Can't find the signature - Invalid document signature

[SkunSHD]

Why the signature can't be found?

I've checked the code during execution and saw that signatures was empty:

passport-saml/src/node-saml/saml.ts

Lines 710 to 712 in 6ba76ba

	if (signatures.length !== 1) {
	return false;
	}

Because an ID from Response didn't match URI from Reference

<saml2p:Response ID="K0WO32GJF96P5SJBU9I5V0YI53OBOCIUSG6G4RX9" ...>
    ...
    <ds:Reference URI="#Q65FHLGKK1SSG05I7UWVEQS5URLD0EUVKIP0GY06">

an excerpt from it:

const validateSignature = (fullXml, currentNode, certs) => {
    const xpathSigQuery = ".//*[" +
        "local-name(.)='Signature' and " +
        "namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#' and " +
        "descendant::*[local-name(.)='Reference' and @URI='#" +
        currentNode.getAttribute("ID") +
        "']" +
        "]";

    const signatures = exports.xpath.selectElements(currentNode, xpathSigQuery);

    // it fails here coz it's empty
    if (signatures.length !== 1) {
        return false;
    }
    ...
}

Content ofxpathSigQuery variable:
const xpathSigQuery = './/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#' and descendant::*[local-name(.)='Reference' and @URI='#K0WO32GJF96P5SJBU9I5V0YI53OBOCIUSG6G4RX9']]'

Content of fullXml argument:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://ppt2cf-8080.csb.app/login-idp/callback" ID="K0WO32GJF96P5SJBU9I5V0YI53OBOCIUSG6G4RX9" InResponseTo="_ed3b8b9d9b6bb14d1e9660ca902a8c0da7708c9e" IssueInstant="2023-06-23T05:40:25.157Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://ppt2cf-8080.csb.app/login-idp/callback</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion ID="Q65FHLGKK1SSG05I7UWVEQS5URLD0EUVKIP0GY06" IssueInstant="2023-06-23T05:40:25.157Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://ppt2cf-8080.csb.app/login-idp/callback</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#Q65FHLGKK1SSG05I7UWVEQS5URLD0EUVKIP0GY06">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>yHH5fUXBy+hkTKCvhTutPTvzJc/vwNnlwE3tZiDVJBI=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>AWGSLsBapRN9O2YTOwb/HBe/kALxU6wmhNLoSNwb+UO1kFC50sMQ+wM8DDmR0Zgq08iB68Y8ckI5KXQZhFH0xUvgmt1gqB8NCXx3C7Zx9W0vhX+vEURkasBigybFSUWf22VqndUTIhHbS7/QXj+xi4C9Ujz3WLP8Txx+DGFc4GcnAIvD46YAzD0NhU65+T5sCoyTmVIQ3WcEpyQkvWjxvzAq3yTHj2YJ54w7c+X8RTtFMKh0aq48Ec+FJHpl1VdRx7vXkD089qpUpA6CvOZu88WlUJ9+82hF+JVRb10WG6TzVnw3IjrD5n6r2BmdnaGUQ9yG52CP+nk5auB7YCwnVg==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDgDCCAmgCCQCLAP0JHUDNijANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCVUExEDAOBgNVBAgMB0RvbmJhc3MxDTALBgNVBAcMBEtpZXYxEjAQBgNVBAoMCURpZ2l0YWxpczENMAsGA1UECwwERGV2czEMMAoGA1UEAwwDRGFuMSAwHgYJKoZIhvcNAQkBFhFkZW5pc0BheG9ub3BzLmNvbTAeFw0yMzA2MTIwMzI4MDRaFw0yNjA2MTEwMzI4MDRaMIGBMQswCQYDVQQGEwJVQTEQMA4GA1UECAwHRG9uYmFzczENMAsGA1UEBwwES2lldjESMBAGA1UECgwJRGlnaXRhbGlzMQ0wCwYDVQQLDAREZXZzMQwwCgYDVQQDDANEYW4xIDAeBgkqhkiG9w0BCQEWEWRlbmlzQGF4b25vcHMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA43efCJashd9GkzSK8hPtCZ1DburaGB6dow1wLVneAkidS7O7hnueGtbWGyKj7tMZ+6fh7cXl5DqtO/xu/Fz6LCT3EdGPCA3P+ozyqn62aF+qlQGm3QpR5sRVJ0/hYV5f5u883CR+72rV+S4xeXGISXuRqbobqnHnqB4f2rcT1tOpujXpMu2Awa+bjObjRGBCwkRvgIMGs0xbhbIiMPi35xqkWo7IfpFsFXXyHij+mdKBeaUOQEMHUJ2Xt6z8gYOMRy+hPxexYVTZl/chs918pWSMzU3uu3B+nzEXflJ8T4UMx2pYfnAFP7Ifccj2aQZm+p2GFnOc1TyE3iNTssJaqwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAP+/SKddgUzT+lLvBR3mQT++DuII2WLr4b7/kYMXp5ohOJsh3D7a2TbGxzHEsK7SNZ1kKjxUhlFJ9kLWUmn3AakPDl46C/b7E0FEmjVbU/H6kJw8BPrRj6zyMVZBNWpvi8IyhGDKAgfVHXY6wicKy70QXSZyoR/WhpJ9SEwr4iodeAjVGsDjPYn5S+/4n+WHqH5IWYvukHU0VCNltRfy4Axwhl28eUW4u7ivQXBchUsaSEdCMFWgJYUteU6mC1myfG9hlbiZybqBbsSfVXVFMUxrtdWrSc926qfwJd1rYSUOJwzhGg0aAa8ngatq2HUDb5KnxKapkwEjm7M7zl4ZsB</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">denis@axonops.com</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="_ed3b8b9d9b6bb14d1e9660ca902a8c0da7708c9e" NotOnOrAfter="2023-06-23T05:45:25.157Z" Recipient="https://ppt2cf-8080.csb.app/login-idp/callback"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2023-06-23T05:35:25.157Z" NotOnOrAfter="2023-06-23T05:45:25.157Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>https://ppt2cf-8080.csb.app/saml/metadata</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2023-06-23T05:40:25.157Z" SessionIndex="2fe7b4b9-36ce-4f47-933d-df071e906e16">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

passport-saml config:

const passport = require("passport");
const passportSaml = require("@node-saml/passport-saml");
const fs = require("fs");

passport.serializeUser((user, done) => done(null, user));

passport.deserializeUser((user, done) => done(null, user));

const strategy = new passportSaml.Strategy(
  {
    entryPoint: "https://sso.jumpcloud.com/saml2/test-app",
    issuer: "https://sso.jumpcloud.com",

    path: "login-idp/callback",
    cert: fs.readFileSync("./certs/cert.pem", "utf-8"),
    privateKey: fs.readFileSync("./certs/private.pem", "utf-8"),

    signatureAlgorithm: "sha256",
    identifierFormat: null,

    // From the metadata document
    audience: "https://ppt2cf-8080.csb.app/saml/metadata",
  },
  (profile, done) => {
    return done(null, profile);
  }
);

passport.use(strategy);

module.exports = {
  passport,
  strategy,
};

app.js

const express = require("express");
const cookieParser = require("cookie-parser");
const session = require("express-session");
const path = require("path");
const bodyParser = require("body-parser");
const { passport: passportConfig } = require("./config/passport");
const router = require("./routes/index");

const app = express();

app.use(
  session({
    secret: "secret",
    resave: false,
    saveUninitialized: true,
    // cookie: { maxAge: 7 * 24 * 60 * 60 * 1000 }, // 7 days
  })
);

app.use(cookieParser());
// app.use(express.static(path.join(__dirname, "public")));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));

app.use(passportConfig.initialize());
app.use(passportConfig.session());

app.use(router);

const listener = app.listen(8080, function () {
  console.log("Listening on port " + listener.address().port);
});

routes.js

const express = require("express");
const fs = require("fs");
const bodyParser = require("body-parser");
const { passport, strategy } = require("./../config/passport");

const router = express.Router();

function ensureAuthenticated(req, res, next) {
  if (req.isAuthenticated()) return next();
  // else return res.redirect("/login-idp");
  else
    return res.send(
      `<button onclick="location.pathname='/login-idp'">Login</botton>`
    );
}

router.get("/", ensureAuthenticated, function (req, res) {
  res.send("Authenticated");
});

router.get(
  "/login-idp",
  passport.authenticate("saml", {
    failureFlash: true,
    failureRedirect: "/saml/auth/error",
    // successRedirect: '/saml/auth/success',
  }),
  function (req, res) {
    console.log("==> saml/login callback");
    res.redirect("/");
  }
);

router.post(
  "/login-idp/callback",
  bodyParser.urlencoded({ extended: false }),
  passport.authenticate("saml", {
    failureRedirect: "/login/fail",
    failureFlash: true,
  }),
  function (req, res) {
    console.log("==> login/callback");
    res.redirect("/");
  }
);

router.get("/login/fail", function (req, res) {
  res.status(401).send("Login failed");
});

router.get("/saml/metadata", function (req, res) {
  res.type("application/xml");
  res
    .status(200)
    .send(
      strategy.generateServiceProviderMetadata(
        fs.readFileSync("./certs/cert.pem", "utf8"),
      )
    );
});

module.exports = router;

package.json

{
  "name": "express-example-starter",
  "version": "1.0.0",
  "description": "An Express-based application skeleton",
  "main": "app.js",
  "scripts": {
    "start": "nodemon app.js localhost 8080"
  },
  "dependencies": {
    "@node-saml/passport-saml": "^4.0.4",
    "body-parser": "^1.20.2",
    "cookie-parser": "~1.4.4",
    "debug": "~2.6.9",
    "express": "~4.16.1",
    "express-session": "^1.17.3",
    "morgan": "~1.9.1",
    "passport": "^0.6.0",
    "saml2js": "^0.1.2",
    "samlify": "^2.8.10",
    "useragent": "^2.3.0"
  },
  "devDependencies": {
    "nodemon": "1.18.4"
  },
  "keywords": [
    "expressjs",
    "express"
  ]
}

I use jumploud as an idP

[srd90]

@SkunSHD Your question is duplicate at least all of these:

1. [BUG] When validating the SAML Response, it is assumed that the SAML Response ID attribute is the same as the SAML Assertion ID attribute node-saml#211
2. [BUG] Invalid document signature after upgrading from 2.2.0 to 4.0.1 #816
3. [BUG] After an upgrade from passport-saml to @node-saml/passport-saml, assertion validation stopped working with HTTP-POST binding with an error: SAML.validatePostResponseAsync, Invalid document signature #839
4. Assertion signature is missing in SAML Response when using Google Workspace #852
5. [BUG] Invalid document signature #859
6. Reference id not matching with documentElement id #863

---

See also e.g.:

Adding one more link to this issue's thread (just in case someone lands here with search engine or with github search):
See comment from discussions/671#discussioncomment-5261103 to see how to spot from authnresponse what sort of signatures it has and possibilities to configure @node-saml/passport-saml / @node-saml/node-saml if IdP side configuration management is not an option for you or if you rather modify SP side configuration.

source: #863 (comment)

---

It seems that you posted auth response as-is without any modifications. Doing so might open up some attack vectors see this: #816 (comment)

---

TL;DR; you are using @node-saml/passport-saml's (@node-saml/node-saml's) default configuration which is "response level signature and assertion signature are required" but your IdP is signing only assertion. Further information from issues linked above.

[srd90]

forgot to mention:
Next major release ( => 5.0.0 ) of passport-saml/node-saml combination shall remove support for this (path configuration option):

path: "login-idp/callback",

source of the quote: your passport-saml configuration

Consider start using configuration option callbackUrl.
Additional information from: node-saml/node-saml#214 (although this breaking change won't go unnoticed very easily due to this: node-saml/node-saml#214 (review) and click "Show resolved")

[dangtony98]

Hmm I've just stumbled into this issue myself as I'm trying to use this module for SAML with JumpCloud as the IdP. @SkunSHD were you able to resolve this issue?

From my preliminary glance, it doesn't look like response level signature is enforced as part of JumpCloud IdP (you can see in the above screenshot as well that there is only an option to check Sign Assertion). How would you recommend going about this with passport-saml? @srd90

[srd90]

@dangtony98 See this: #863 (comment) (especially part that links to this comment at somewhat unrelated discussion #671 (reply in thread) )

I do not make recommendations. You have to know your use cases and effects of SAML configuration choises and SAML protocol before adding support for SAML to your production envinronment (having said that look also this: #852 (comment) )

---

fwiw1: wiki page seems to be updated to contain link to ”signature option selection algorithm” https://github.com/node-saml/passport-saml/wiki/Common-Issues

fwiw2: @dangtony98 your GH profile leads to project that has issue about adding generic SAML support in order to provide wide support for various IdPs at enterprise environments. If you are asking these passport-saml questions due to that issue be aware that support for single logout is quite common expectation. You shall NOT get that support out of the box from passport-saml (see #419 ). This is not the correct place /issue/discussion to continue about this … just used this comment as a way to make you aware of this ”next issue in a series of issues you might run in to while adding and testing your SAML support”.