CB Response: SAML / SSO auth failure after upgrading to 6.2.2 and higher



Article ID: 292227


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The SAML assertion is not processed correctly
  • The following error appears in /var/log/cb/coreservices/debug.log:
    • <err>  saml2.entity - Signature Error: Signature missing for response
      <err>  saml2.client_base - XML parse error: Signature missing for response
      <err>  cb.flask.blueprints.api_routes_saml - SSO assertion auth failure
      Traceback (most recent call last):
        File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/cb/flask/blueprints/api_routes_saml.py", line 543, in saml_assertion
        File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/cb/flask/blueprints/api_routes_saml.py", line 187, in handle_assertion
        File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/saml2/client_base.py", line 702, in parse_authn_request_response
          binding, **kwargs)
        File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/saml2/entity.py", line 1142, in _parse_response
          response = response.loads(xmlstr, False, origxml=origxml)
        File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/saml2/response.py", line 512, in loads
          self._loads(xmldata, decode, origxml)
        File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/saml2/response.py", line 337, in _loads
          **args)
        File "/usr/share/cb/virtualenv/lib/python2.7/site-packages/saml2/sigver.py", line 1647, in correctly_signed_response
          raise SignatureError('Signature missing for response')
      SignatureError: Signature missing for response

Environment

  • CB Response Server: 6.2.2 and Higher
  • SAML/SSO

Cause

The IdP (Identity Provider) is not configured to sign SAML responses. In previous versions of the Cb Response server (6.2.1 and lower), the "want_response_signed" flag defaulted to false, so unsigned responses were accepted.

Resolution

  • Configuring the IdP to sign responses will resolve this issue (not covered in this KB)
  • If the IdP is not signing responses:
    1. Edit /etc/cb/sso/sso.conf
    2. Set the flag to false so that SSO keeps working on 6.2.2. The setting is added between "sp" and "idp":
       "service": {
           "sp": {
               "want_response_signed": false,
               "idp": {
    3. Restart services

Additional Information

  • Configuring the IdP to sign responses is the most secure option, since it prevents impersonation of the IdP
  • By default, want_response_signed was false. Before 6.2.2, anyone whose IdP was NOT configured to sign responses still had successful SAML assertions, because the server did not expect a signature.
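Before relaxing want_response_signed, it is worth confirming what the IdP actually sends, because the error above is raised for a missing signature on the samlp:Response wrapper even when the saml:Assertion inside it is signed. The following checker is an added example, not part of this KB or of the Cb Response code: it inspects a captured SAML response (the sample XML is constructed and uses a placeholder issuer), reports which level carries a ds:Signature element, and only checks presence, not cryptographic validity.

```python
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response document.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_status(saml_response_xml):
    """Report whether the samlp:Response element itself and the saml:Assertion
    elements inside it carry a ds:Signature child (presence only; this does
    not validate the signature cryptographically)."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    # want_response_signed concerns a signature directly under <samlp:Response>.
    response_signed = root.find("ds:Signature", NS) is not None
    # Plain (unencrypted) assertions only; saml:EncryptedAssertion is not inspected.
    assertions = root.findall("saml:Assertion", NS)
    signed = [a.find("ds:Signature", NS) is not None for a in assertions]
    return {
        "response_signed": response_signed,
        "assertion_count": len(assertions),
        "assertions_signed": bool(assertions) and all(signed),
    }

def diagnose(saml_response_xml):
    """Map the signature status onto the situations described in this KB."""
    s = signature_status(saml_response_xml)
    if s["response_signed"]:
        return "response-signed"   # accepted by the 6.2.2+ default
    if s["assertions_signed"]:
        return "assertion-only"    # 6.2.2+ raises 'Signature missing for response'
    return "unsigned"              # neither level is signed

# Constructed sample: the assertion is signed, the Response wrapper is not.
SAMPLE_ASSERTION_ONLY = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_ASSERTION_ONLY))
```

A result of "assertion-only" means the IdP signs assertions but not the response, which is exactly the case that fails after the 6.2.2 default change; "unsigned" means neither level is protected and the IdP should be fixed rather than the flag relaxed.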