Help with debugging Invalid SSO Response error

Discussion in 'LiquidFiles General' started by Tanner Hong, Sep 28, 2018.

  1. Tanner Hong

    Tanner Hong New Member

    Joined:
    Sep 28, 2018
    Messages:
    8
    Likes Received:
    0
    We are configuring LiquidFiles for the first time, and are trying to configure the authentication settings to allow for Single Sign-on. This is not the first SSO that I have set up, but this is the first time that I have received this error and I am not sure how to go about solving it. Message that pops up after successfully authenticating against our identity provider is: Invalid SSO Response: Invalid Signature on SAML Response. We are using a SHA1 certificate, and the fingerprint that I have entered is correct. What could be the root cause of this issue? Is this a common problem or rarely seen? I can provide more information if asked to.
     
  2. David

    David Administrator
    Staff Member

    Joined:
    Dec 1, 2015
    Messages:
    683
    Likes Received:
    15
    Please ensure:
    • You have fingerprint of the proper signing certificate on your IdP
    • Common issue is as well, that LF appliance is offering the identifier in the this format: https://lf.domain.com/ but IdP is expecting now https://lf.domain.com, in this case please add the trailing slash "/" in to the identifier in your IdP configuration, so it looks like: https://lf.domain.com/
    • On the LF server check if the Signature algorithm option is set to SHA-1 in the LF's "Admin > Configuration > SSO" settings. By default there is selected SHA-256.
     
  3. Tanner Hong

    Tanner Hong New Member

    Joined:
    Sep 28, 2018
    Messages:
    8
    Likes Received:
    0
    Hi David,

    You can see here (https://account-dev.illinoisstate.edu/oamfed/idp/metadata) that the metadata we are using has a X509 certificate, and the fingerprint to that certificate should be 5E:E2:24:51:1A:E0:B6:25:4A:2B:E4:4D:F2:46:03:B9:93:B3:F4:A1.
    In my IdP settings I took the metadata that LF offers, so the URL that our side is trying to reach is indeed already in the correct format with the trailing "/"
    I have made sure to select SHA-1 as the Signature Algorithm, which still does not work.

    Is there any additional information that I can provide you with that can help my situation?

    Thank you
     
  4. David

    David Administrator
    Staff Member

    Joined:
    Dec 1, 2015
    Messages:
    683
    Likes Received:
    15
    Debug SAML logs on the LF server you can find in "Admin > Activity logs | debug | application".
     
  5. Tanner Hong

    Tanner Hong New Member

    Joined:
    Sep 28, 2018
    Messages:
    8
    Likes Received:
    0
    Hi David,

    Would you be able to help me debug to some extent? I have attached a file with my errors and debug information

    Thank you
     

    Attached Files:

  6. David

    David Administrator
    Staff Member

    Joined:
    Dec 1, 2015
    Messages:
    683
    Likes Received:
    15
    According to logs seems you have changed the fingerprint algorithm to SHA-256, which is ok.
    The format of the reply from the IdP server looks correctly. I think you have calculated wrongly the fingerprint of the the X.509 certificate.
    If I take the certificate from the metadata file under <dsig:Signature> --> <dsig:X509Certificate>, I got fingerprints like this:

    Code:
    SHA1 Fingerprint=A5:08:9A:0F:F8:0E:A5:FD:39:29:54:C0:E0:C3:47:3D:B0:53:1D:96
    SHA256 Fingerprint=
    92:1F:61:99:7A:D3:DF:0F:4E:51:F3:48:80:BA:FF:17:97:E3:E8:83:1F:7E:A7:C9:A0:96:93:5F:8E:62:30:CB                 
    
     
  7. Tanner Hong

    Tanner Hong New Member

    Joined:
    Sep 28, 2018
    Messages:
    8
    Likes Received:
    0
    Hi David,

    My apologizes, it looks like I changed the environment that LF was using between the time I last posted that metadata link, and the time of my debug log. If you look at our test metadata, then you should be able to see that the fingerprint matches the one within the debug file. Previously you were looking at our development metadata. And I have tried both SHA-1 and SHA-256 fingerprints from the test X509 cert with no luck.

    Thank you
     
  8. Tanner Hong

    Tanner Hong New Member

    Joined:
    Sep 28, 2018
    Messages:
    8
    Likes Received:
    0

    Actually, if you go and look at the fingerprint from the logs and compare it to the metadata, it is going to be different since I just updated and changed the X509 cert. These are the fingerprints that I have tried to use now with still no luck
    SHA-1: 7d:22:1f:23:76:cb:31:a9:12:ba:06:39:df:db:ce:74:4a:c6:8c:e3
    SHA-256: 98:0F:82:46:1E:A3:9A:1F:F9:41:CE:5F:A8:59:4F:CE:91:5F:80:F2:32:0A:44:CE:9E:98:96:5E:77:E3:A3:6E

    Here is what the log output looks like in reference to the fingerprint
    @idp_cert_fingerprint="7d:22:1f:23:76:cb:31:a9:12:ba:06:39:df:db:ce:74:4a:c6:8c:e3"
     
    #8 Tanner Hong, Oct 2, 2018
    Last edited: Oct 2, 2018
  9. David

    David Administrator
    Staff Member

    Joined:
    Dec 1, 2015
    Messages:
    683
    Likes Received:
    15
    For that other IdP the fingreprints are correct.

    If I sum it up, on the LF server you should have in the "Admin > Configuration > SSO" this settings:

    IdP Login URL: https://account-test.illinoisstate.edu/oamfed/idp/samlv20
    IdP Cert Fingerprint: 98:0F:82:46:1E:A3:9A:1F:F9:41:CE:5F:A8:59:4F:CE:91:5F:80:F2:32:0A:44:CE:9E:98:96:5E:77:E3:A3:6E
    Name Identifier Format:
    Code:
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    Authn Context:
    Code:
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    Signature Algorithm: SHA-256
    Auth Comparison: Minimum

    On the IdP should be something like this:

    LiquidFiles SAML Login URL: https://atliquidfiles01-t.at.illinoisstate.edu/saml/init
    LiquidFiles SAML Consumer URL is: https://atliquidfiles01-t.at.illinoisstate.edu/saml/consume
    SAML audience/identifier: https://atliquidfiles01-t.at.illinoisstate.edu/

    Please ensure the SAML NameID is set to user's "Email" address.

    From the authentication methods the IdP should offer to the LF server at least PasswordProtectedTransport.

    btw LF hostname in the logs really should look like this: atliquidfiles01-t.at.illinoisstate.edu?
     
  10. Tanner Hong

    Tanner Hong New Member

    Joined:
    Sep 28, 2018
    Messages:
    8
    Likes Received:
    0
    Correct, everything you posted above is what I have entered in the fields of both LF SSO configuration, and my IdP configuration. I'm not sure if this error truly is a problem with the fingerprint, since it all seems to be correct. I've attached screenshots of what my current configuration looks like. I have it configured to use SHA-1 right now, but I have tried SHA-256 as well. I have also attached an image of what my IdP configuration looks like. I've done a straight upload of the metadata from LF, so you won't be able to see the links that are configured, but they are the same as you have stated above.
     

    Attached Files:

  11. David

    David Administrator
    Staff Member

    Joined:
    Dec 1, 2015
    Messages:
    683
    Likes Received:
    15
    Have you tried to enter the Service details manually? Which IdP service do you use?
     
  12. Tanner Hong

    Tanner Hong New Member

    Joined:
    Sep 28, 2018
    Messages:
    8
    Likes Received:
    0
    Yes, but manual entry did not seem to produce any other results than the ones we have been seeing. We are using Oracle Access Manager 12c. We haven't encountered this issue with any other SPs before.
     
  13. Tanner Hong

    Tanner Hong New Member

    Joined:
    Sep 28, 2018
    Messages:
    8
    Likes Received:
    0
    I figured it out, here is what I did for future reference.
    We are using Oracle Access Manager (OAM) version 12c. I am not sure if this is by default, but the x509 digital certificate was not being sent by default over federation exchanges. The SAML response did not have a signed assertion. The SAML response was missing the X509Certificate attribute. The following command was ran in WLST (Oracle's WebLogic Script Tool) to force the SAML response to have a signed assertion:

    updatePartnerProperty("Liquid_files_test", "sp", "includecertinsignature", "true", "boolean")
     

Share This Page