How to debug an Invalid Signature on SAML Response
We're using ruby-saml to establish our app as a service provider while using Google as an identity provider, though I do not think this question is specific to Ruby or that project.
I have seen this answer from the point of view of an IdP, but I'm hoping to see one from the point of view of an SP, because I have a hard time believing Google is getting the signature on the response wrong.
On top of that, we have successfully integrated with other Google accounts, and they work at the same time this one is broken.
As the service providers, how can we figure out the source of an Invalid Signature on SAML Response from the identity provider?
Solution 1:[1]
I ended up using the suggestion to use XMLSec in the answer I referenced in the question, and ran through the decoded base 64 response and the certificate(s) in the metadata file from Google.
That gave me the confidence that there was indeed something wrong with the certificates in the IdP metadata XML file that Google provided.
I then noticed that my working accounts only had 1 certificate in the file, while this one had two. So I removed one, and it did not work. Then I replaced it and removed the other, and it worked.
Then I found out that I could place both certs in the file as long as the working one was first.
I am not sure why there was a difference, and I do not know why Google outputs the certs in an order that XMLSec cannot use to verify the signature.
Perhaps someone with more knowledge than myself can chime in on that, but for now, I'm happy to report that simply reversing the order in which the certs appeared in the IdP metadata file from Google allowed the signature to be verified.
Solution 2:[2]
I needed to include this setting as well. YMMV; it seems like the default algorithm is SHA-1, but the key and output that I was calculating using the openssl utility were using SHA-256:
settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha256"
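Both of the above come down to the same check an SP can make itself before blaming the IdP: which of the certificates in the IdP metadata actually verifies the signature, and what the fingerprint of that certificate is under each digest. The Ruby below is an added example using only the OpenSSL standard library; it is not taken from the answers or from the ruby-saml gem. It constructs two self-signed certificates to stand in for a metadata file that lists two, signs a byte string that stands in for the canonicalised SignedInfo (real XML-DSig verification also needs c14n and digest checking, which xmlsec1 or ruby-saml do for you), and then tries each metadata certificate in file order instead of assuming the first one is the signing key. Newer ruby-saml releases accept several IdP certificates via `settings.idp_cert_multi`; with the single `idp_cert` / `idp_cert_fingerprint` setting you must pick the right one yourself.

```ruby
require "openssl"

# Constructed sample: build a self-signed certificate and its private key.
# Stands in for one <ds:X509Certificate> entry in the IdP metadata.
def make_self_signed_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Fingerprint over the DER encoding, colon separated and upper case, which is
# what `openssl x509 -noout -fingerprint -sha256` prints and what
# settings.idp_cert_fingerprint is compared against. Note that the SHA-1 and
# SHA-256 fingerprints of the same certificate share nothing, so a SHA-256
# value configured with the default SHA-1 algorithm can never match.
def cert_fingerprint(cert, algorithm)
  OpenSSL::Digest.new(algorithm).hexdigest(cert.to_der).upcase.scan(/../).join(":")
end

# Try every metadata certificate in the order it appears and return the index
# of the first one whose public key verifies the signature, or nil if none does.
# An SP that only ever looks at certs[0] reports "Invalid Signature" whenever
# the IdP signs with the second certificate, which is the symptom in Solution 1.
def find_signing_cert(certs, signed_info, signature, digest = "SHA256")
  certs.index do |cert|
    cert.public_key.verify(OpenSSL::Digest.new(digest), signature, signed_info)
  end
end

# Worked run: metadata lists an old cert first and a new one second, but the
# IdP signs with the new one. Names and data are constructed for this example.
def demo
  old_cert, _old_key = make_self_signed_cert("idp-old")
  new_cert, new_key = make_self_signed_cert("idp-new")
  metadata_certs = [old_cert, new_cert] # order as found in the metadata file

  # Placeholder for the canonicalised <ds:SignedInfo> bytes of a real response.
  signed_info = "<ds:SignedInfo>constructed-sample</ds:SignedInfo>"
  signature = new_key.sign(OpenSSL::Digest.new("SHA256"), signed_info)

  {
    verifies_with_first: find_signing_cert([metadata_certs[0]], signed_info, signature) == 0,
    signing_index: find_signing_cert(metadata_certs, signed_info, signature),
    sha1_fp: cert_fingerprint(new_cert, "SHA1"),
    sha256_fp: cert_fingerprint(new_cert, "SHA256"),
  }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "first metadata cert verifies: #{result[:verifies_with_first]}"
  puts "index of signing cert:        #{result[:signing_index]}"
  puts "SHA-1 fingerprint:            #{result[:sha1_fp]}"
  puts "SHA-256 fingerprint:          #{result[:sha256_fp]}"
end
```

To apply this to a real response, extract each `ds:X509Certificate` from the metadata into a PEM file and feed them to `xmlsec1 --verify` one at a time, as Solution 1 did; the one that verifies is the one to put in `settings.idp_cert`, and `cert_fingerprint` with the matching `idp_cert_fingerprint_algorithm` gives the value for `settings.idp_cert_fingerprint`.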
Solution 3:[3]
We had the same error, but a different solution. Our problem was invalid characters in the XML response. Both parsing and validation failed. We could substitute the chars before parsing, but then the validation would still fail because of the changed content. The solution was to base64 decode the response, and open the XML response in an editor (or online XML validator) to find the problematic data. In our case: attribute name "objectSid" from AD. We then changed the simplesamlphp config so that it sent only the data we needed. Now the response validates and parses without problems. Btw, in "settings.idp_cert" (using the ruby-saml gem) we include both the "begin certificate" and "end certificate" headers.
Also, there are browser add-ons that will intercept the SAML conversations for debugging purposes.
Also check these for online troubleshooting:
validate response: https://www.samltool.com/validate_response.php (be careful not to paste your private keys online; only the public cert is needed for response validation)
validate XML: https://www.xmlvalidation.com
online base64 decode: https://www.samltool.com/base64.php
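The same check can be done offline, which avoids pasting a response into a web form at all. The Ruby below is an added example, not code from the answer or from ruby-saml: it base64-decodes a SAMLResponse, scans it for characters that are not allowed anywhere in an XML 1.0 document (anything below U+0020 other than tab, LF and CR, plus U+FFFE/U+FFFF and the surrogate range), and reports each one with the nearest enclosing `Name="..."` attribute so you can see which IdP attribute carries the bad bytes. The sample response is constructed for this example; it carries a raw binary SID in an `objectSid` attribute, which is the case described above.

```ruby
require "base64"

# Characters permitted by the XML 1.0 Char production; anything else is invalid
# wherever it appears, so parsers and signature validators both reject it.
INVALID_XML_CHAR = /[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]/

# Decode the SAMLResponse form parameter into a UTF-8 string. Base64.decode64
# tolerates the line breaks some IdPs insert; strict_decode64 would not.
def decode_saml_response(b64)
  Base64.decode64(b64).force_encoding("UTF-8")
end

# Value of the last Name="..." attribute before `offset`, which for a SAML
# AttributeStatement is the saml:Attribute the offending text sits in.
def enclosing_attribute_name(xml, offset)
  match = xml[0...offset].scan(/Name="([^"]*)"/).last
  match && match.first
end

# Return one finding per invalid character: its character offset, code point
# and enclosing attribute name. Bytes that are not valid UTF-8 are reported
# as a separate finding and replaced before scanning so the regexp can run.
def find_invalid_xml_chars(xml)
  findings = []
  unless xml.valid_encoding?
    findings << { offset: nil, char: nil, attribute: nil, reason: "not valid UTF-8" }
    xml = xml.scrub("?")
  end
  pos = 0
  while (m = INVALID_XML_CHAR.match(xml, pos))
    offset = m.begin(0)
    findings << {
      offset: offset,
      char: format("U+%04X", m[0].ord),
      attribute: enclosing_attribute_name(xml, offset),
      reason: "character not allowed in XML 1.0",
    }
    pos = m.end(0)
  end
  findings
end

# Constructed sample response: a well-formed "mail" attribute followed by an
# "objectSid" attribute whose value contains raw binary SID bytes.
SAMPLE_RESPONSE_XML = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
    <saml:Assertion ID="_a1" Version="2.0">
      <saml:AttributeStatement>
        <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
        <saml:Attribute Name="objectSid"><saml:AttributeValue>\x01\x05\x00\x00</saml:AttributeValue></saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
XML
SAMPLE_RESPONSE_B64 = Base64.strict_encode64(SAMPLE_RESPONSE_XML)

if __FILE__ == $PROGRAM_NAME
  find_invalid_xml_chars(decode_saml_response(SAMPLE_RESPONSE_B64)).each do |f|
    puts "offset #{f[:offset].inspect}: #{f[:char]} in attribute #{f[:attribute].inspect} (#{f[:reason]})"
  end
end
```

Run it against a real response by replacing `SAMPLE_RESPONSE_B64` with the value of the `SAMLResponse` POST parameter; an empty findings list means the failure lies elsewhere (certificate, fingerprint algorithm or clock skew), and a non-empty one names the attribute to drop from the IdP's release policy.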
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | rajat banerjee |
| Solution 3 | folium |