We are configuring LiquidFiles for the first time, and are trying to configure the authentication settings to allow for Single Sign-on. This is not the first SSO that I have set up, but this is the first time that I have received this error and I am not sure how to go about solving it. Message that pops up after successfully authenticating against our identity provider is: Invalid SSO Response: Invalid Signature on SAML Response. We are using a SHA1 certificate, and the fingerprint that I have entered is correct. What could be the root cause of this issue? Is this a common problem or rarely seen? I can provide more information if asked to.
Please ensure: You have fingerprint of the proper signing certificate on your IdP Common issue is as well, that LF appliance is offering the identifier in the this format: https://lf.domain.com/ but IdP is expecting now https://lf.domain.com, in this case please add the trailing slash "/" in to the identifier in your IdP configuration, so it looks like: https://lf.domain.com/ On the LF server check if the Signature algorithm option is set to SHA-1 in the LF's "Admin > Configuration > SSO" settings. By default there is selected SHA-256.
Hi David, You can see here (https://account-dev.illinoisstate.edu/oamfed/idp/metadata) that the metadata we are using has a X509 certificate, and the fingerprint to that certificate should be 5E:E2:24:51:1A:E0:B6:25:4A:2B:E4:4D:F2:46:03:B9:93:B3:F4:A1. In my IdP settings I took the metadata that LF offers, so the URL that our side is trying to reach is indeed already in the correct format with the trailing "/" I have made sure to select SHA-1 as the Signature Algorithm, which still does not work. Is there any additional information that I can provide you with that can help my situation? Thank you
Hi David, Would you be able to help me debug to some extent? I have attached a file with my errors and debug information Thank you
According to logs seems you have changed the fingerprint algorithm to SHA-256, which is ok. The format of the reply from the IdP server looks correctly. I think you have calculated wrongly the fingerprint of the the X.509 certificate. If I take the certificate from the metadata file under <dsig:Signature> --> <dsig:X509Certificate>, I got fingerprints like this: Code: SHA1 Fingerprint=A5:08:9A:0F:F8:0E:A5:FD:39:29:54:C0:E0:C3:47:3D:B0:53:1D:96 SHA256 Fingerprint= 92:1F:61:99:7A:D3:DF:0F:4E:51:F3:48:80:BA:FF:17:97:E3:E8:83:1F:7E:A7:C9:A0:96:93:5F:8E:62:30:CB
Hi David, My apologizes, it looks like I changed the environment that LF was using between the time I last posted that metadata link, and the time of my debug log. If you look at our test metadata, then you should be able to see that the fingerprint matches the one within the debug file. Previously you were looking at our development metadata. And I have tried both SHA-1 and SHA-256 fingerprints from the test X509 cert with no luck. Thank you
Actually, if you go and look at the fingerprint from the logs and compare it to the metadata, it is going to be different since I just updated and changed the X509 cert. These are the fingerprints that I have tried to use now with still no luck SHA-1: 7d:22:1f:23:76:cb:31:a9:12:ba:06:39:df:db:ce:74:4a:c6:8c:e3 SHA-256: 98:0F:82:46:1E:A3:9A:1F:F9:41:CE:5F:A8:59:4F:CE:91:5F:80:F2:32:0A:44:CE:9E:98:96:5E:77:E3:A3:6E Here is what the log output looks like in reference to the fingerprint @idp_cert_fingerprint="7d:22:1f:23:76:cb:31:a9:12:ba:06:39:df:db:ce:74:4a:c6:8c:e3"
For that other IdP the fingreprints are correct. If I sum it up, on the LF server you should have in the "Admin > Configuration > SSO" this settings: IdP Login URL: https://account-test.illinoisstate.edu/oamfed/idp/samlv20 IdP Cert Fingerprint: 98:0F:82:46:1E:A3:9A:1F:F9:41:CE:5F:A8:59:4F:CE:91:5F:80:F2:32:0A:44:CE:9E:98:96:5E:77:E3:A3:6E Name Identifier Format: Code: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress Authn Context: Code: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport Signature Algorithm: SHA-256 Auth Comparison: Minimum On the IdP should be something like this: LiquidFiles SAML Login URL: https://atliquidfiles01-t.at.illinoisstate.edu/saml/init LiquidFiles SAML Consumer URL is: https://atliquidfiles01-t.at.illinoisstate.edu/saml/consume SAML audience/identifier: https://atliquidfiles01-t.at.illinoisstate.edu/ Please ensure the SAML NameID is set to user's "Email" address. From the authentication methods the IdP should offer to the LF server at least PasswordProtectedTransport. btw LF hostname in the logs really should look like this: atliquidfiles01-t.at.illinoisstate.edu?
Correct, everything you posted above is what I have entered in the fields of both LF SSO configuration, and my IdP configuration. I'm not sure if this error truly is a problem with the fingerprint, since it all seems to be correct. I've attached screenshots of what my current configuration looks like. I have it configured to use SHA-1 right now, but I have tried SHA-256 as well. I have also attached an image of what my IdP configuration looks like. I've done a straight upload of the metadata from LF, so you won't be able to see the links that are configured, but they are the same as you have stated above.
Yes, but manual entry did not seem to produce any other results than the ones we have been seeing. We are using Oracle Access Manager 12c. We haven't encountered this issue with any other SPs before.
I figured it out, here is what I did for future reference. We are using Oracle Access Manager (OAM) version 12c. I am not sure if this is by default, but the x509 digital certificate was not being sent by default over federation exchanges. The SAML response did not have a signed assertion. The SAML response was missing the X509Certificate attribute. The following command was ran in WLST (Oracle's WebLogic Script Tool) to force the SAML response to have a signed assertion: updatePartnerProperty("Liquid_files_test", "sp", "includecertinsignature", "true", "boolean")