Signature validation failed. Logout Response rejected
Environment
LemonLDAP::NG version: 2.0.8-1
Operating system: Ubuntu Xenial
Web server: Apache + fcgi
Summary
The Signature generated for a Logout SAMLResponse is invalid. It is not accepted by the SP and manual verification with OpenSSL fails as well.
Logs
Include the logs using logLevel = debug if possible. Attach it as file if it's too big
Please tell me which logs are required. Here are the generated responses and relevant certificates:
SAML Logout Request:
Entity ID of the source:
https://ldap-sso.cert.tkagit.com/saml/metadata
Target URL, Destination of the Logout Response:
https://vmraypoc-05.research.cert.tkagit.com/saml/slo/QRhjrULbIxggRg/
X.509 cert of the source (to check Signature):
RelayState:
https://vmraypoc-05.research.cert.tkagit.com/login
Signature of the SAML Logout Response:
T0pCoEkZgAPkrOQM8t5rM2ipImbw3EQqXlt1hn+ZbUgo17+v6YpC6DPRT/IRa5deZmFfUn6m4Y2d8/ZIdQC+afRyApr6le0KvdVqjO9E93U8EklwEm93kwmpDlMcB8JPdQrCDE5JfwKw43BiijLWcnw9tkJIGTKpjtqOVVJ4Cbgyx6QgPf+QKsZLk2GgEaIzkccUdTzaKwOrvXb/dxCzkgl3s72a2jlm7/1+0/giiF9Gt/2JfelHI1AoKOqIS0PqjOAqX31aqZ/nwHreUqP3IElsAUk8NMD+/hEwSNAgh0wdDoL19M8Gq/0t7GNP9hehLBpu4D01MgVNd8PBzhZVjg==
SigAlg:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Tested via: https://www.samltool.com/validate_logout_res.php
Backends used
Backend: LDAP only (Authentication, User and Password)
Use Case: only used for SAML 2 authentication on SP
Possible fixes
Unknown. SAML Auth is not used, only SAML Issuer.
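
Separate RelayState, SigAlg and Signature values, as listed in the report above, are the parameters of the SAML HTTP-Redirect binding, where the signature covers the URL-encoded query string (message, then RelayState, then SigAlg) rather than the XML. The following is an added example, not code from the report or from LemonLDAP::NG, showing how to rebuild those signed bytes for a manual check; the sample query, the sp.example host and all function names are constructed for illustration.

```python
import base64
from urllib.parse import quote, unquote

# Constructed sample (not from the report): placeholder values, lowercase
# percent-escapes, and parameters in a different order than the signed string.
SAMPLE_QUERY = (
    "SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256"
    "&RelayState=https%3a%2f%2fsp.example%2flogin"
    "&SAMLResponse=ZmFrZQ%3d%3d&Signature=c2ln"
)

def raw_params(raw_query):
    """Split a query string without percent-decoding; reject repeated names."""
    params = {}
    for pair in raw_query.lstrip("?").split("&"):
        name, sep, value = pair.partition("=")
        if not sep:
            continue
        if name in params:
            raise ValueError(f"duplicate parameter: {name}")
        params[name] = value
    return params

def signed_octets(raw_query):
    """Bytes covered by the signature: message, RelayState (if sent), SigAlg,
    in that order, each value exactly as it was encoded on the wire."""
    p = raw_params(raw_query)
    msg = "SAMLResponse" if "SAMLResponse" in p else "SAMLRequest"
    if not {msg, "SigAlg", "Signature"} <= p.keys():
        raise ValueError("not a signed HTTP-Redirect message")
    names = [msg] + (["RelayState"] if "RelayState" in p else []) + ["SigAlg"]
    return "&".join(f"{n}={p[n]}" for n in names).encode("ascii")

def signature_bytes(raw_query):
    """Raw signature value: percent-decode, then base64-decode."""
    return base64.b64decode(unquote(raw_params(raw_query)["Signature"]))

def reencoded_octets(raw_query):
    """What a verifier gets if it decodes and re-encodes the values itself.
    Shown only to illustrate the mismatch; do not verify against this."""
    p = {n: quote(unquote(v), safe="") for n, v in raw_params(raw_query).items()}
    names = [n for n in ("SAMLResponse", "RelayState", "SigAlg") if n in p]
    return "&".join(f"{n}={p[n]}" for n in names).encode("ascii")

if __name__ == "__main__":
    print(signed_octets(SAMPLE_QUERY).decode())
    print(signed_octets(SAMPLE_QUERY) == reencoded_octets(SAMPLE_QUERY))
```

Written to files, the outputs of signed_octets and signature_bytes are the two inputs for a check such as `openssl dgst -sha256 -verify idp_pub.pem -signature sig.bin signed.bin` (file names are placeholders).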