Security

Verification of SAML assertion using the IDP's certificate provided failed. Error: failed to verify signature with cert

lguplusIdaas
New Member

my SAML Response to Splunk.

 

<?xml version="1.0" encoding="UTF-8" standalone="no"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://RTNB336:8000/saml/acs" ID="_4c16f9be1c813c774f2f9111fd5602f6" InResponseTo="RTNB336.21.0882C4AC-681F-4648-AD0F-FDD9F4BE114B" IssueInstant="2024-06-20T01:56:14.199Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://hive.dreamidaas.com</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_4c16f9be1c813c774f2f9111fd5602f6"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>Wjlp0IBLeluYep7QMphL/ZBkVsDqxbrFcgSDFiFxQBo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Y0Lp7OR2BWIie+F60hJUhNdOLKhWlXnjLyD0Y7Ut1lPIYfL9uoClcQA98Ge961M7FjrC/uDA8yxGYKvApU4VOYzy7kLM0wbxFKUVXAuPAl5of0WWrMV8QMSWfCq8/ensPzlzsqg84tf86UgMZ2PodD6WOM9SIIW+izBPOP3emuv2c+UrvR2eyp1s+ItWn0AUB+0R0l+iqd+sNE/Gb+l9THlJYm68yLr2DY0nT66dOLKS3Q3jnMox6xrzsSnwaF6+H+dSnvd5YeBIMyjTC1bF6GjQpdudTNz8162TvtJjvAcTUOwhUmLyY4ytTvL+lHKOsDh57wZenvB4gVYzoF6T+A==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtDCCApygAwIBAgIKJxHdhEoMRRD/JjANBgkqhkiG9w0BAQsFADBCMQswCQYDVQQGEwJLUjEW
MBQGA1UECgwNRHJlYW1TZWN1cml0eTEMMAoGA1UECwwDU1NPMQ0wCwYDVQQDDARST09UMB4XDTIy
MDIyMzIzNTY1NFoXDTMyMDIyMzIzNTY1NFowTzELMAkGA1UEBhMCS1IxFjAUBgNVBAoMDURyZWFt
U2VjdXJpdHkxDDAKBgNVBAsMA1NTTzEaMBgGA1UEAwwRTUFHSUNfU1NPX0lEUF9TaWcwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCGEA5RIOlCH/xJX5qnAQRixJfuUhv2dBoGyCjO1qbJ
GuJh6lCF7mwsJbS+PStFrFvXBrfFt8S2QU7hndK5aj3f83IJiiv6y+a26/4xNf19sp6AtafAmWr9
kkI5AH51/9l8ypzf67OAUfrJxFPW6ZKgWiGp5yjrensl1IKxwP0joxUQXISI+epu07XpdWF2SJQ7
rVRNPZUP6sA+lNQsFDznN7moWFcU+UyrTJHDkgj/2qw4QvucNBY7Hj/bC/6KX1d0XSKfvQCfI4gu
Gd/4FL1ApnyTvZ/tnbcbl420NWbKgtn19Q4ZIqhj10ruTzVn1YOpwqBGP/NlKDVmKOCem7tvAgMB
AAGjgZ4wgZswagYDVR0jBGMwYYAULffLTJtBlWrpR2I1Coc4OG3funyhRqREMEIxCzAJBgNVBAYT
AktSMRYwFAYDVQQKDA1EcmVhbVNlY3VyaXR5MQwwCgYDVQQLDANTU08xDTALBgNVBAMMBFJPT1SC
AQEwHQYDVR0OBBYEFPvKSaxuZMLnM8ZqaFFkw0xeDp8CMA4GA1UdDwEB/wQEAwIGwDANBgkqhkiG
9w0BAQsFAAOCAQEAflCL2e6ZHxGDtK6PSjrGrhrkJ4XYHvKGnEWWajhL0RqqDoQhEAOAzEyGMcpQ
zWBF6etI+uDlnr7EfPCAojvwfcQCEGK4gCHskHHDkXNz5MAC2sSHqVEn/ChAO9nRnTRo4EZlFVgH
SXIDJqeWZd2wJ86u9cqA6XTyB/KuVwnTD2U/1W87ERpKlXtDNnC5hB3cp1ONaW+0+Fnn4NdSgMQd
SwteL/CtU+q/gcYt1izy1RGdcDRR11+nmfkZT6UYCyKj0ea0yc4SbRjGIEOgJExDJBL8eyc4X2D3
4k6B4rhPzx+vF1OB1esHB69T6Vlo+iUM+XtoLFUOhloNiDzXq+2Hgg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_93ae10442348482eb51b04051c58267a" IssueInstant="2024-06-20T01:56:14.199Z" Version="2.0"><saml2:Issuer>http://hive.dreamidaas.com</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="http://hive.dreamidaas.com" SPNameQualifier="RTNB336">rladnrud@devdreamsso.site</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="RTNB336.21.0882C4AC-681F-4648-AD0F-FDD9F4BE114B" NotOnOrAfter="2024-06-20T02:01:14.199Z" Recipient="http://RTNB336:8000/saml/acs"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2024-06-20T01:56:14.199Z" NotOnOrAfter="2024-06-20T02:01:14.199Z"><saml2:AudienceRestriction><saml2:Audience>RTNB336</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2024-06-20T01:55:52.000Z" SessionIndex="_8028c81d727dcc5a423afa58c645b8c5"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></samlp:Response>

 

There's no problem in my IDP. I don't know why Splunk can't verify signature properly

Labels (3)
0 Karma