
'The signature in the response is not valid' error in SAML Validator

Publication date: Oct 13, 2022
Description
If a SAML response that was successfully used to log in to Salesforce is incorrectly decoded or reformatted before it is passed to the SAML Validator, the following error is displayed:
"11. Validating the Signature
Is the response signed? true
Is the assertion signed? true
The reference in the response signature is valid
The signature in the assertion is not valid
The reference in the assertion signature is valid
Is the correct certificate supplied in the keyinfo? true
Signature or certicate problems
The signature in the response is not valid"

Resolution
If the SAML response has been formatted (pretty-printed) and now contains additional whitespace or line breaks, it no longer matches the bytes that were signed, so it fails the signature verification performed by the SAML Validator.

The SAML Validator tool accepts SAML responses either as plain text XML or base64 encoded. The error above occurs when the response was altered on the way to the validator. To capture a response exactly as it was sent, use one of the tools described below.
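The reason reformatting breaks validation is that an XML-DSig reference digest is computed over the canonicalized XML, and canonicalization preserves the whitespace text nodes that a "format XML" step inserts. The added example below (not code from Salesforce or the SAML Validator) shows this with a constructed, unsigned assertion fragment: the digest of the decoded response round-trips unchanged, while the digest of the pretty-printed copy differs. Namespace, ID and issuer values are made up.

```python
import base64
import hashlib
import xml.dom.minidom
import xml.etree.ElementTree as ET

# Constructed minimal assertion fragment; not a real Salesforce response.
ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-id" Version="2.0">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)


def reference_digest(xml_text: str) -> str:
    """Canonicalize the fragment and return its base64 SHA-256 digest, i.e. the
    kind of value an XML-DSig <ds:DigestValue> carries for a reference.
    Canonicalization keeps whitespace text nodes, so inserted indentation
    and newlines change the digest."""
    canonical = ET.canonicalize(xml_text, with_comments=False)
    raw = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def pretty_print(xml_text: str) -> str:
    """What a 'format XML' button does: adds newlines and indentation."""
    return xml.dom.minidom.parseString(xml_text).toprettyxml(indent="  ")


def encode_saml_response(xml_text: str) -> str:
    """Base64-encode XML the way it travels in the SAMLResponse POST parameter."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_response(b64_text: str) -> str:
    """Decode the SAMLResponse parameter exactly as received. Only strip the
    surrounding whitespace a copy/paste adds; never reformat the XML itself.
    validate=True rejects stray characters instead of silently skipping them."""
    return base64.b64decode(b64_text.strip(), validate=True).decode("utf-8")


def digest_survives(original: str, transformed: str) -> bool:
    """True if the transformed XML still yields the signed reference digest."""
    return reference_digest(original) == reference_digest(transformed)
```

Run with a real captured SAMLResponse value to confirm that decoding alone leaves the digest intact, whereas pretty-printing the decoded XML does not.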

How to capture a base64 SAML response using SAML-tracer:

1. Open the SAML-tracer tool in Firefox.
2. Initiate the SSO login to Salesforce in Firefox.
3. Select the POST request (tagged SAML in orange) that has the SAML Response.
4. Copy the base64 encoded SAML Response from under the Parameters tab.
5. Validate that in the SAML Validator.

How to capture a SAML response in plain text if the IdP is Axiom (http://axiomsso.herokuapp.com/Home.action):

1. Go to http://axiomsso.herokuapp.com/RequestSamlResponse.action
2. Fill in the details from Setup | Security Controls | Single Sign-On Settings.
3. Request a SAML Response in Axiom.
4. Validate the text in "Plain Text SAML Response"
OR
4. Validate the text in "Base 64 Encoded SAML Response"

How to capture a SAML response in Fiddler:
1. Start capturing traces in Fiddler.
2. Initiate the SSO login to Salesforce.
3. Look for an HTTP POST request carrying the SAML response in the trace. It will most likely be over HTTPS, with <MyDomain>.my.salesforce.com or login.salesforce.com as the host and /?so=<OrgId> as the path. Example: /?so=00D00000000xxxx.
4. Go to the WebForms tab. The body of the WebForms tab shows the encoded SAML Response.
5. Right-click the value and choose "Send to TextWizard".
6. Select the option to transform from Base64.
7. Validate either the plain text SAML response or the Base64 encoded SAML Response that you sent to the TextWizard.

With the response captured in one of these ways, the SAML Validator verifies it correctly and reports:
'11. Validating the Signature
Is the response signed? true
Is the assertion signed? true
Is the correct certificate supplied in the keyinfo? true
Ok'

 
Knowledge article number

000388106

Salesforce Help | Article