OpenAM SSO SAML AuthnRequestsSigned error

Tagged: ServiceProvider AuthnRequestsSigned

This topic has 1 reply, 1 voice, and was last updated 4 months, 1 week ago by ricardosaracino.

Author

Posts
August 2, 2019 at 8:18 pm #26160

ricardosaracino
Participant

I am trying to set the _signing and encryption_ option on my SP metadata to have AuthnRequestsSigned="true" but my AM server keeps throwing the below Error in the /debug/Federation log

_Authentication Requests Signed_ option is the only one giving me issues.

Im running
> ForgeRock Access Management 6.5.2
> Tomcat 8.0.35
> openjdk version “1.8.0_212”

**AM Settings**

[![enter image description here][1]][1]

**Error Message**

`
libSAML2:08/02/2019 03:16:50:299 PM UTC: Thread[http-nio-80-exec-8,5,main]: TransactionId[f1638b0a-6687-4953-ae04-8ce8c9299079-62363]
ERROR: UtilProxySAMLAuthenticator.authenticate: authn request destination verification failed for
IdpEntity: http://x.canadacentral.cloudapp.azure.com:80/opensso
MetaAlias: /idp Destination: http://x.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp
Location: http://x.canadacentral.cloudapp.azure.com:80/opensso/SSORedirect/metaAlias/idp
`

**SP Meta-data**

`xml
<?xml version=”1.0″?>
<md:EntityDescriptor xmlns:md=”urn:oasis:names:tc:SAML:2.0:metadata” validUntil=”2019-08-02T12:04:36Z”
cacheDuration=”PT604800S” entityID=”nestjs-sp-signed-0090″>

<md:SPSSODescriptor AuthnRequestsSigned=”false” WantAssertionsSigned=”true”
protocolSupportEnumeration=”urn:oasis:names:tc:SAML:2.0:protocol”>
<md:KeyDescriptor use=”signing”>
<ds:KeyInfo xmlns:ds=”http://www.w3.org/2000/09/xmldsig#”>
<ds:X509Data>
<ds:X509Certificate>…
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use=”encryption”>
<ds:KeyInfo xmlns:ds=”http://www.w3.org/2000/09/xmldsig#”>
<ds:X509Data>
<ds:X509Certificate>…
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod Algorithm=”http://www.w3.org/2001/04/xmlenc#rsa-1_5″/>
</md:KeyDescriptor>

<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>

<md:SingleLogoutService Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”
Location=”http://localhost:3000/auth/logout/callback”/>

<md:AssertionConsumerService Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST”
Location=”http://localhost:3000/auth/login/callback” index=”0″/>
<md:AssertionConsumerService Binding=”urn:oasis:names:tc:SAML:1.0:profiles:browser-post”
Location=”http://localhost:3000/auth/login/callback” index=”1″/>
<md:AssertionConsumerService Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact”
Location=”http://localhost:3000/auth/login/callback” index=”2″/>
<md:AssertionConsumerService Binding=”urn:oasis:names:tc:SAML:1.0:profiles:artifact-01″
Location=”http://localhost:3000/auth/login/callback” index=”3″/>
<md:AssertionConsumerService Binding=”urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser”
Location=”http://localhost:3000/auth/login/callback” index=”4″/>
</md:SPSSODescriptor>

</md:EntityDescriptor>
`

**Passport Settings**

`js
export const samlPassportConf = {
issuer: ‘nestjs-sp-signed-0070’, // match metadata entityID

identifierFormat: ‘urn:oasis:names:tc:SAML:2.0:nameid-format:persistent’,

callbackUrl: ‘http://localhost:3000/auth/login/callback’,
entryPoint: ‘http://idp5.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp’,
logoutUrl: ‘http://idp5.canadacentral.cloudapp.azure.com/opensso/IDPSloRedirect/metaAlias/idp’,

privateCert: fs.readFileSync(‘cert/privatekey.pem’, ‘utf-8’),
decryptionPvk: fs.readFileSync(‘cert/privatekey.pem’, ‘utf-8’),
};

`

[1]: https://i.stack.imgur.com/zQIOo.png

August 2, 2019 at 8:35 pm #26161

ricardosaracino
Participant

Stack question

https://stackoverflow.com/questions/57330995/openam-sso-saml-authnrequestssigned-error?noredirect=1#comment101153234_57330995
Author

Posts