Support #29663

Lasso Error 440 while receiving SAML response from AzureAD

Added by Marko Rautenberg 2 months ago. Updated 2 months ago.

Status: New
Priority: Normal
Assigned to: -
Category: SAMLv2
Target version: -
Start date: 11 Jan 2019
Due date:
% done: 0%
Patch proposed: No

Description

Hi Entrouvert Team,

I hope you can help.

I have a problem while configuring SAML SSO for Apache with Azure AD as IdP.
For Apache mod_auth_mellon is used, which uses lasso as SSO library (lasso version 2.5.1).
The problem is as follows:

The redirect to the IdP works fine. After successful authentication the IdP sends the response to the SP (auth_mellon).
"auth_mellon" reported then:

Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success"

So that deals with LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE error.
The error occurs in the mod_auth_mellon function "auth_mellon_handler.c" at lasso function: "lasso_login_process_authn_response_msg(login, saml_response)".

It does not matter if we use RSA-SHA1 or RSA-SHA256 as signing algorithm on IdP side.

I checked the SAML Response with the public (signing) key from Azure AD in an online SAML checker tool (https://8gwifi.org/samlverifysign.jsp).
The signature is valid (for SHA1 and SHA256).

Any ideas why lasso thinks the signature is invalid?

regards
Marko

History

#1 Updated by Marko Rautenberg 2 months ago

Additional information:

The signature is valid for the assertion verification, not for the response or both.

kindest regards

Marko
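
The distinction raised in comment #1 (signature on the assertion versus on the response) can be checked on a captured response. The following is an added example, not part of the ticket and not code from lasso or mod_auth_mellon; the sample XML, its IDs and the function name `signature_layout` are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (placeholder IDs, signature value omitted), not from the ticket.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_assert1">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_assert1"/>
    </ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def signature_layout(saml_response):
    """Report which elements (Response, Assertion) carry a ds:Signature.

    Accepts raw XML or the base64 SAMLResponse value from an HTTP-POST form.
    Diagnostic only: it does not verify any signature cryptographically.
    """
    text = saml_response.strip()
    # The POST binding sends base64; raw XML starts with '<'.
    data = text.encode() if text.startswith("<") else base64.b64decode(text)
    root = ET.fromstring(data)  # use only on responses you captured yourself
    owners = [("Response", root)]
    owners += [("Assertion", a) for a in root.findall("saml:Assertion", NS)]
    layout = []
    for kind, elem in owners:
        sig = elem.find("ds:Signature", NS)  # direct child only
        if sig is None:
            continue
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        layout.append({
            "signed_element": kind,
            "id": elem.get("ID"),
            "algorithm": method.get("Algorithm") if method is not None else None,
            # The Reference should point at the ID of the element that holds it.
            "reference_matches_id": ref is not None
            and ref.get("URI") == "#" + (elem.get("ID") or ""),
        })
    return layout


if __name__ == "__main__":
    for entry in signature_layout(SAMPLE):
        print(entry)
```
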

#2 Updated by Benjamin Dauvergne 2 months ago

Could you try to update to lasso 2.6.0 to see if it fixes your problem first?

#3 Updated by Marko Rautenberg 2 months ago

Hi together,

I updated the lasso version to 2.6.0, but unfortunately that did not help very much.
The error message is still the same.

KR
Marko
