SAML / SSO Login Failure due to Signature Auth Failure

Article ID: 292227

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The SAML assertion is never processed and the SSO login fails.
  • /var/log/cb/coreservices/debug.log records a signature error from the SAML library (pysaml2), followed by a traceback:
    <err>  saml2.entity - Signature Error: Signature missing for response
    <err>  saml2.client_base - XML parse error: Signature missing for response
    <err>  cb.flask.blueprints.api_routes_saml - SSO assertion auth failure
    Traceback (most recent call last):
      File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/cb/flask/blueprints/api_routes_saml.py", line 560, in saml_assertion
      File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/cb/flask/blueprints/api_routes_saml.py", line 197, in handle_assertion
      File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/saml2/client_base.py", line 831, in parse_authn_request_response
        binding, **kwargs)
      File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/saml2/entity.py", line 1504, in _parse_response
        response = response.loads(xmlstr, False, origxml=origxml)
      File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/saml2/response.py", line 528, in loads
        self._loads(xmldata, decode, origxml)
      File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/saml2/response.py", line 344, in _loads
        **args)
      File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/saml2/sigver.py", line 1758, in correctly_signed_response
        raise SignatureError('Signature missing for response')
    SignatureError: Signature missing for response
  • The last frame is the key one: pysaml2's correctly_signed_response rejects the message because the samlp:Response element itself carries no signature and EDR is configured to require one. Whether the Assertion inside the Response is signed is not what this check is about.


Environment

  • Carbon Black EDR Server: 6.2.2 and Higher
  • SAML/SSO

Cause

The IdP (Identity Provider) is signing, at most, the SAML Assertion and not the enclosing SAML Response. EDR 6.2.2 and higher requires a signed Response (want_response_signed is true by default), so the message is rejected before the assertion is evaluated. ADFS behaves this way out of the box: a Relying Party Trust defaults to signing the assertion only (AssertionOnly).
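To confirm this cause before changing either side, decode the SAMLResponse that the IdP POSTs to EDR (the base64 SAMLResponse form field, captured with the browser's developer tools or a SAML tracer extension) and check which elements actually carry a signature. The script below is an added example, not code from this article, from Carbon Black or from pysaml2. It checks only for the presence of ds:Signature elements, not their validity, and the sample messages it builds are constructed placeholders rather than captured ADFS output.

```python
"""Triage a captured SAMLResponse: is the Response signed? is the Assertion signed?

Added example. Presence of a signature element is all that is checked here;
cryptographic verification is left to EDR/pysaml2.
"""
import base64
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

RESPONSE_TAG = "{%s}Response" % SAMLP
ASSERTION_TAG = "{%s}Assertion" % SAML
ENCRYPTED_ASSERTION_TAG = "{%s}EncryptedAssertion" % SAML
SIGNATURE_TAG = "{%s}Signature" % DS


def _has_direct_signature(element):
    """True if a ds:Signature is an immediate child of `element`.

    Only an immediate child covers this element. A signature buried deeper
    (for example inside an Assertion) says nothing about the enclosing
    Response; counting it would be the mistake XML signature wrapping exploits.
    """
    return any(child.tag == SIGNATURE_TAG for child in element)


def signature_status(saml_response_b64):
    """Report which parts of a base64 SAMLResponse carry a signature element."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != RESPONSE_TAG:
        raise ValueError("not a samlp:Response element: %s" % root.tag)
    assertions = [c for c in root if c.tag == ASSERTION_TAG]
    encrypted = [c for c in root if c.tag == ENCRYPTED_ASSERTION_TAG]
    return {
        "response_signed": _has_direct_signature(root),
        "assertion_count": len(assertions),
        "encrypted_assertion_count": len(encrypted),
        # Only meaningful when there is at least one plaintext assertion.
        "all_assertions_signed": bool(assertions)
        and all(_has_direct_signature(a) for a in assertions),
    }


def diagnose(saml_response_b64):
    """One-line verdict for the situations an EDR admin will meet."""
    status = signature_status(saml_response_b64)
    if not status["response_signed"]:
        if status["all_assertions_signed"]:
            return ("Response unsigned, Assertion signed: have the IdP sign the "
                    "Response, or set want_response_signed to false")
        return "Neither Response nor Assertion signed: fix the IdP, do not relax EDR"
    return "Response signed: the 'Signature missing for response' error does not apply"


# Constructed test messages (not captured from a real IdP). The signature
# element is a placeholder: presence is all this script looks at.
_FAKE_SIGNATURE = (
    '<ds:Signature xmlns:ds="%s"><ds:SignedInfo/>'
    '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>' % DS
)


def build_sample_response(sign_response, sign_assertion):
    """Build a minimal base64 Response with placeholder signatures where asked."""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
        % (SAMLP, SAML)
        + (_FAKE_SIGNATURE if sign_response else "")
        + '<saml:Assertion ID="_a1" Version="2.0">'
        + "<saml:Issuer>https://idp.example.com</saml:Issuer>"
        + (_FAKE_SIGNATURE if sign_assertion else "")
        + "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # ADFS default (AssertionOnly): exactly the article's failure.
    print(diagnose(build_sample_response(False, True)))
    # ADFS after switching the trust to MessageAndAssertion.
    print(diagnose(build_sample_response(True, True)))
```

Feed the script a real captured value by replacing the constructed message with the SAMLResponse field from the POST to EDR's assertion consumer URL; if the verdict is "Response unsigned, Assertion signed", the Cause above is confirmed and the Resolution applies.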

Resolution

  • Configure the IdP to sign the SAML Response (preferred).
    • For ADFS, enable Response signing on the Relying Party Trust used for the EDR SSO configuration. From an elevated PowerShell session on the ADFS server:
      Set-AdfsRelyingPartyTrust -TargetName "ADFS Relying Party Trust Name Here" -SamlResponseSignature MessageAndAssertion
      Confirm the change took effect:
      Get-AdfsRelyingPartyTrust -Name "ADFS Relying Party Trust Name Here" | Select-Object Name, SamlResponseSignature
    • For other IdPs, refer to their documentation; the option is usually described as signing the response (or message) in addition to the assertion.
  • If the IdP cannot be configured to sign responses, tell EDR not to require a Response signature:
    1. Edit /etc/cb/sso/sso.conf
    2. Add want_response_signed set to false inside the "sp" block of "service", before the "idp" key:
       "service": {
           "sp": {
              "want_response_signed": false,
              "idp": {
    3. Restart the EDR services (cb-enterprise) so the new configuration is loaded.
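The same fallback edit as a script that refuses to leave signature checking off entirely. This is an added example, not Carbon Black code. It assumes sso.conf is a JSON document in the pysaml2 layout the fragment above shows (service -> sp), uses the pysaml2 SP setting want_assertions_signed as the companion control, and edits SAMPLE_CONF, a constructed placeholder file rather than a real EDR configuration.

```python
"""Apply the article's want_response_signed fallback to sso.conf safely.

Added example. Assumes sso.conf is JSON in the pysaml2 layout (service -> sp).
"""
import json


def sp_settings(conf_text):
    """Return the service.sp block of an sso.conf document."""
    return json.loads(conf_text)["service"]["sp"]


def audit(conf_text):
    """List signature-requirement problems found in an sso.conf document."""
    sp = sp_settings(conf_text)
    findings = []
    # The article states want_response_signed defaults to true on 6.2.2+.
    if sp.get("want_response_signed", True) is False:
        # No library default is assumed for the assertion requirement: if it is
        # not written down as true, treat the configuration as unsafe.
        if sp.get("want_assertions_signed") is not True:
            findings.append(
                "want_response_signed is false but want_assertions_signed is not "
                "explicitly true: no signature would be required on the login"
            )
    return findings


def relax_response_signature(conf_text):
    """Set want_response_signed to false and keep assertion signatures mandatory."""
    conf = json.loads(conf_text)
    sp = conf["service"]["sp"]
    if sp.get("want_assertions_signed") is False:
        raise ValueError("refusing: assertions must stay signed when the Response is not")
    sp["want_response_signed"] = False
    sp["want_assertions_signed"] = True  # explicit rather than left to the library default
    return json.dumps(conf, indent=2)


# Constructed sso.conf shaped like the article's fragment; all values are placeholders.
SAMPLE_CONF = """{
  "entityid": "https://edr.example.com/sso/sp",
  "service": {
    "sp": {
      "allow_unsolicited": true,
      "idp": {
        "https://idp.example.com/adfs/services/trust": {
          "single_sign_on_service": {
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "https://idp.example.com/adfs/ls/"
          }
        }
      }
    }
  }
}
"""

if __name__ == "__main__":
    updated = relax_response_signature(SAMPLE_CONF)
    print(updated)
    print("findings:", audit(updated))
```

The rewritten file places the two keys at the end of the "sp" block rather than before "idp" as in the manual steps; JSON key order has no meaning, so either placement works. Run it against a copy of /etc/cb/sso/sso.conf, diff the result, copy it into place, then restart the services.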

Additional Information

  • Configuring the IdP to sign the Response is the more secure option: the Response signature covers the whole message, so EDR can verify that the message as delivered came from the IdP and that nothing around the assertion was tampered with (for example by XML signature wrapping).
  • Setting want_response_signed to false makes EDR rely on the Assertion signature alone. sso.conf uses the pysaml2 configuration layout, and the companion setting want_assertions_signed in the same "sp" block controls whether signed assertions are required; keep it true (add it explicitly if it is absent) whenever want_response_signed is false, and never disable both.
  • In server versions 6.2.2 and higher the /etc/cb/sso/sso.conf setting want_response_signed defaults to true, which is why an IdP that only signs assertions can start failing after an upgrade to these versions.