Signature verification fails on SP side on received artifact message
I configured LL::NG as SP and IDP with just the default options.
So the SP uses the REDIRECT SSO binding to send the authn request to the IDP. This request is well parsed on the IDP, and it returns the authn response through the ARTIFACT REDIRECT SSO binding. The artifact is managed by the SP and it gets the authn response from the IDP through SOAP (classic artifact resolution).
But the authn response signature verification failed on the SP side:
{panel:title=SP error log}
[Thu Aug 19 10:42:18 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: URL http://auth.vm1.lemonsaml.linagora.com/saml/proxySingleSignOnArtifact detected as an SSO assertion consumer URL
[Thu Aug 19 10:42:18 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SAML method: HTTP-REDIRECT
[Thu Aug 19 10:42:18 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: HTTP-REDIRECT: SAML Artifact RelayState=edc1c5e44278ec90316840940bae6603;SAMLart=AAQAAEt5X9iJAYImSziXSdQJn0mWaQUuOTY2MEZFRUMxQjY1ODM5MkUyMEI%3D
[Thu Aug 19 10:42:18 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Send message <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:ArtifactResolve ID="_07103F2864BCDD1726F4E2E09E5B2693" Version="2.0" IssueInstant="2010-08-19T08:42:18Z" Destination="http://auth.vm2.lemonsaml.linagora.com/saml/artifact"><saml:Issuer>http://auth.vm1.lemonsaml.linagora.com/saml/metadata</saml:Issuer>\n\n\n\n\n\n\n\n\n\nO+mM1RuSCIEaUMYT6KEVbuWbh4U=\n\n\ncwtEjj7HW6n/V7ed4u1oGioECL4uMqsK8+UOtlh/gagoeaCskgOdHEFjxAIypfLM\nD+ct4iaUfOg+4duXlAtz9UK1HX3b3Hf90FdjqFT3e0R80lqFRb5Qlid2IIYLHth5\n/wSsxXT+Z0Lu6CS5Kk0esgU6A4843dNeVaN8sab/vy7PT0YyMJTOR8bBx7QMeoD8\nPo4HmjrnSt0lEb6Dr1OdI3gOiEmZXgShURvC3Le6OS/Kmq4c/MgiMXaDwxILv4p9\nb3khCUEhqDpv6KSyMfROBw7QWvePxFkkJ/0O+N784k8HNXoaw6r4zx7hpFNZJasW\nWjoqJG3ZCJ/mVv7y0GD8gQ==\n<samlp:Artifact>AAQAAEt5X9iJAYImSziXSdQJn0mWaQUuOTY2MEZFRUMxQjY1ODM5MkUyMEI=</samlp:Artifact></samlp:ArtifactResolve></s:Body></s:Envelope> to http://auth.vm2.lemonsaml.linagora.com/saml/artifact
[Thu Aug 19 10:42:19 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Get message <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:ArtifactResponse ID="_D50BE47AAB64E6C6112585FC1474D324" InResponseTo="_07103F2864BCDD1726F4E2E09E5B2693" Version="2.0" IssueInstant="2010-08-19T08:42:26Z"><saml:Issuer>http://auth.vm2.lemonsaml.linagora.com/saml/metadata</saml:Issuer>\n\n\n\n\n\n\n\n\n\nrvtVN1fg83U5HONJojiC+Q417t0=\n\n\nmrgFQbVOj1Z4VPL7/MjPPGMxomTcVxhsq2qVywArLob7BM1LY42Y1HHjNUgtaqbw\nTcXVe4rIO6/NScY3VZTBiycP9N3SL1mf+MDoL/D0XKX0CWVRh/gt6Tv503tvelc7\nns2Mt1O3LKP+vvcRQwDxIxVE3GjAhdjDDi+OLIi3J/4BdsrbXuV5RdqdW7jTH4KC\nuGVc+tmo0Xjr9cq6KYdHaFhmfH88zhEZFy/AJiZthUdJZuK53NPA+FIjV2h/eGa5\nyqmHY+Abl7FJei6tkC/iXR9gpOd2HIJjpuY5XV65Tvg+b/H58o9kjSO+AscNyTRO\n/P3lqI/ibGHpRAFcPOiYcg==\n<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><samlp:Response ID="_9A27740A587955615BB3C19F9494BF7F" InResponseTo="_5E1AC8AA297315D402A19733F9C9CB3D" Version="2.0" IssueInstant="2010-08-19T08:42:26Z"><saml:Issuer>http://auth.vm2.lemonsaml.linagora.com/saml/metadata</saml:Issuer>\n\n\n\n\n\n\n\n\n\nDIPXClWdz/ghoIFLl2IVSMzAIzk=\n\n\nGUg0Uudm2DtDITSzXx3xjJZoNxkTrlEBQmP+R+tGduzdTamEaIm1n8p/ez8BO9/s\nPNDuYxW2I56jFeTh89ObHbhxlgzJFFOygUqQ/EXmqk1PHvE5Lhg/O/VvoKnxA1eG\nz8WsYm6DWoqJJMSCkSLsY3pFcNqLWW9KMEZ5pPR47LAj3Y8+YGxEFMHNUR6ASnSi\nxlfvpK4aFEh99/HRAnMd0eMXN8XgD+5XzWLi414g9opcL6IIwUPH/STmFUNF2oaI\nbUw99V39q/+6jtKA2SuXvnWYT9QCOccxkCVa3aC6Vwvm/hHQSVCx84RCiuPHbtVy\nYBMZttePc94/Nkc63fSSWA==\n<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion Version="2.0" ID="_2FA4A6A7DB603CC922910A9D6596B417" IssueInstant="2010-08-19T08:42:26Z"><saml:Issuer>http://auth.vm2.lemonsaml.linagora.com/saml/metadata</saml:Issuer>\n\n\n\n\n\n\n\n\n\n2PcKv4GTW/js1495KE3VtG01kyk=\n\n\nI0G7zQHjOs15dVAchm2Wd7gfR+NYDEi2lcl1KilbClqyzioAQpgqSoeA5PrXqMQI\nlI3sVEkzij/LQw9Frx4fWbtizJ92HhTjOop6jtVrAJJE3YKtMiBc8dcnA4K0in54\nklfZcCrhLgrXJj/UCX8cALOGczUpfJDyK2JS6i8Eh3UPI21dDK3klCh9F3UpG1CX\nkx50owBc0eGwMoyzmg4ZbwsMwuB0GHRUc85mKcCmjC+Z0bmdh8rlUilbpHvi3MeQ\nUItPXC0lO540QliSneoAFI2ljKlC9+W7SYG5qIfVEQiqZytspetstqcjmJSz/4Dt\nCfuSW8eDzynQiAEzsUaNlQ==\n<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">coudot@linagora.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="http://auth.vm1.lemonsaml.linagora.com/saml/proxySingleSignOnArtifact" InResponseTo="_5E1AC8AA297315D402A19733F9C9CB3D"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2010-08-19T08:42:26Z" NotOnOrAfter="2010-08-20T04:42:26Z"><saml:AudienceRestriction><saml:Audience>http://auth.vm1.lemonsaml.linagora.com/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2010-08-19T08:42:26Z" SessionIndex="wRTaC7m9FO/ripF9jKzM3nN3zCwUMQD9LFbjcsqUDsQ6ym/spcadnAVZU6z+aj5t" SessionNotOnOrAfter="2010-08-20T04:42:26Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid"><saml:AttributeValue>coudot</saml:AttributeValue></saml:Attribute><saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="cn"><saml:AttributeValue>Cl\xc3\x83\xc2\xa9ment Oudot</saml:AttributeValue></saml:Attribute><saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail"><saml:AttributeValue>coudot@linagora.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response></samlp:ArtifactResponse></s:Body></s:Envelope>
[Thu Aug 19 10:42:19 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SSO: authentication response is valid
[Thu Aug 19 10:42:19 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Found entityID http://auth.vm2.lemonsaml.linagora.com/saml/metadata in SAML message
[Thu Aug 19 10:42:19 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: http://auth.vm2.lemonsaml.linagora.com/saml/metadata match VM2 IDP in configuration
[Thu Aug 19 10:42:19 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso error code -111: Failed to verify signature.
[Thu Aug 19 10:42:19 2010] [error] Signature is not valid
{panel}
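The following script is an added example, not part of this report and not LL::NG or Lasso code. It walks through the two checks a SAML 2.0 SP is expected to make on the artifact exchange described above, independently of the XML signature: decoding the type-4 artifact carried in the SAMLart parameter (SAML 2.0 Bindings, section 3.6.4) and checking that its SourceID is the SHA-1 of the IDP entityID the SP resolved it against, then checking that the InResponseTo values and the audience in the resolved message chain back to the SP's own ArtifactResolve ID, AuthnRequest ID and entityID. The artifact, message IDs and audience are copied from the log above; the AuthnRequest ID is not printed in the log, so the script assumes it equals the InResponseTo value the IDP echoed back. The Lasso -111 failure is a signature problem that these checks do not diagnose; they show that everything else in the exchange is consistent.

```python
import base64
import hashlib

# Values copied from the SP debug log in the report above.
ARTIFACT_FROM_LOG = "AAQAAEt5X9iJAYImSziXSdQJn0mWaQUuOTY2MEZFRUMxQjY1ODM5MkUyMEI="  # SAMLart, URL-decoded
IDP_ENTITY_ID = "http://auth.vm2.lemonsaml.linagora.com/saml/metadata"
SP_ENTITY_ID = "http://auth.vm1.lemonsaml.linagora.com/saml/metadata"
ARTIFACT_RESOLVE_ID = "_07103F2864BCDD1726F4E2E09E5B2693"             # ID of the SP's ArtifactResolve
ARTIFACT_RESPONSE_IN_RESPONSE_TO = "_07103F2864BCDD1726F4E2E09E5B2693"
RESPONSE_IN_RESPONSE_TO = "_5E1AC8AA297315D402A19733F9C9CB3D"
SUBJECT_CONFIRMATION_IN_RESPONSE_TO = "_5E1AC8AA297315D402A19733F9C9CB3D"
AUDIENCE = "http://auth.vm1.lemonsaml.linagora.com/saml/metadata"

# Assumption: the AuthnRequest ID the SP stored when it sent the request. It is
# not printed in the log; only the InResponseTo values the IDP echoed back are.
ASSUMED_AUTHN_REQUEST_ID = "_5E1AC8AA297315D402A19733F9C9CB3D"


def parse_artifact(artifact_b64):
    """Split a SAML 2.0 type-4 artifact into its fields.

    Layout: 2 bytes TypeCode, 2 bytes EndpointIndex, 20 bytes SourceID
    (SHA-1 of the issuer's entityID), 20 bytes MessageHandle."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44:
        raise ValueError("type-4 artifact must be 44 bytes, got %d" % len(raw))
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != 4:
        raise ValueError("unsupported artifact type code %d" % type_code)
    return {
        "type_code": type_code,
        "endpoint_index": int.from_bytes(raw[2:4], "big"),
        "source_id": raw[4:24],
        "message_handle": raw[24:44],
    }


def artifact_source_id_matches(artifact_b64, entity_id):
    """True when the artifact's SourceID is SHA-1 of the given entityID.

    An SP uses the SourceID to select which configured IDP's artifact
    resolution service to call, and should not resolve an artifact whose
    SourceID matches no configured IDP."""
    expected = hashlib.sha1(entity_id.encode("utf-8")).digest()
    return parse_artifact(artifact_b64)["source_id"] == expected


def correlation_problems(resolve_id, artifact_response_in_response_to,
                         authn_request_id, response_in_response_to,
                         subject_confirmation_in_response_to,
                         audience, sp_entity_id):
    """Return the correlation errors in an artifact-resolved response; an
    empty list means every InResponseTo and the audience match what the SP
    sent and expects."""
    problems = []
    if artifact_response_in_response_to != resolve_id:
        problems.append("ArtifactResponse does not answer our ArtifactResolve")
    if response_in_response_to != authn_request_id:
        problems.append("Response does not answer our AuthnRequest")
    if subject_confirmation_in_response_to != authn_request_id:
        problems.append("SubjectConfirmationData does not reference our AuthnRequest")
    if audience != sp_entity_id:
        problems.append("Assertion audience is not this SP")
    return problems


def check_logged_exchange():
    """Run both checks on the values from the log. Returns the decoded
    artifact fields, whether its SourceID matches the IDP entityID, and the
    list of correlation problems (empty when the exchange is consistent)."""
    fields = parse_artifact(ARTIFACT_FROM_LOG)
    source_ok = artifact_source_id_matches(ARTIFACT_FROM_LOG, IDP_ENTITY_ID)
    problems = correlation_problems(
        ARTIFACT_RESOLVE_ID, ARTIFACT_RESPONSE_IN_RESPONSE_TO,
        ASSUMED_AUTHN_REQUEST_ID, RESPONSE_IN_RESPONSE_TO,
        SUBJECT_CONFIRMATION_IN_RESPONSE_TO, AUDIENCE, SP_ENTITY_ID)
    return fields, source_ok, problems


if __name__ == "__main__":
    fields, source_ok, problems = check_logged_exchange()
    print("artifact type %d, endpoint index %d, handle %r"
          % (fields["type_code"], fields["endpoint_index"], fields["message_handle"]))
    print("SourceID matches IDP entityID:", source_ok)
    print("correlation problems:", problems or "none")
```

On the artifact from the log the type code decodes to 4, the endpoint index to 0, and the message handle to the ASCII string 9660FEEC1B658392E20B, which is the hex handle Lasso placed in the artifact; the SourceID comparison is what tells the SP that the artifact really belongs to the VM2 IDP before it sends the ArtifactResolve over SOAP.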