
Getting "SAML Assertion signature is invalid" after adding a new SAML identity provider #6201

Open
3 tasks done
ap-h opened this issue Jun 15, 2024 · 2 comments
Assignees
Labels
bug This issue is a bug. p2 This is a standard priority issue

Comments


ap-h commented Jun 15, 2024

Checkboxes for prior research

Describe the bug

Hi, when we add a new SAML identity provider to a Cognito user pool client and a user tries to log in via the application UI, we get this error (appended to the callback URL): https://callback.url/?error_description=Invalid+SAML+response+received%3A+SAML+Assertion+signature+is+invalid.+&error=server_error

Decoded error: Error: Invalid SAML response received: SAML Assertion signature is invalid.

But when we go to the AWS console > Cognito user pool > App integration > App client > click the client > Edit Hosted UI > just save without changes, then it works fine.

The code we use to create SAML identity provider and add it to the client:

import {
  CognitoIdentityProvider,
  CreateIdentityProviderCommand,
  DescribeUserPoolClientCommand,
  IdentityProviderTypeType,
  UpdateUserPoolClientCommand,
} from '@aws-sdk/client-cognito-identity-provider'

// Assumed: the SAML claim mapped onto the Cognito 'email' attribute. The original
// snippet used the shorthand `{ email }` without showing where `email` is defined.
const email = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

class SamlProviderSetup {
  async createSamlIdentityProvider() {
    this.cognitoIdentityProvider = new CognitoIdentityProvider()

    // Register the SAML IdP on the user pool from its metadata document
    const createIdentityProviderParams = {
      UserPoolId: 'UserPoolId',
      ProviderName: 'providerName',
      ProviderType: IdentityProviderTypeType.SAML,
      ProviderDetails: {
        MetadataFile: '...',
      },
      AttributeMapping: { email },
    }

    const command = new CreateIdentityProviderCommand(createIdentityProviderParams)
    await this.cognitoIdentityProvider.send(command)

    // Read the client's current provider list so the new IdP is appended, not substituted
    const describeCommand = new DescribeUserPoolClientCommand({
      UserPoolId: 'UserPoolId',
      ClientId: 'UserPoolClientId',
    })
    const clientDetail = await this.cognitoIdentityProvider.send(describeCommand)

    // Fall back to an empty list so a client with no providers yet still gets the new one
    const providerNames = (clientDetail?.UserPoolClient?.SupportedIdentityProviders ?? []).concat('providerName')

    // UpdateUserPoolClient replaces the whole client configuration: any setting not
    // passed here (OAuth flows, scopes, callback URLs, ...) resets to its default.
    const updateUserPoolClientCommand = new UpdateUserPoolClientCommand({
      UserPoolId: 'UserPoolId',
      ClientId: 'UserPoolClientId',
      SupportedIdentityProviders: providerNames,
      // ... remaining client settings (elided in the original)
    })

    await this.cognitoIdentityProvider.send(updateUserPoolClientCommand)
  }
}

This is the CDK code we use to create the user pool and client:

import * as cognito from 'aws-cdk-lib/aws-cognito'

// OAuth scope constants referenced unqualified below
const { OPENID, EMAIL, PROFILE, PHONE, COGNITO_ADMIN } = cognito.OAuthScope

// callbackUrls and logoutUrls are string arrays defined elsewhere in the stack
this.pool = new cognito.UserPool(scope, 'user-pool', {
  autoVerify: { email: true },
  mfa: cognito.Mfa.OPTIONAL,
  mfaSecondFactor: { sms: false, otp: true },
  signInAliases: { email: true },
  standardAttributes: { email: { required: true, mutable: true } },
  userPoolName: 'user-pool',
})

this.client = new cognito.UserPoolClient(scope, 'user-pool-client', {
  generateSecret: false,
  authFlows: {
    userPassword: true,
    userSrp: true,
    adminUserPassword: true,
    custom: true,
  },
  preventUserExistenceErrors: true,
  oAuth: {
    callbackUrls: callbackUrls,
    flows: { authorizationCodeGrant: true, implicitCodeGrant: true },
    logoutUrls: logoutUrls,
    scopes: [OPENID, EMAIL, PROFILE, PHONE, COGNITO_ADMIN],
  },
  userPool: this.pool,
  userPoolClientName: 'user-pool-client',
})

this.domain = new cognito.UserPoolDomain(scope, 'domain', {
  cognitoDomain: { domainPrefix: '...' },
  userPool: this.pool,
})

SDK version number

@aws-sdk/client-cognito-identity-provider@3.583.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

Node 18

Reproduction Steps

Please use the code in the description to reproduce it.

Observed Behavior

Getting this error in the UI after being redirected from the Azure login: Error: Invalid SAML response received: SAML Assertion signature is invalid.
This is logged in the console by Amplify, but I can also see the error appended to the callback URL.

Expected Behavior

No error

Possible Solution

Currently the workaround is to manually go to the AWS Cognito console and just Edit > Save the Hosted UI of the user pool client without any changes.

Additional Information/Context

No response

@ap-h ap-h added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 15, 2024
@aBurmeseDev aBurmeseDev self-assigned this Jun 18, 2024
aBurmeseDev (Member) commented

Hi @ap-h - thanks for reaching out.

This sounds like it's more of a SAML-related issue rather than an AWS SDK one. I'm able to run the SDK code that you shared successfully. Upon doing some research on the error, the culprit might be a metadata mismatch between the SAML response and the Cognito User Pool metadata. It could also be the SAML attribute mapping. Is there a way for you to compare successful and failed SAML assertions?

I'm not sure what your workflow setup looks like, but I'd be happy to duplicate a similar setup and try to reproduce it on my end if you can share a step-by-step repro.

Here are some resources that might be useful:

Hope it helps!

@aBurmeseDev aBurmeseDev added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jun 19, 2024
ap-h (Author) commented Jun 19, 2024

Hi @aBurmeseDev, thank you for getting back to me and sharing the links!

The SDK and CDK code work fine, but we get the error when we test SSO login in the UI. We get the following error: SAML Assertion signature is invalid
However, if we just submit the Hosted UI without changes, then it works. This is the confusing part.

When I search for "SAML Assertion signature is invalid" on Google it returns just 8 results that are totally unrelated. I checked all the links you shared, but they are for different error messages; am I missing something?

Sorry, I'm not sure what you mean by "compare successful and failed SAML assertions".
Happy to provide the details you want if you can tell me what I need to do.

This is an example SAML file we use (masked values):

SAML file:

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_5dcbb69d-a927-4aa9-abfa-xxx"
                  entityID="https://sts.windows.net/78fc3e7b-3a69-4a24-b243-xxx/"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#_5dcbb69d-a927-4aa9-abfa-xxx">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>LjED5k8EutKYrP+xxx/lP4=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>
            JSBTIrYoHFz1zrPR5OmCxOdxzrIF80zoQ275ogKN0HEgaswPHGxZ3im566xJ95aABHdRQifOLMkViYABYRIN4+xxx==
        </SignatureValue>
        <KeyInfo>
            <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Certificate>
                    MIIC8DCCAdigAwIBAgIQSTxxx
                </ds:X509Certificate>
            </ds:X509Data>
        </KeyInfo>
    </Signature>
    <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
                    protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>
                        MIIC8DCCAdigAwIBAgIQSTTRchxxx
                    </X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <fed:ClaimTypesOffered>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Name</auth:DisplayName>
                <auth:Description>The mutable display name of the user.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Subject</auth:DisplayName>
                <auth:Description>An immutable, globally unique, non-reusable identifier of the user that is unique to
                    the application for which a token is issued.
                </auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Given Name</auth:DisplayName>
                <auth:Description>First name of the user.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Surname</auth:DisplayName>
                <auth:Description>Last name of the user.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/displayname"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Display Name</auth:DisplayName>
                <auth:Description>Display name of the user.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/nickname"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Nick Name</auth:DisplayName>
                <auth:Description>Nick name of the user.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Authentication Instant</auth:DisplayName>
                <auth:Description>The time (UTC) when the user is authenticated to Windows Azure Active Directory.
                </auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Authentication Method</auth:DisplayName>
                <auth:Description>The method that Windows Azure Active Directory uses to authenticate users.
                </auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/objectidentifier"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>ObjectIdentifier</auth:DisplayName>
                <auth:Description>Primary identifier for the user in the directory. Immutable, globally unique,
                    non-reusable.
                </auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/tenantid"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>TenantId</auth:DisplayName>
                <auth:Description>Identifier for the user's tenant.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/identityprovider"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>IdentityProvider</auth:DisplayName>
                <auth:Description>Identity provider for the user.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Email</auth:DisplayName>
                <auth:Description>Email address of the user.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Groups</auth:DisplayName>
                <auth:Description>Groups of the user.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/accesstoken"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>External Access Token</auth:DisplayName>
                <auth:Description>Access token issued by external identity provider.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>External Access Token Expiration</auth:DisplayName>
                <auth:Description>UTC expiration time of access token issued by external identity provider.
                </auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/openid2_id"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>External OpenID 2.0 Identifier</auth:DisplayName>
                <auth:Description>OpenID 2.0 identifier issued by external identity provider.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/claims/groups.link"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>GroupsOverageClaim</auth:DisplayName>
                <auth:Description>Issued when number of user's group claims exceeds return limit.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Role Claim</auth:DisplayName>
                <auth:Description>Roles that the user or Service Principal is attached to</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids"
                            xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>RoleTemplate Id Claim</auth:DisplayName>
                <auth:Description>Role template id of the Built-in Directory Roles that the user is a member of
                </auth:Description>
            </auth:ClaimType>
        </fed:ClaimTypesOffered>
        <fed:SecurityTokenServiceEndpoint>
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>https://login.microsoftonline.com/78fc3e7b-3a69-4a24-b243-571ff1d015e4/wsfed</wsa:Address>
            </wsa:EndpointReference>
        </fed:SecurityTokenServiceEndpoint>
        <fed:PassiveRequestorEndpoint>
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>https://login.microsoftonline.com/78fc3e7b-3a69-4a24-b243-571ff1d015e4/wsfed</wsa:Address>
            </wsa:EndpointReference>
        </fed:PassiveRequestorEndpoint>
    </RoleDescriptor>
    <RoleDescriptor xsi:type="fed:ApplicationServiceType"
                    protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>
                        MIIC8DCCAdigAwIBAgIQSxxx
                    </X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <fed:TargetScopes>
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>https://sts.windows.net/78fc3e7b-3a69-4a24-b243-xxx/</wsa:Address>
            </wsa:EndpointReference>
        </fed:TargetScopes>
        <fed:ApplicationServiceEndpoint>
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>https://login.microsoftonline.com/78fc3e7b-3a69-4a24-b243-xxx/wsfed</wsa:Address>
            </wsa:EndpointReference>
        </fed:ApplicationServiceEndpoint>
        <fed:PassiveRequestorEndpoint>
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>https://login.microsoftonline.com/78fc3e7b-3a69-4a24-b243-xxx/wsfed</wsa:Address>
            </wsa:EndpointReference>
        </fed:PassiveRequestorEndpoint>
    </RoleDescriptor>
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>
                        MIIC8DCCAdigAwIBAgIQSTTRchOUiYRxxx
                    </X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                             Location="https://login.microsoftonline.com/78fc3e7b-3a69-4a24-b243-xxx/saml2"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                             Location="https://login.microsoftonline.com/78fc3e7b-3a69-4a24-b243-xxx/saml2"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             Location="https://login.microsoftonline.com/78fc3e7b-3a69-4a24-b243-xxx/saml2"/>
    </IDPSSODescriptor>
</EntityDescriptor>
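One way to do the comparison aBurmeseDev asked for, as an added example that is not part of this issue, the AWS SDK or Cognito: pull the signing certificate(s) a SAML SP takes from the metadata's IDPSSODescriptor and check them against the certificate carried in the Signature of a captured SAML Response. The metadata and response below are constructed placeholders with fake cert strings, not the issue's real files; the real Azure AD metadata above has the same shape.

```python
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _norm(text):
    """Collapse whitespace so a cert pasted with line breaks compares equal."""
    return re.sub(r"\s+", "", text or "")


def metadata_signing_certs(metadata_xml):
    """Signing certs a SAML SP takes from this metadata: X509Certificate under
    IDPSSODescriptor/KeyDescriptor with use='signing' (or no use attribute).
    The WS-Federation RoleDescriptor blocks in Azure AD metadata are skipped."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
            if kd.get("use", "signing") == "signing":
                certs.update(_norm(c.text) for c in kd.iter(f"{{{DS}}}X509Certificate"))
    return certs


def response_signing_certs(response_xml):
    """Certs carried in ds:KeyInfo of any Signature inside a SAML Response."""
    root = ET.fromstring(response_xml)
    return {_norm(c.text) for c in root.iter(f"{{{DS}}}X509Certificate")}


def diagnose(metadata_xml, response_xml):
    """Split the response's certs into those the metadata trusts and those it
    does not. 'unknown' without any 'matched' means the IdP signed with a key
    the SP's copy of the metadata never saw (key rollover, stale or wrong
    metadata); a match means the signature failure has another cause."""
    trusted = metadata_signing_certs(metadata_xml)
    used = response_signing_certs(response_xml)
    return {"matched": used & trusted, "unknown": used - trusted, "trusted": trusted}


# Constructed sample inputs: placeholder cert strings, not real certificates.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/TENANT_ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>
        CERT_OLD
      </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
  <saml:Assertion ID="_a1"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT_NEW</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>
</samlp:Response>"""
```

Run `diagnose()` on the metadata file that was uploaded to Cognito and on a failing SAMLResponse decoded from the browser's POST to the Cognito callback; if the certificate in the response shows up under "unknown", the copy of the metadata Cognito holds and the key the IdP is signing with have drifted apart.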

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 20, 2024