问题
We are trying to setup a custom SAML integration with the Cisco WebEx. However WebEx SP keeps complaining about the "Invalid digital signature" after the SAML Response is sent to WebEx.
We have already inspected the SAML Response, Signing Cert, and the Fiddler trace of the SAML transaction. Nothing seems out of ordinary. We have done this for several other services and have not run into any issues.
Is there a good tool that can help us debug as to why WebEx is thinking the Digital Signature is invalid?
回答1:
There are a few reasons why a digital signature might be seen as invalid.
Altered Document: Ensure that the document you are signing is not in any way altered after it is signed. Even the addition of a whitespace character will invalidate the signature.
Character Encoding:
If your document contains unicode charaters, ensure that you have the correct encoding specified. Most SAML documents are expected to be encoded in UTF8 like so: <?xml version="1.0" encoding="utf-8"?>
Wrong Element Signed: A SAML document containing an Assertion is usually expected to have a signature on the Assertion itself, and not necessarily on the entire document.
Incorrect Certificate: Ensure that the certificate you've given the authority is a match with the key you are signing. Some implementations will have you include the certificate in the document, where others might require you to predefine the certificate. If the one in your document does not match the one they have on file, the signature will not be seen as valid. Are you signing with an SSL certificate? Did you recently update it?
Ultimately you should test the document yourself. Many SAML libraries will have a mechanism for validating a signature. Does yours appear valid to your library? Failing that, you can use something like xmlsec1 to manually validate your document with your certificate. This is likely what your library is using to encrypt, and likely what the authority is using to validate.
Using XMLSec:
Given a certificate called cert.pem
and a SAML Response XML document called doc.xml
you would validate it like so:
$ xmlsec1 --verify --pubkey-cert-pem cert.pem --id-attr:ID Response doc.xml
OK
SignedInfo References (ok/all): 1/1
You may need to alter the --id-attr
value to match the ID attribute of your document. You are looking for output similar to the above to inform you that your document's signature is valid with the provided certificate.
回答2:
Check that you're signing the Assertion element, not the toplevel Response element.
来源:https://stackoverflow.com/questions/28015152/saml-sp-complaining-invalid-digital-signature