SAML Response Block Not Aunthenticating
Article ID: 191570
Updated On:
Products
Issue/Introduction
SAML Response showing the following error:
WARNING com.l7tech.external.assertions.validatenonsoapsaml.server.ServerValidateNonSoapSamlTokenAssertion : 5552: Signature confirmation failed: Unable to verify signature of SAML
assertion: Validity not achieved. Signature not valid. null#012#011Element #id2580803694653514837643688: Digest value mismatch: calculated: PP36jf8ErwfWfR93zkuHbbqH4LR3Ib7Fw8QVSW95qBg=
Environment
Release : 9.2
Component : API GATEWAY
Cause
InclusiveNamespaces is the problem. When gateway tries to reconstruct message using library, it does not add namespace back in signed element, causing digest value to mismatch.
defect DE334566
Resolution
Customer wanted to use XPath assertion to drop additional xml nodes from saml message before sending it for validation. But XPath Assertion dropped namespaces, so it was better to use XSLT transform for to drop additional nodes.
Provided a sample policy with XSLT
Additional Information
Works
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
</ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> </ds:Transform></ds:Transforms>
Fails:
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
</ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs">
</ec:InclusiveNamespaces></ds:Transform></ds:Transforms>
XPath assertion while storing DOM structure in context variable converted to string using exclusive canonicalize, which dropped namespaces from
Attachments
Feedback
