[SAML] Upgrade 2.0.7 > 2.0.9 leaves some SAML SPs not working unless Check SSO message signature is disabled
Concerned version
Version: %2.0.9-1
Platform: Apache / Debian GNU/Linux 9 (stretch) / Linux 4.9.0-13-amd64 #1 SMP Debian 4.9.228-1 (2020-07-05) x86_64 GNU/Linux
Summary
Since upgrading from 2.0.7 to 2.0.9, some SAML service providers can't be authenticated. The portal displays that an error occurred during SAML message signing (translation of the French message: "Erreur lors de la gestion de la signature du message SAML"). Other SAML SPs are working fine.
I also checked the validity of the public keys provided in the metadata (including my own, just to be sure). They are still valid.
Logs
[LLNG:3781] [error] Lasso error code -1500: The provider has no known public key
[LLNG:3781] [error] Signature is not valid
[LLNG:3781] [debug] Returned error: 57 (PE_SAML_SIGNATURE_ERROR)
See the attached error.log file.
The metadata files of the affected service providers are also attached.
Here is a URL-encoded request from the SP:
fZBbT4QwEEb%2FCun7llvirhMgIbImxGvcFY1vFRtoUlrsTEX%2FvcC%2BrC%2B%2BzznfyWQoBj1C6ak3T%2FLTS6SgkQ6VNTlLeMSCusrZ3m9fa7OvX26qj0vePF%2FHQ%2FO181v1Ps0HiF7WBkkYmpkoiTZxtEmjY7yDNIUo5hdJ%2BsaCanYrI2hV90QjQhiKeZgjWk5OjErz1g7hkhSiMp2WB9WZB8OC70EbhLU1Z94ZsAIVghGDRKAWDuXdLcy5MDpLtrWaFdlyDWucO%2BP%2FxwWidEshK6Zp4qP2TmhUXU9LWRaeOU8DI9zPkrp6tFq1P0GptZ2unBQkc0bOSxYWJ%2Brvj4tf&RelayState=CquY9iUTrVrkoL3B3yZBph61zAjsqR&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=W8cRNc4N77VJShg9SToCIm1xXvA%2BnJ3ZFv4xqqcRph3TiylsYzARUVy%2Bu8FbuRzRvUhzMbftA%2FWHPs9HFrk2qulbdWMu6iT9JAIgB6tLflM66BZwkJtxTpTmj0iie8iZFodgbPPQjZHVqjmQ5m9nS%2Fm0IxhZRcfwMIxYu2nsSHWYWlcU%2BK5fl%2FzNiX0uHuxfkWMrQyviuX0Mu60w1U8O8Trw%2FfYlvc6Sid9sMi195HZWBXvxzji8R7mEq4Q60YGL2xMrUnuNl1AHQU9bfUwIvtNe7Cqd0NkfjQ3hMXOmNxAS52%2BfrfvU8BBWyUNhtqz708Bs40r9H6FA3FoybV54eQ%3D%3D
Backends used
Configuration and sessions: PostgreSQL DB. Auth backend: Active Directory.
Possible fixes
The only workaround is to disable Check SSO message signature at the service provider level. Once disabled, applications are authenticated as expected. But over time it may not be secure!
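The request quoted above is a SAML 2.0 HTTP-Redirect binding message: a deflated, base64-encoded AuthnRequest plus RelayState, SigAlg and Signature parameters. Before the signature can even be checked, the IdP has to rebuild the signed octets exactly as they were sent and resolve the issuer's signing key from the SP metadata it has loaded; the log line "Lasso error code -1500: The provider has no known public key" points at that second step failing, which is why turning signature checking off hides the problem rather than fixing it. The following example, added here and not LemonLDAP::NG or Lasso code, decodes such a query string and models the key lookup. The SP entity IDs, the metadata table and the AuthnRequest it builds are constructed; the RSA signature bytes themselves are not verified (standard library only).

```python
"""
Decode a SAML 2.0 HTTP-Redirect binding query string and walk through the two
checks an IdP performs before it can call the signature valid: rebuild the
signed octets exactly as sent, then resolve the issuer's signing key from the
loaded SP metadata.

Added example for this issue; not LemonLDAP::NG or Lasso code.  The SP entity
IDs and the metadata table are constructed, and the key lookup only models the
condition behind "The provider has no known public key".  Standard library
only: the RSA signature bytes are not verified here.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote, unquote_plus, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # SigAlg seen in the issue

# Constructed stand-in for the SP metadata an IdP has loaded: entityID -> signing
# certificate.  None models an SP whose metadata carries no signing KeyDescriptor.
SP_REGISTRY = {
    "https://sp-ok.example.org/saml/metadata": "MIIC...constructed-placeholder-cert...",
    "https://sp-nokey.example.org/saml/metadata": None,
}


def encode_redirect_request(issuer, relay_state, sig_alg=RSA_SHA256, signature=b"\x00" * 4):
    """Build a redirect-binding query: raw DEFLATE, then base64, then URL-encode each value."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed-1" Version="2.0" IssueInstant="2020-09-01T00:00:00Z">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return urlencode([
        ("SAMLRequest", base64.b64encode(deflated).decode()),
        ("RelayState", relay_state),
        ("SigAlg", sig_alg),
        ("Signature", base64.b64encode(signature).decode()),
    ])


def decode_redirect_request(query):
    """Return issuer, SigAlg and the exact octets the Signature parameter covers."""
    # Keep the wire form: the signature is computed over the URL-encoded values as
    # transmitted, so re-encoding after parse_qs() could change what gets verified.
    raw = dict(part.split("=", 1) for part in query.split("&"))
    deflated = base64.b64decode(unquote(raw["SAMLRequest"]))
    root = ET.fromstring(zlib.decompress(deflated, -15))
    # SAML 2.0 Bindings 3.4.4.1: SAMLRequest=...&RelayState=...&SigAlg=... in this
    # order, RelayState only when present.
    signed = "SAMLRequest=" + raw["SAMLRequest"]
    if "RelayState" in raw:
        signed += "&RelayState=" + raw["RelayState"]
    signed += "&SigAlg=" + raw["SigAlg"]
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "relay_state": unquote_plus(raw["RelayState"]) if "RelayState" in raw else None,
        "sig_alg": unquote(raw["SigAlg"]),
        "signed_octets": signed,
        "signature": base64.b64decode(unquote(raw["Signature"])),
    }


def resolve_signing_key(issuer, registry=SP_REGISTRY):
    """Model of the key lookup: the Issuer is the handle to the SP's metadata entry."""
    if issuer not in registry:
        return None, "issuer not registered"
    if registry[issuer] is None:
        return None, "metadata has no signing certificate"
    return registry[issuer], "ok"


def check_redirect_request(query, registry=SP_REGISTRY):
    """Decode, then resolve the key; without a key no signature can be checked at all."""
    info = decode_redirect_request(query)
    key, reason = resolve_signing_key(info["issuer"], registry)
    # Error name taken from the issue's log line; mapping it here is this example's choice.
    info["status"] = "ok" if key else "PE_SAML_SIGNATURE_ERROR"
    info["reason"] = reason
    return info


if __name__ == "__main__":
    for sp in SP_REGISTRY:
        q = encode_redirect_request(sp, "CquY9iUTrVrkoL3B3yZBph61zAjsqR")
        r = check_redirect_request(q)
        print(f"{sp}: {r['status']} ({r['reason']}); signed over {len(r['signed_octets'])} octets")
```

Pointing `decode_redirect_request` at a real query string shows which entityID the IdP will look up and the exact byte string the signature covers; if that entityID has no signing certificate in the metadata loaded on the IdP side, a key-resolution failure, not a bad signature, is what surfaces as the signature error.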