Signature validation failed. Everything seems right, though.

[fingermark]

I upgrade to MacOS the other day and revisisted an old project. I now get "Signature validation failed." I tried upgrading to the 2.2.0 release, but get the same thing. Do you all see anything wrong with this?

All values printed from variables defined in validate_node_sign

Cert

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

validatecert

False

signature_node

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id631044246120230029603131"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>...</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>

Node verification error:

('verifying failed with return value', -1)

Signature validation failed. SAML Response rejected

xmldsig.c:871(xmlSecDSigCtxProcessKeyInfoNode) errno=45
xmldsig.c:565(xmlSecDSigCtxProcessSignatureNode) subject=xmlSecDSigCtxProcessKeyInfoNode
xmldsig.c:366(xmlSecDSigCtxVerify) subject=xmlSecDSigCtxSignatureProcessNode

[fingermark]

#define XMLSEC_ERRORS_R_KEY_NOT_FOUND 45

[pitbulk]

Try to use xmlsec directly:

xmlsec --verify --X509-skip-strict-checks --id-attr:ID Assertion --id-attr:ID Response  --trusted-pem cert.crt response.xml

or

xmlsec1 --verify -id-attr:ID Assertion --id-attr:ID Response --trusted-pem cert.crt  response.xml

Also check if https://www.samltool.com/validate_response.php is able to validate your response.

[fingermark]

@pitbulk thanks a lot for the reply. Both xmlsec and samltool's have successfully validated the XML using that cert.

I'm using:

• libxmlsec1: stable 1.2.20
• dm.xmlsec.binding==1.3.2
• lxml==3.6.4

Just really confused

[pitbulk]

It should be some issue with the lxml and libxmlsec lib. I need to spend time and investigate but right now kinda bussy with other issues on the other toolkits.

[fingermark]

@pitbulk this is really weird. I don't know enough about python to understand what's going on. If I simplify the example, it fails with the same error. But, once I comment out the parseString import, it succeeds.

from defusedxml.lxml import tostring, fromstring
from os.path import basename, dirname, join

# !!!!!!!!!!!!!!!!!!!!
# Uncomment this line and it fails
# !!!!!!!!!!!!!!!!!!!!
#from defusedxml.minidom import parseString

import dm.xmlsec.binding as xmlsec

xml = """<insert xml>"""

pem = """-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----"""

def print_xmlsec_errors(filename, line, func, error_object, error_subject, reason, msg):
    """
    Auxiliary method. It overrides the default xmlsec debug message.
    """

    info = []
    if error_object != "unknown":
        info.append("obj=" + error_object)
    if error_subject != "unknown":
        info.append("subject=" + error_subject)
    if msg.strip():
        info.append("msg=" + msg)
    if reason != 1:
        info.append("errno=%d" % reason)
    if info:
        print "xmlsec1 -- %s:%d(%s)" % (filename, line, func), " ".join(info)

def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False):
    try:
        xmlsec.initialize()
        xmlsec.set_error_callback(print_xmlsec_errors)

        xmlsec.addIDs(elem, ["ID"])

        print "--- Signature Node ---"
        print tostring(signature_node)
        print "+++ Signature Node +++"

        #file_name = "/Users/fingermark/cacert.pem"

        dsig_ctx = xmlsec.DSigCtx()
        #signKey = xmlsec.Key.load(file_name, xmlsec.KeyDataFormatCertPem, None)
        signKey = xmlsec.Key.loadMemory(pem, xmlsec.KeyDataFormatCertPem)
        #signKey.name = basename(file_name)
        dsig_ctx.signKey = signKey
        print "signKey.name: %s" % signKey.name

        dsig_ctx.setEnabledKeyData([xmlsec.KeyDataX509])
        dsig_ctx.verify(signature_node)

        print "verified"

        return True
    except Exception as err:
        print "Node verification error:"
        print err.__str__()
        return False

if __name__ == "__main__":
    elem = fromstring(xml)
    node = elem.find(".//{%s}Signature" % xmlsec.DSigNs)
    print validate_node_sign(node, elem)

[pitbulk]

that really weird.

[fingermark]

Yeah, the same code works on my linux server.

And

#from defusedxml.minidom import parseString # <-- does not work
from xml.dom.minidom import parseString # <-- works just fine

[pitbulk]

have you tried python3-saml? It does not use defusedxml

[rmharris157]

Hi. I'm having a similar issue with trying to setup python-saml (also tried python3-saml) to work with ADFS 2.0 and no matter what I try I can't seem to get past the Signature Validation Failed--the assertion is coming back as auth sucessful, but python-saml refuses to accept the x509 cert (or fingerprint) for the response. Does the system work with self-signed certs? I've tried the validation tools online and the returned document is valid.

I think I've tried everything, but I'm not convinced that I'm not doing something boneheaded. Should I create another issue thread or can I contact your directly so as not spam the list? Thanks!

[pitbulk]

python-saml works with self-signed certs.

have you tried what @fingermark suggested? replacing

from defusedxml.minidom import parseString

by

from xml.dom.minidom import parseString

If you want, mail directly to me the base64 encoded SAMLResponse message, so I will be able to debug and see what is happening.

[rmharris157]

Thanks for the help. I know you must be super busy. -R <samlp:Response ID="_37ca4253-00ad-453a-b128-ad7db0d0776c" Version="2.0" IssueInstant="2016-11-29T16:00:24.735Z" Destination="https://mascot.arbitraria.org/?acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_0f066a9a228df19be13582dd8a1fc2018f47286f" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://winsrv.arbitraria.org/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="_3b88cb5e-789e-46e5-bc92-6bad8bb4116a" IssueInstant="2016-11-29T16:00:24.735Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>http://winsrv.arbitraria.org/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><ds:Reference URI="#_3b88cb5e-789e-46e5-bc92-6bad8bb4116a"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><ds:DigestValue>qH6sxK7pMoZGD9upzm2gV6OFppQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>BctpKq3gr7FKe0+TzRageR4xDwsjqIuapopyavLS9zsbEXYEuki3KngvWBDy6wRzMDn5MdMTVWdeQY4CcNaZ7O98CfUTKWd944K9PMXxhyU5JwyXB/S5a/Shsy7hW61JXJl8XzWaeNAUhHYLPsBPYBkyQfbylR3XEX0or4d3rL1PX/W0Dk+tifginJHjkUjlTOr7it/7jff1yIHdWJLbH5icoYx0YPgJC8VUp3USaJsTKVxe/hBPFqbKVhk5f6chMALZ5/axm+PCaZHBK3xTwjwuKLCcEBll1qT4y+jnwTpxlIAAAANhsuC67Yh7ByAZiHwB0W6nSQiyYOEmclFgDg==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIC5jCCAc6gAwIBAgIQW2JGfKOyL7hHZu4anVus0jANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBXSU5TUlYuYXJiaXRyYXJpYS5vcmcwHhcNMTYxMTI4MDYwNDQ4WhcNMTcxMTI4MDYwNDQ4WjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBXSU5TUlYuYXJiaXRyYXJpYS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrM3zghAs4QfHBQe6sX+QzaHtoi8CrEDDqxMFnYnRkgJjwYL88GfYkmYkDhkMvlQZnZnwBGJ4enH6v4fawixIaxj93RradnYRfk/NNQyF9zrpuKxL4DR1g3Yugs1uiqM2MB+9b6MaXR8j1XStakZy3g/oZjIFV0qT2BBd3EKrFFJ7Y1Zx4K3cSbRYqISTHG5ZkHMt11SfjmF+ZunIYNygcP81ibvs5AAq7ZZxqxdsjamhdnUjBYApOOluTzw1kcIraw8nJ3whu8PcEK931LpenQW2E6P5D/f31rVXNsHMfi/8BQYfV7+cLu3RZ0Ob7SnO2Vc1bE56a1QP3cvyjuJC3AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKJQACvfjjiKw3WFGlam0b1UTJwqKKYTnABoUdZ6pFmm23/6MsBuIM+xPTiqwPOB2wy+ZJlU1T3CJuzQ+ENjoXf5IC9WhoZ9K4WFKvTYqbYK2T7iiLNX+oVtI8rArAS1+JvOTAAcIMQjuDe4o8YdX8Y2OtjX19xB0WpRNnIk2rajKkwuMg/NKW+5xSII9IGz8tlG/YT7Q17gGn73joJkujOCwWwBew2NtGBRshao0Tkd2fLRCBESNPSm8nsqJVNOu+uoAfKoigh/2e+xFIyaoCTMy5RmBNpYKl/scx3SxmsU44hlJAcX/QD8ScWRepWWDgwo5Fza2pEcCJ3BBwejw0s=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ARBITRARIA\roberhr</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="ONELOGIN_0f066a9a228df19be13582dd8a1fc2018f47286f" NotOnOrAfter="2016-11-29T16:05:24.735Z" Recipient="https://mascot.arbitraria.org/?acs" /></SubjectConfirmation></Subject><Conditions NotBefore="2016-11-29T16:00:24.735Z" NotOnOrAfter="2016-11-29T17:00:24.735Z"><AudienceRestriction><Audience>urn:mascot:arbitraria.org</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="groups"><AttributeValue>AWS-12345-Admin</AttributeValue><AttributeValue>AWS</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2016-11-29T16:00:24.672Z" SessionIndex="_3b88cb5e-789e-46e5-bc92-6bad8bb4116a"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>

…

On Nov 29, 2016, at 10:56 AM, Sixto Martin ***@***.***> wrote: python-saml works with self-signed certs. If you want, mail directly to me the base64 SAMLResponse message, so I will be able to debug and see what happening. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#166 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AMQSR6G_1bHnF4pPlhYWQacNvre3gomuks5rDEs-gaJpZM4KfJc4>.

[pitbulk]

@rmharris157 can you provide the base64 encoded version rather than in plain text?
(I want the original SAMLResponse, to avoid any possible issue of copy&pasting, since a simple extra space will invalidate the signature validation process)

[rmharris157]

Sorry, misread that. FWIW, I was using base64.b64decode() so hopefully that part was ok. -R PHNhbWxwOlJlc3BvbnNlIElEPSJfNTZiNWVkZmQtNWE5MS00YzY3LWI5NjEtMDk4YjdmYTZhNmE2IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNi0xMS0yOVQxNjowNjowNi43OTBaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9tYXNjb3QuYXJiaXRyYXJpYS5vcmcvP2FjcyIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fOTkzMTg1OGIwZWMwODE2Y2M2Mzk3NDBkYTdiYzk2YTI5NmNmZjBkZiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PElzc3VlciB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cDovL3dpbnNydi5hcmJpdHJhcmlhLm9yZy9hZGZzL3NlcnZpY2VzL3RydXN0PC9Jc3N1ZXI+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIiAvPjwvc2FtbHA6U3RhdHVzPjxBc3NlcnRpb24gSUQ9Il9jOWUxMDE0ZC1lMTQ4LTQyMDgtOTc5Yy02ODk1YTA3ZjU4NzciIElzc3VlSW5zdGFudD0iMjAxNi0xMS0yOVQxNjowNjowNi43OTBaIiBWZXJzaW9uPSIyLjAiIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48SXNzdWVyPmh0dHA6Ly93aW5zcnYuYXJiaXRyYXJpYS5vcmcvYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiIC8+PGRzOlJlZmVyZW5jZSBVUkk9IiNfYzllMTAxNGQtZTE0OC00MjA4LTk3OWMtNjg5NWEwN2Y1ODc3Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiIC8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIiAvPjxkczpEaWdlc3RWYWx1ZT5ZS2VCcmJuU1N3L3RNOVNkYVkyOStHM1ZaaUU9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPkxUNDlMVG5SbGRzT09vOXYrNDRUdmo1aGpOMTVGV3Q1RlhCakVSa1RMQ3Z4eDV3a2dDTE05ckJVcDkyUXFTb0Z3SFY3eTFwQXNGZ1Rvc0lQQzdtRU0vTlF3OTVELzl0RlhZVEx1SHpIZzhvcWdMVkZpUjlKYk9oMVlsSmkzMkQwWElsM2cvUmdGcWc2d2ZoeEdlQi9BeDB2dURDeGhCRGF3STUrR0s1VmtBRWxvb09wVUxtSCtFZ0lCUTJMaHlLNnl5NGhUQVVlZzdQeTFXMTd1Z0laT20wV1lydkZUS0RaQytlRlVKWDFFeThzTGtoTk9pYm1ROG16Z1BPbzN0cFlhUzhlU2xvMTJJZTdrazlSKzk4SWwwdXlwc0JBbjczVHpXa1hMZzJxc3VZK0NEeCtVaktZRVU4TEtwSVErL3pQUE1IZS9VSDdJaTNiUDZSZ0s0NjlrQT09PC9kczpTaWduYXR1cmVWYWx1ZT48S2V5SW5mbyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQzVqQ0NBYzZnQXdJQkFnSVFXMkpHZktPeUw3aEhadTRhblZ1czBqQU5CZ2txaGtpRzl3MEJBUXNGQURBdk1TMHdLd1lEVlFRREV5UkJSRVpUSUZOcFoyNXBibWNnTFNCWFNVNVRVbFl1WVhKaWFYUnlZWEpwWVM1dmNtY3dIaGNOTVRZeE1USTRNRFl3TkRRNFdoY05NVGN4TVRJNE1EWXdORFE0V2pBdk1TMHdLd1lEVlFRREV5UkJSRVpUSUZOcFoyNXBibWNnTFNCWFNVNVRVbFl1WVhKaWFYUnlZWEpwWVM1dmNtY3dnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDck0zemdoQXM0UWZIQlFlNnNYK1F6YUh0b2k4Q3JFRERxeE1GblluUmtnSmp3WUw4OEdmWWttWWtEaGtNdmxRWm5abndCR0o0ZW5INnY0ZmF3aXhJYXhqOTNScmFkbllSZmsvTk5ReUY5enJwdUt4TDREUjFnM1l1Z3MxdWlxTTJNQis5YjZNYVhSOGoxWFN0YWtaeTNnL29aaklGVjBxVDJCQmQzRUtyRkZKN1kxWng0SzNjU2JSWXFJU1RIRzVaa0hNdDExU2ZqbUYrWnVuSVlOeWdjUDgxaWJ2czVBQXE3Wlp4cXhkc2phbWhkblVqQllBcE9PbHVUencxa2NJcmF3OG5KM3dodThQY0VLOTMxTHBlblFXMkU2UDVEL2YzMXJWWE5zSE1maS84QlFZZlY3K2NMdTNSWjBPYjdTbk8yVmMxYkU1NmExUVAzY3Z5anVKQzNBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLSlFBQ3ZmamppS3czV0ZHbGFtMGIxVVRKd3FLS1lUbkFCb1VkWjZwRm1tMjMvNk1zQnVJTSt4UFRpcXdQT0Iyd3krWkpsVTFUM0NKdXpRK0VOam9YZjVJQzlXaG9aOUs0V0ZLdlRZcWJZSzJUN2lpTE5YK29WdEk4ckFyQVMxK0p2T1RBQWNJTVFqdURlNG84WWRYOFkyT3RqWDE5eEIwV3BSTm5JazJyYWpLa3d1TWcvTktXKzV4U0lJOUlHejh0bEcvWVQ3UTE3Z0duNzNqb0prdWpPQ3dXd0JldzJOdEdCUnNoYW8wVGtkMmZMUkNCRVNOUFNtOG5zcUpWTk91K3VvQWZLb2lnaC8yZSt4Rkl5YW9DVE15NVJtQk5wWUtsL3NjeDNTeG1zVTQ0aGxKQWNYL1FEOFNjV1JlcFdXRGd3bzVGemEycEVjQ0ozQkJ3ZWp3MHM9PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L0tleUluZm8+PC9kczpTaWduYXR1cmU+PFN1YmplY3Q+PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCI+QVJCSVRSQVJJQVxyb2JlcmhyPC9OYW1lSUQ+PFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl85OTMxODU4YjBlYzA4MTZjYzYzOTc0MGRhN2JjOTZhMjk2Y2ZmMGRmIiBOb3RPbk9yQWZ0ZXI9IjIwMTYtMTEtMjlUMTY6MTE6MDYuNzkwWiIgUmVjaXBpZW50PSJodHRwczovL21hc2NvdC5hcmJpdHJhcmlhLm9yZy8/YWNzIiAvPjwvU3ViamVjdENvbmZpcm1hdGlvbj48L1N1YmplY3Q+PENvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE2LTExLTI5VDE2OjA2OjA2Ljc5MFoiIE5vdE9uT3JBZnRlcj0iMjAxNi0xMS0yOVQxNzowNjowNi43OTBaIj48QXVkaWVuY2VSZXN0cmljdGlvbj48QXVkaWVuY2U+dXJuOm1hc2NvdDphcmJpdHJhcmlhLm9yZzwvQXVkaWVuY2U+PC9BdWRpZW5jZVJlc3RyaWN0aW9uPjwvQ29uZGl0aW9ucz48QXR0cmlidXRlU3RhdGVtZW50PjxBdHRyaWJ1dGUgTmFtZT0iZ3JvdXBzIj48QXR0cmlidXRlVmFsdWU+QVdTLTEyMzQ1LUFkbWluPC9BdHRyaWJ1dGVWYWx1ZT48QXR0cmlidXRlVmFsdWU+QVdTPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48L0F0dHJpYnV0ZVN0YXRlbWVudD48QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE2LTExLTI5VDE2OjA2OjA2LjcxMVoiIFNlc3Npb25JbmRleD0iX2M5ZTEwMTRkLWUxNDgtNDIwOC05NzljLTY4OTVhMDdmNTg3NyI+PEF1dGhuQ29udGV4dD48QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L0F1dGhuQ29udGV4dENsYXNzUmVmPjwvQXV0aG5Db250ZXh0PjwvQXV0aG5TdGF0ZW1lbnQ+PC9Bc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=

…

On Nov 29, 2016, at 11:04 AM, Sixto Martin ***@***.***> wrote: @rmharris157 <https://github.com/rmharris157> can you provide the base64 encoded version rather than in plain text? (I want the original SAMLResponse, to avoid any possible issue of copy&pasting) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#166 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AMQSR1UrnU_flEKrqm7GCEt8SvmwKpMCks5rDE0cgaJpZM4KfJc4>.

[pitbulk]

Hi @rmharris157

sorry for the delay.

I was able to validate directly your response using the followed test:

1. I added your response to tests/data/responses/issue164.xml.base64
2. I edited tests/src/Onelogin/saml2_tests/utils_test.py and in the last test method (testValidateSign) added:

        issue164_xml = b64decode(self.file_contents(join(self.data_path, 'responses', 'issue164.xml.base64')))
        cert164 = OneLogin_Saml2_Utils.format_cert("""MIIC5jCCAc6gAwIBAgIQW2JGfKOyL7hHZu4anVus0jANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBXSU5TUlYuYXJiaXRyYXJpYS5vcmcwHhcNMTYxMTI4MDYwNDQ4WhcNMTcxMTI4MDYwNDQ4WjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBXSU5TUlYuYXJiaXRyYXJpYS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrM3zghAs4QfHBQe6sX+QzaHtoi8CrEDDqxMFnYnRkgJjwYL88GfYkmYkDhkMvlQZnZnwBGJ4enH6v4fawixIaxj93RradnYRfk/NNQyF9zrpuKxL4DR1g3Yugs1uiqM2MB+9b6MaXR8j1XStakZy3g/oZjIFV0qT2BBd3EKrFFJ7Y1Zx4K3cSbRYqISTHG5ZkHMt11SfjmF+ZunIYNygcP81ibvs5AAq7ZZxqxdsjamhdnUjBYApOOluTzw1kcIraw8nJ3whu8PcEK931LpenQW2E6P5D/f31rVXNsHMfi/8BQYfV7+cLu3RZ0Ob7SnO2Vc1bE56a1QP3cvyjuJC3AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKJQACvfjjiKw3WFGlam0b1UTJwqKKYTnABoUdZ6pFmm23/6MsBuIM+xPTiqwPOB2wy+ZJlU1T3CJuzQ+ENjoXf5IC9WhoZ9K4WFKvTYqbYK2T7iiLNX+oVtI8rArAS1+JvOTAAcIMQjuDe4o8YdX8Y2OtjX19xB0WpRNnIk2rajKkwuMg/NKW+5xSII9IGz8tlG/YT7Q17gGn73joJkujOCwWwBew2NtGBRshao0Tkd2fLRCBESNPSm8nsqJVNOu+uoAfKoigh/2e+xFIyaoCTMy5RmBNpYKl/scx3SxmsU44hlJAcX/QD8ScWRepWWDgwo5Fza2pEcCJ3BBwejw0s=""")
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(issue164_xml, cert164))

I also tested validating the whole response, and worked:

3. I edited tests/src/Onelogin/saml2_tests/response_test.py and in the test method (testIsValidSign) added:

        settings164data = self.loadSettingsJSON()
        settings164data['strict'] = False
        settings164data['idp']['entityId'] = 'http://winsrv.arbitraria.org/adfs/services/trust'
        settings164data['idp']['x509cert'] = """MIIC5jCCAc6gAwIBAgIQW2JGfKOyL7hHZu4anVus0jANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBXSU5TUlYuYXJiaXRyYXJpYS5vcmcwHhcNMTYxMTI4MDYwNDQ4WhcNMTcxMTI4MDYwNDQ4WjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBXSU5TUlYuYXJiaXRyYXJpYS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrM3zghAs4QfHBQe6sX+QzaHtoi8CrEDDqxMFnYnRkgJjwYL88GfYkmYkDhkMvlQZnZnwBGJ4enH6v4fawixIaxj93RradnYRfk/NNQyF9zrpuKxL4DR1g3Yugs1uiqM2MB+9b6MaXR8j1XStakZy3g/oZjIFV0qT2BBd3EKrFFJ7Y1Zx4K3cSbRYqISTHG5ZkHMt11SfjmF+ZunIYNygcP81ibvs5AAq7ZZxqxdsjamhdnUjBYApOOluTzw1kcIraw8nJ3whu8PcEK931LpenQW2E6P5D/f31rVXNsHMfi/8BQYfV7+cLu3RZ0Ob7SnO2Vc1bE56a1QP3cvyjuJC3AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKJQACvfjjiKw3WFGlam0b1UTJwqKKYTnABoUdZ6pFmm23/6MsBuIM+xPTiqwPOB2wy+ZJlU1T3CJuzQ+ENjoXf5IC9WhoZ9K4WFKvTYqbYK2T7iiLNX+oVtI8rArAS1+JvOTAAcIMQjuDe4o8YdX8Y2OtjX19xB0WpRNnIk2rajKkwuMg/NKW+5xSII9IGz8tlG/YT7Q17gGn73joJkujOCwWwBew2NtGBRshao0Tkd2fLRCBESNPSm8nsqJVNOu+uoAfKoigh/2e+xFIyaoCTMy5RmBNpYKl/scx3SxmsU44hlJAcX/QD8ScWRepWWDgwo5Fza2pEcCJ3BBwejw0s="""
        settings164data['sp']['entityId'] = 'urn:mascot:arbitraria.org'
        settings164data['sp']['assertionConsumerService']['url'] = 'https://mascot.arbitraria.org/?acs'

        settings164 = OneLogin_Saml2_Settings(settings164data)
        issue164_xml = self.file_contents(join(self.data_path, 'responses', 'issue164.xml.base64'))
        response_164 = OneLogin_Saml2_Response(settings164, issue164_xml)
        request_data = {
            'http_host': 'mascot.arbitraria.org',
            'script_name': '?acs'
        }
         self.assertTrue(response_164.is_valid(request_data))

I will keep investigating. but the toolkit is able to validate that response

[RD1991]

Same issue,

Raw response :
PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0\r\nYzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6\r\nbmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJSNGU4YzJhZmM2ZjAy\r\nZjRiOWM4MzQ4YzY5NzFmY2ZiN2Y2MmYxMDkzZSIgVmVyc2lvbj0iMi4wIiBJ\r\nc3N1ZUluc3RhbnQ9IjIwMTctMDItMTBUMTM6MDg6MzlaIiBEZXN0aW5hdGlv\r\nbj0iaHR0cHM6Ly8yMDMuMTA5LjEwMS40Njo1MDAwLz9hY3MiIEluUmVzcG9u\r\nc2VUbz0iT05FTE9HSU5fNzM4NDZiZjU0NmJjYTE5ZmE3NTk4M2ZkNDJlN2U5\r\nMGM0NGE2Mjg2NiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2lu\r\nLmNvbS9zYW1sL21ldGFkYXRhLzYyNjE3Mjwvc2FtbDpJc3N1ZXI+PHNhbWxw\r\nOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5h\r\nbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0\r\ndXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1l\r\nczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnhzPSJodHRwOi8vd3d3\r\nLnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3\r\nLnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgVmVyc2lvbj0iMi4w\r\nIiBJRD0icGZ4MjI1ODdiMTYtNTA4OC05YjUwLTU5ZjQtMjliMmY3NGFkZDQx\r\nIiBJc3N1ZUluc3RhbnQ9IjIwMTctMDItMTBUMTM6MDg6MzlaIj48c2FtbDpJ\r\nc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwvbWV0YWRhdGEv\r\nNjI2MTcyPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJo\r\ndHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVk\r\nSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0\r\ndHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpT\r\naWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8y\r\nMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48ZHM6UmVmZXJlbmNlIFVSST0i\r\nI3BmeDIyNTg3YjE2LTUwODgtOWI1MC01OWY0LTI5YjJmNzRhZGQ0MSI+PGRz\r\nOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93\r\nd3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJl\r\nIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3Jn\r\nLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6\r\nRGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAw\r\nMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+ZGVieVI1Rjlw\r\ncVhrZGdFRWhkU3JLMnN6RHVFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZl\r\ncmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5TR3dy\r\nOTNzWHM5T3RHeTFJaUF2ZGFTMm5GOSt1Q3lkU1JiVGwrTmRpcGk5bUtLb2JS\r\nc21uYm1ncHp1YWNYVHlWdGFqZFBrdEhFNFBLaTNadFhlYVBldmc4OU1PblJB\r\nUUNZM0p0bmFZejFoYmVCMEtDRzM4cnBvamhmeG9nbElqWUhkallqT3VQSlhj\r\nbmNMcDh4Nm9VbE5XSU5wVWR2RjkvcUZCUEd0SUhTbkZpQThmcE1zNHJFWGJP\r\nUE1tWDhtam9PZnFsbEtGNmN6N21oeWlRenQyNlN0SXFZWUxrSEdycGhlNWpP\r\nZDcvWFU4SG44K0F1NU8zK2RhbjZEZXdUNU1kTWl6STBPcWlEa3NsZmdzQ20w\r\nc2thVElqKzRQdHcxZGZtU0IwcmFEWklxdG5qbVVZL2pBOTZ5c0RLa2FXTXZV\r\nMWZQekxBZTFmV1NnczVETmxrVnFmdEE9PTwvZHM6U2lnbmF0dXJlVmFsdWU+\r\nPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+\r\nTUlJRUdqQ0NBd0tnQXdJQkFnSVVZZ3p4eTNuRWhyRkxmT1k4KzY2cUU1Sk1H\r\nR0l3RFFZSktvWklodmNOQVFFRkJRQXdXVEVMTUFrR0ExVUVCaE1DVlZNeEVU\r\nQVBCZ05WQkFvTUNFeHZZM1Z5YVhSNU1SVXdFd1lEVlFRTERBeFBibVZNYjJk\r\ncGJpQkpaRkF4SURBZUJnTlZCQU1NRjA5dVpVeHZaMmx1SUVGalkyOTFiblFn\r\nTVRBd05qWTNNQjRYRFRFM01ESXdPVEEyTURFMU9Wb1hEVEl5TURJeE1EQTJN\r\nREUxT1Zvd1dURUxNQWtHQTFVRUJoTUNWVk14RVRBUEJnTlZCQW9NQ0V4dlkz\r\nVnlhWFI1TVJVd0V3WURWUVFMREF4UGJtVk1iMmRwYmlCSlpGQXhJREFlQmdO\r\nVkJBTU1GMDl1WlV4dloybHVJRUZqWTI5MWJuUWdNVEF3TmpZM01JSUJJakFO\r\nQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdDlaMDZUcUUy\r\nVXVyWDVKSE92dDBHWnlLOHRtZlRSVXRMNUc3cVg3dWd6YWFrdXZZMkpZL3ln\r\nNGhnZmVXdmRocVhhUm9SdXZoeFk1U2RoaVhVRWYwOU5pZHFjeTdVcEtGdkxn\r\nNitud1FteWxYQktnZlNGN20wWTZuRUhzakF1bms4OUZ6elJnV0QxTjlwN1or\r\nNWZGOHhLWlhVWlBkU3draGliWlp4QmFaTVJVRHg4Z1c0WklpbzZreS9zZEpL\r\nWlYraXhNTmViWDBmUlpKcHNxSkZWZVpTUEtpSWZ6TzVUWWV5YVJtb3g3a05S\r\nMkxVTS9ScGtHQVpNRUtMZjZ5SG1jNnNOQlp3VGJTOEdxRitoOXBYVUM4V0hj\r\nVWg2cElpUzZhbzlBbnZSdy80NGpPMzRpZFBnQ1N3OUhBRGV2RlFPN2c1MXJZ\r\naFMzOTY1UjloeDlsWVRKdlVRSURBUUFCbzRIWk1JSFdNQXdHQTFVZEV3RUIv\r\nd1FDTUFBd0hRWURWUjBPQkJZRUZMdHBGVkRmNGkwL252ZWN4OE4rRThVVjVB\r\ndXNNSUdXQmdOVkhTTUVnWTR3Z1l1QUZMdHBGVkRmNGkwL252ZWN4OE4rRThV\r\nVjVBdXNvVjJrV3pCWk1Rc3dDUVlEVlFRR0V3SlZVekVSTUE4R0ExVUVDZ3dJ\r\nVEc5amRYSnBkSGt4RlRBVEJnTlZCQXNNREU5dVpVeHZaMmx1SUVsa1VERWdN\r\nQjRHQTFVRUF3d1hUMjVsVEc5bmFXNGdRV05qYjNWdWRDQXhNREEyTmplQ0ZH\r\nSU04Y3Q1eElheFMzem1QUHV1cWhPU1RCaGlNQTRHQTFVZER3RUIvd1FFQXdJ\r\nSGdEQU5CZ2txaGtpRzl3MEJBUVVGQUFPQ0FRRUFmVHZ6OUMrVWcrRnBBVGRS\r\nN2VLaFY0TUJDNnppVWRaYkE3cTlidFB6aGx3REp5TUdZb3RobENQTlZIeUlV\r\nSnN2SkpFbG5rRXl1eUN4Z0RaVkVGR2UyeWlPMFRaNUoxckUxVWdpeGpsazdm\r\nTmNXazhvaFFNL1MvV2JCMkxZK2Q3N1FRYmVaSXprcURGaWFsa1NicytxSitx\r\nWTdrMm9iTktWZXZncVdlZURsNTVYK2ZkNS9BVEpiOUh4Q3JWM2djbWRwdDZq\r\nYklqamIzR3VmOFcyTlVOUTdmNXdtQ2RaZTRrMXFhcDNidnBGb3VRTEQrU3BV\r\nLzB0cnpyUTROdzJDbHlVRXVBL1JtcHFzbXNmUXRYZ0FrZjFsczZJckViLysx\r\nMDlCdytZT3BDM1B3TzlXbzJlTVlhNkdVVmJZWUxWbVdSdUVHOHdlVmp5TFh1\r\nMWEydkorVmZzVlE9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURh\r\ndGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+\r\nPHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6\r\nMS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj5yYWplc2hAY29kaXRh\r\ndGlvbi5jb208L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRp\r\nb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVh\r\ncmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0\r\nZXI9IjIwMTctMDItMTBUMTM6MTE6MzlaIiBSZWNpcGllbnQ9Imh0dHBzOi8v\r\nMjAzLjEwOS4xMDEuNDY6NTAwMC8/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxP\r\nR0lOXzczODQ2YmY1NDZiY2ExOWZhNzU5ODNmZDQyZTdlOTBjNDRhNjI4NjYi\r\nLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48\r\nc2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNy0wMi0xMFQxMzowNToz\r\nOVoiIE5vdE9uT3JBZnRlcj0iMjAxNy0wMi0xMFQxMzoxMTozOVoiPjxzYW1s\r\nOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cHM6Ly8y\r\nMDMuMTA5LjEwMS40Njo1MDAwL21ldGFkYXRhLzwvc2FtbDpBdWRpZW5jZT48\r\nL3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48\r\nc2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDItMTBU\r\nMTM6MDg6MzhaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDE3LTAyLTExVDEz\r\nOjA4OjM5WiIgU2Vzc2lvbkluZGV4PSJfNjg4MTlhZTAtZDFhMi0wMTM0LTYz\r\nZGEtMDJhMjY5YjNkMjhiIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0\r\naG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4w\r\nOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWw6\r\nQXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3Nh\r\nbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjxz\r\nYW1sOkF0dHJpYnV0ZSBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6\r\nU0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIiBOYW1lPSJVc2VyLmVt\r\nYWlsIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93\r\nd3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0i\r\neHM6c3RyaW5nIj5yYWplc2hAY29kaXRhdGlvbi5jb208L3NhbWw6QXR0cmli\r\ndXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFt\r\nZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1l\r\nLWZvcm1hdDpiYXNpYyIgTmFtZT0ibWVtYmVyT2YiPjxzYW1sOkF0dHJpYnV0\r\nZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxT\r\nY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciLz48L3NhbWw6\r\nQXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lRm9ybWF0PSJ1cm46b2Fz\r\naXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIiBO\r\nYW1lPSJQZXJzb25JbW11dGFibGVJRCI+PHNhbWw6QXR0cmlidXRlVmFsdWUg\r\neG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1p\r\nbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyIvPjwvc2FtbDpBdHRyaWJ1\r\ndGU+PHNhbWw6QXR0cmlidXRlIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1l\r\nczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiIE5hbWU9IlVz\r\nZXIuTGFzdE5hbWUiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0i\r\naHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhz\r\naTp0eXBlPSJ4czpzdHJpbmciPkRhcmFrPC9zYW1sOkF0dHJpYnV0ZVZhbHVl\r\nPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWVGb3JtYXQ9\r\nInVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6\r\nYmFzaWMiIE5hbWU9IlVzZXIuRmlyc3ROYW1lIj48c2FtbDpBdHRyaWJ1dGVW\r\nYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2No\r\nZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5SYWplc2g8L3Nh\r\nbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0\r\ncmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNw\r\nb25zZT4KCg==

SAML decoded response :

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R4e8c2afc6f02f4b9c8348c6971fcfb7f62f1093e" Version="2.0" IssueInstant="2017-02-10T13:08:39Z" Destination="https://203.109.101.46:5000/?acs" InResponseTo="ONELOGIN_73846bf546bca19fa75983fd42e7e90c44a62866">saml:Issuerhttps://app.onelogin.com/saml/metadata/626172</saml:Issuer>samlp:Status<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx22587b16-5088-9b50-59f4-29b2f74add41" IssueInstant="2017-02-10T13:08:39Z">saml:Issuerhttps://app.onelogin.com/saml/metadata/626172</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">ds:SignedInfo<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#pfx22587b16-5088-9b50-59f4-29b2f74add41">ds:Transforms<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>ds:DigestValuedebyR5F9pqXkdgEEhdSrK2szDuE=</ds:DigestValue></ds:Reference></ds:SignedInfo>ds:SignatureValueSGwr93sXs9OtGy1IiAvdaS2nF9+uCydSRbTl+Ndipi9mKKobRsmnbmgpzuacXTyVtajdPktHE4PKi3ZtXeaPevg89MOnRAQCY3JtnaYz1hbeB0KCG38rpojhfxoglIjYHdjYjOuPJXcncLp8x6oUlNWINpUdvF9/qFBPGtIHSnFiA8fpMs4rEXbOPMmX8mjoOfqllKF6cz7mhyiQzt26StIqYYLkHGrphe5jOd7/XU8Hn8+Au5O3+dan6DewT5MdMizI0OqiDkslfgsCm0skaTIj+4Ptw1dfmSB0raDZIqtnjmUY/jA96ysDKkaWMvU1fPzLAe1fWSgs5DNlkVqftA==</ds:SignatureValue>ds:KeyInfods:X509Datads:X509CertificateMIIEGjCCAwKgAwIBAgIUYgzxy3nEhrFLfOY8+66qE5JMGGIwDQYJKoZIhvcNAQEFBQAwWTELMAkGA1UEBhMCVVMxETAPBgNVBAoMCExvY3VyaXR5MRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxIDAeBgNVBAMMF09uZUxvZ2luIEFjY291bnQgMTAwNjY3MB4XDTE3MDIwOTA2MDE1OVoXDTIyMDIxMDA2MDE1OVowWTELMAkGA1UEBhMCVVMxETAPBgNVBAoMCExvY3VyaXR5MRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxIDAeBgNVBAMMF09uZUxvZ2luIEFjY291bnQgMTAwNjY3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9Z06TqE2UurX5JHOvt0GZyK8tmfTRUtL5G7qX7ugzaakuvY2JY/yg4hgfeWvdhqXaRoRuvhxY5SdhiXUEf09Nidqcy7UpKFvLg6+nwQmylXBKgfSF7m0Y6nEHsjAunk89FzzRgWD1N9p7Z+5fF8xKZXUZPdSwkhibZZxBaZMRUDx8gW4ZIio6ky/sdJKZV+ixMNebX0fRZJpsqJFVeZSPKiIfzO5TYeyaRmox7kNR2LUM/RpkGAZMEKLf6yHmc6sNBZwTbS8GqF+h9pXUC8WHcUh6pIiS6ao9AnvRw/44jO34idPgCSw9HADevFQO7g51rYhS3965R9hx9lYTJvUQIDAQABo4HZMIHWMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFLtpFVDf4i0/nvecx8N+E8UV5AusMIGWBgNVHSMEgY4wgYuAFLtpFVDf4i0/nvecx8N+E8UV5AusoV2kWzBZMQswCQYDVQQGEwJVUzERMA8GA1UECgwITG9jdXJpdHkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEgMB4GA1UEAwwXT25lTG9naW4gQWNjb3VudCAxMDA2NjeCFGIM8ct5xIaxS3zmPPuuqhOSTBhiMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAfTvz9C+Ug+FpATdR7eKhV4MBC6ziUdZbA7q9btPzhlwDJyMGYothlCPNVHyIUJsvJJElnkEyuyCxgDZVEFGe2yiO0TZ5J1rE1Ugixjlk7fNcWk8ohQM/S/WbB2LY+d77QQbeZIzkqDFialkSbs+qJ+qY7k2obNKVevgqWeeDl55X+fd5/ATJb9HxCrV3gcmdpt6jbIjjb3Guf8W2NUNQ7f5wmCdZe4k1qap3bvpFouQLD+SpU/0trzrQ4Nw2ClyUEuA/RmpqsmsfQtXgAkf1ls6IrEb/+109Bw+YOpC3PwO9Wo2eMYa6GUVbYYLVmWRuEG8weVjyLXu1a2vJ+VfsVQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>saml:Subject<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">emailid</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2017-02-10T13:11:39Z" Recipient="https://203.109.101.46:5000/?acs" InResponseTo="ONELOGIN_73846bf546bca19fa75983fd42e7e90c44a62866"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2017-02-10T13:05:39Z" NotOnOrAfter="2017-02-10T13:11:39Z">saml:AudienceRestrictionsaml:Audiencehttps://203.109.101.46:5000/metadata/</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2017-02-10T13:08:38Z" SessionNotOnOrAfter="2017-02-11T13:08:39Z" SessionIndex="_68819ae0-d1a2-0134-63da-02a269b3d28b">saml:AuthnContextsaml:AuthnContextClassRefurn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>saml:AttributeStatement<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="User.email"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">emailid</saml:AttributeValue></saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="memberOf"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/></saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="PersonImmutableID"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/></saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="User.LastName"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">LastName</saml:AttributeValue></saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="User.FirstName"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Name</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

[RD1991]

In saml2/response.py

            if has_signed_assertion and not OneLogin_Saml2_Utils.validate_sign(document_check_assertion, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH):

an exception is raised from this if condition.

[travelton]

I'm having the same issue described here.

from defusedxml.lxml import tostring, fromstring
from os.path import basename, dirname, join

from defusedxml.minidom import parseString

import dm.xmlsec.binding as xmlsec

xml = """XML"""

pem = """CERT"""

xmlsec1 -- xmldsig.c:871(xmlSecDSigCtxProcessKeyInfoNode) errno=45
xmlsec1 -- xmldsig.c:565(xmlSecDSigCtxProcessSignatureNode) subject=xmlSecDSigCtxProcessKeyInfoNode
xmlsec1 -- xmldsig.c:366(xmlSecDSigCtxVerify) subject=xmlSecDSigCtxSignatureProcessNode
Node verification error:
('verifying failed with return value', -1)
False

from defusedxml.lxml import tostring, fromstring
from os.path import basename, dirname, join

# Comment this line out...
# from defusedxml.minidom import parseString

import dm.xmlsec.binding as xmlsec

xml = """XML"""

pem = """CERT"""

verified
True

https://www.samltool.com/validate_response.php also validates just fine.

In utils.py, if I comment out

# from defusedxml.minidom import parseString

Signature validation still fails...

Signature validation failed. SAML Response rejected

Python: 2.7.10
OS: MacOS 10.12.2

$ pip freeze
defusedxml==0.4.1
dm.xmlsec.binding==1.3.2
Flask==0.10.1
isodate==0.5.4
itsdangerous==0.24
Jinja2==2.9.5
lxml==3.7.2
MarkupSafe==0.23
pudb==2017.1
Pygments==2.2.0
python-saml==2.2.1
urwid==1.3.1
Werkzeug==0.11.15

I will attempt to test on Linux tomorrow, and report back. Yup, works fine on Linux. This must be an OSX issue. Not sure how to debug from here. Any ideas?

[edufelipe]

@travelton I'm having the same issue here on OSX. Ever found a workaround?

[travelton]

@edufelipe Nope. I set up a free micro AWS Linux server for testing.

[edufelipe]

@travelton I did! All I had to do was update libxmlsec1 to version 1.2.4. It automatically started working on Mac :)

[chelexey]

I've got the same issue.
Doesn't work on MacOS (Sierra) and fails with an error:

Signature validation failed. SAML Response rejected

/onelogin/saml2/utils.py:

def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False):
....
        try:
            dsig_ctx.verify(signature_node)  # fails here
        except Exception as err:

Libs: python-saml v.2.2.3 and libxmlsec1 v.1.2.20 (installed with brew).

BUT signature validation (same project with the same settings, no changes) works well on Ubuntu.

[edufelipe]

@chelexey: brew installs a broken version of libxmlsec1. You have to manually update it to version 1.2.4 and everything starts working as expected :)

[chelexey]

@edufelipe Do you mean I have to downgrade with brew? Can you share the solution how you did that (it seems there is no packages except of 1.2.20)? Thanks in advance.

[chelexey]

I've fixed an issue with libxmlsec1 and signature verification in MacOS (i.e. "Signature validation failed. SAML Response rejected") this way :

1. Prepare brew libs:

• brew uninstall libxmlsec1 --force (remove libxmlsec1 v.1.2.20, it's broken)
• brew install libxml2 openssl (check these libs also present)

2. Download xmlsec and compile/install from sources https://www.aleksey.com/xmlsec/download.html . The latest stable XML Security Library version is 1.2.24 and it works like a charm:

Prepare environment:
NB: openssl formula is keg-only, which means it was not symlinked into /usr/local

• add it in your PATH, run in Terminal:
  echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile
• For compilers to find openssl you need to set:
  export LDFLAGS=-L/usr/local/opt/openssl/lib
export CPPFLAGS=-I/usr/local/opt/openssl/include

Install xmlsec:

• gunzip -c xmlsec1-xxx.tar.gz | tar xvf -
• cd xmlsec1-xxxx
• ./configure
• make
• make install

And that's all.

[jerkyrs]

I know this is a dead thread but for anyone who does see an error on a python 2.7 environment with python-saml to overcome it you can try this

ARCHFLAGS='-arch x86_64' pip install python-saml

Specifically this occurs on python 2.7 Centos 7 x86_64 with error

cannot import name DSigNs

Relates to #30

[poojated]

after adding prefix in saml xml doc i am getting signature validation failed error