW8s5JCWhKYN1G/h8zAkdkYwnvS2T2DXssD9Cbwz0ZDx1O2TrYtfNfhh+4LZwCainB0K6i38FJZuNAry0cKCFullPMBboNRdPHw0jLoMqYje0I3jVe7fQfTfblfZ6U6eGbzz7rAXaQXFUh8AS+eaEId4YmMO5YkZ0qVRf8zczfyuxCcx/oulUE35ybgVq3o9ZYuMD6h7DJo6q+1iys1HX9YFqCJiSag==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>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</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>

Here is my config.yaml:

artifact-service-path: /SAML2/SOAP/ArtifactResolution
attribute-service-path: /SAML2/SOAP/AttributeQuery
cookie-name: lite-idp-sess
digest-algorithm: http://www.w3.org/2001/04/xmlenc#sha256
ecp-service-path: /SAML2/SOAP/ECP
listen-address: 127.0.0.1:9443
metadata-path: /metadata
redis:
  address: 127.0.0.1:6379
  password: ""
saml-attribute-name-format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
server-name: 127.0.0.1:9443
signature-algorithm: "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
sps:
- entityid: http://localhost:8000/saml/metadata
  assertionconsumerservices:
  - index: 1
    isdefault: false
    binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    location: http://localhost:8000/saml/acs
  certificate: 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
sso-service-path: /SAML2/Redirect/SSO
temp-cache-duration: 5m
tls-ca: idp\ca\ca.crt
tls-certificate: idp\certificate.pem.crt
tls-private-key: idp\mykey.pem
user-cache-duration: 8h
users:
- attributes:
    FirstName:
    - John
    FullName:
    - John Doe
    SurName:
    - Doe
  name: CN=John Doe, OU=lite-idp sample, O=autogenerated, L=the internet
- attributes:
    FirstName:
    - Aaron
    FullName:
    - Aaron Donovan
    SurName:
    - Donovan
  name: amdonov
  password: $2a$10$U41uarKrlduOofvJRC724.7V7RRZOciyC4TZ4UAQUtWuPuKVvByR.

Metadata file from the SP:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-10-22T10:27:56.072Z" entityID="http://localhost:8000/saml/metadata">
  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-10-22T10:27:56.0717049Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>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</X509Certificate>
        </X509Data>
      </KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>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</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8000/saml/slo" ResponseLocation="http://localhost:8000/saml/slo"></SingleLogoutService>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8000/saml/acs" index="1"></AssertionConsumerService>
  </SPSSODescriptor>
</EntityDescriptor>

Any idea on what's causing the problem?

@jlewallen

Has anybody had any luck with this?

yusrenaltair commented Dec 31, 2021

I'm facing exactly the same problem.
For the Service Provider I'm using the https://github.com/crewjam/saml package;
the SSL certificates on both sides are from Sectigo, which supports the SSL SHA-256 ECDSA algorithm. I'm sure this is the cause, like the note says: "ECDSA certificates cannot currently be used for signing". Has ECDSA not been supported until now?
https://pkg.go.dev/crypto/ecdsa: is this package able to do the ECDSA signing process?
Thanks in advance
