[SAML] Upgrade 2.0.7 > 2.0.9 led some SAML SPs not working unless Check SSO message signature is disabled
Platform: Apache / Debian GNU/Linux 9 (stretch) / Linux 4.9.0-13-amd64 #1 SMP Debian 4.9.228-1 (2020-07-05) x86_64 GNU/Linux
Since upgrading from 2.0.7 to 2.0.9, some SAML service providers can't be authenticated. The portal displays that an error occurred during SAML message signing (translation of the French message: "Erreur lors de la gestion de la signature du message SAML"). Other SAML SPs are working fine.
I also checked the validity of the public keys provided in the metadata (including my own, just to be sure). They are still valid.
[LLNG:3781] [error] Lasso error code -1500: The provider has no known public key
[LLNG:3781] [error] Signature is not valid
[LLNG:3781] [debug] Returned error: 57 (PE_SAML_SIGNATURE_ERROR)
See attached error.log file.
You will find attached the metadata files of the service providers concerned.
Here is a URL-encoded request from the SP.
CONFIGURATION AND SESSIONS on PostgreSQL DB. AUTH BACKEND: Active Directory.
The only workaround is to disable "Check SSO message signature" at the service provider level. Once disabled, applications are authenticated as expected. But over time it may not be secure!
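As an added diagnostic (example code written for this report, not part of LemonLDAP::NG or Lasso), the script below inspects an SP metadata file and reports whether its SPSSODescriptor actually publishes a signing certificate. A "provider has no known public key" signature error is worth checking against the metadata before disabling signature verification: per the SAML 2.0 metadata specification a KeyDescriptor with use="encryption" only cannot be used to verify signatures, while one with use="signing" or no use attribute at all can. The two metadata documents inside the script are constructed samples with placeholder certificate text; point describe_sp_keys at the real attached metadata to check it.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def describe_sp_keys(metadata_xml):
    """Summarise the signing/encryption keys an SP publishes in its metadata.

    Returns a dict with the entityID, whether the SP declares that it signs
    AuthnRequests, the list of KeyDescriptors found, and has_signing_key,
    which is True only if at least one KeyDescriptor is usable for signature
    verification (use="signing" or no use attribute) and carries a certificate.
    """
    root = ET.fromstring(metadata_xml)
    # Metadata may be a single EntityDescriptor or an EntitiesDescriptor wrapping several.
    entity = root if root.tag == "{%s}EntityDescriptor" % NS["md"] else root.find(".//md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor found in metadata")
    sp = entity.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor found for %s" % entity.get("entityID"))

    keys = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # absent means the key serves both signing and encryption
        certs = [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS) if c.text]
        keys.append({"use": use or "both", "certs": certs})

    signing_capable = [k for k in keys if k["use"] in ("signing", "both") and k["certs"]]
    return {
        "entity_id": entity.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "keys": keys,
        "has_signing_key": bool(signing_capable),
    }


# Constructed sample: SP that signs its requests and publishes a signing certificate.
SP_WITH_SIGNING_KEY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp-good.example.org/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_SIGNING_CERT_BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_ENC_CERT_BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: SP that signs its requests but only publishes an encryption certificate,
# so an IdP has no key with which to verify the signature.
SP_ENCRYPTION_KEY_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp-bad.example.org/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_ENC_CERT_BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for sample in (SP_WITH_SIGNING_KEY, SP_ENCRYPTION_KEY_ONLY):
        info = describe_sp_keys(sample)
        verdict = "OK" if info["has_signing_key"] else "NO SIGNING KEY (signature checks cannot succeed)"
        print("%s: AuthnRequestsSigned=%s, keys=%s -> %s" % (
            info["entity_id"], info["authn_requests_signed"],
            [k["use"] for k in info["keys"]], verdict))
```

Run it against each attached metadata file (read the file and pass its contents to describe_sp_keys); an SP that reports "NO SIGNING KEY" while still sending signed messages explains the Lasso -1500 error without weakening the IdP-side check.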