
Response is expected to have two Transform elements (fails to validate) #284

Closed
d4z3x opened this issue May 28, 2020 · 1 comment
Labels
close_wait plan to close the issue after a respectable interval of inactivity

Comments

@d4z3x

d4z3x commented May 28, 2020

I have a case with an in house SAML Provider, where it sends a SAMLResponse with the Assertion Encrypted, and while it is decoded properly, either the Response or Assertion must be signed is still thrown. Not sure if this is a bug, or I've missed something... Any advice would be appreciated.

Here're the relevant parts of the Response to show that there is a Signature in there:

    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#REDACTED">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>REDACTED</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>REDACTED</SignatureValue>
        <KeyInfo><X509Data><X509Certificate>REDACTED</X509Certificate></X509Data></KeyInfo>
    </Signature>

After applying Pull request 243, I can get past the either the Response or Assertion must be signed error, but now I get another one:

</samlp:Response> (now: 2020-05-29 07:07:31.962304267 +0000 UTC) cannot validate signature on Response: Expected Enveloped and C14N transforms

I took the SAMLResponse Base64 blob and validated it successfully on samltool.com. So I am really confused and beginning to hate my life and more so the in-house SAML IdP.

Here's the Transforms el:
<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>

@d4z3x d4z3x changed the title SAMLResponse with Encrypted Assertion is not detected Response is expected to have two Transform elements (fails to validate) May 29, 2020
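A stand-alone check of the rule behind the "Expected Enveloped and C14N transforms" error (an added example, not code from crewjam/saml): it parses the Signature's Reference/Transforms with encoding/xml and applies the strict expectation of exactly two transforms, enveloped-signature followed by a C14N algorithm. The accepted C14N list and the REDACTED sample are assumptions constructed from the snippet above.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

const envelopedSig = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

// C14N URIs accepted as the second transform (assumed list; verifiers differ).
var c14nAlgorithms = map[string]bool{
	"http://www.w3.org/TR/2001/REC-xml-c14n-20010315": true,
	"http://www.w3.org/2001/10/xml-exc-c14n#":          true,
}

// signature models only what the check needs: the Transform list under
// ds:Signature/SignedInfo/Reference/Transforms.
type signature struct {
	XMLName    xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	Transforms []struct {
		Algorithm string `xml:"Algorithm,attr"`
	} `xml:"SignedInfo>Reference>Transforms>Transform"`
}

// CheckTransforms returns the Reference's Transform algorithms and an error when
// a strict verifier rejects them: it wants exactly enveloped-signature then C14N.
func CheckTransforms(sigXML string) ([]string, error) {
	var sig signature
	if err := xml.Unmarshal([]byte(sigXML), &sig); err != nil {
		return nil, fmt.Errorf("parse Signature: %w", err)
	}
	var algs []string
	for _, t := range sig.Transforms {
		algs = append(algs, t.Algorithm)
	}
	if len(algs) != 2 || algs[0] != envelopedSig || !c14nAlgorithms[algs[1]] {
		return algs, fmt.Errorf("expected Enveloped and C14N transforms, got %v", algs)
	}
	return algs, nil
}

// IssueSignature is a constructed copy of the issue's Signature, values REDACTED as reported.
const IssueSignature = `<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#REDACTED"><Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>REDACTED</DigestValue></Reference></SignedInfo><SignatureValue>REDACTED</SignatureValue></Signature>`

func main() {
	algs, err := CheckTransforms(IssueSignature)
	fmt.Println(algs, err) // one transform only, so the strict check fails as in the issue
}
```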
@crewjam
Owner

crewjam commented Aug 5, 2020

Can you provide the whole SAML response, with redactions if necessary? I'd trace through this and see if either of the findChild calls match against where your signature is in the response.

@crewjam crewjam added the close_wait plan to close the issue after a respectable interval of inactivity label Dec 14, 2020
@crewjam crewjam closed this as completed Apr 12, 2021