Error: Invalid signature at SAML.validatePostResponseAsyn

[feemia]

I use saml like this , and also saml Response
version "@node-saml/passport-saml": "^4.0.4",

passport.use(new SamlStrategy(
{
	entryPoint: 'https://adfs.test.com/adfs/ls',
	callbackUrl: host + '/login/callback',
	issuer:'web',
	privateKey:fs.readFileSync('sslcert/web.key', 'utf8'),
	cert:fs.readFileSync('sslcert/web.cert', 'utf8'),
	signatureAlgorithm: "sha256",
	identifierFormat: null,
    },
  function(profile, done) {   
      return done(null, profile);
  }
));

`<samlp:Response 
    ID="_81fbf105-c6fe-41b7-a88d-09328ac95a51" 
    Version="2.0" 
    IssueInstant="2023-08-28T09:12:16.277Z" 
    Destination="https://localhost:8080/login/callback" 
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" 
    InResponseTo="_0ae81f32f72a751d4c7f3487ae8741d3dbd96398" 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer 
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.test.com
    </Issuer>
    <samlp:Status>
        <samlp:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion 
        ID="_472767b5-ba06-46d3-b77e-1d1468e01f98" 
        IssueInstant="2023-08-28T09:12:16.277Z" 
        Version="2.0" 
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://adfs.test.com</Issuer>
        <ds:Signature 
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod 
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod 
                    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference 
                    URI="#_472767b5-ba06-46d3-b77e-1d1468e01f98">
                    <ds:Transforms>
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod 
                        Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>
                        qgvSUBMnqFGTkZK1tJdmxLTA1D7XCedR3nysUOeCgOU=
                    </ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>GXwL6cnDWPf....................................................EWfjGpToJ2i7Hjkjkjkj
                MZ0A==
            </ds:SignatureValue>
            <KeyInfo 
                xmlns="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>ERlMgU2lnbfxaDAfITwRPYYpbl..................................+1L+gdY/ilIhhLsCPx4aWO+At1SIgMgqIs6</ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </ds:Signature>
        <Subject>
            <NameID>user.name@test.com</NameID>
            <SubjectConfirmation 
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData 
                    InResponseTo="_0ae81f32f72a751d4c7f3487ae8741d3dbd96398" 
                    NotOnOrAfter="2023-08-28T09:17:16.277Z" 
                    Recipient="https://localhost:8080/login/callback" />
            </SubjectConfirmation>
        </Subject>
        <Conditions 
            NotBefore="2023-08-28T09:12:16.277Z" 
            NotOnOrAfter="2023-08-28T10:12:16.277Z">
            <AudienceRestriction>
                <Audience>web</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute 
                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
                <AttributeValue>user.name@test.com</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>User  name</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>user.name@test.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement 
            AuthnInstant="2023-08-28T09:12:16.182Z" 
            SessionIndex="_472767b5-ba06-46d3-b77e-1d1468e01f98">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>
`

but get error after click login

Error: Invalid signature
at SAML.validatePostResponseAsync (C:\Web\node_modules@node-saml\node-saml\lib\saml.js:522:27)

I've already try to use these config (wantAuthnResponseSigned: false,wantAssertionsSigned: false) but still no change

plz help me how can I solve this issue

[cjbarth]

Did you check the signature at samltool.com?

[feemia]

[srd90]

These values at @feemia 's configuration could mean that @feemia is using SP's certificate as a value for cert (which sould have IdP's certificate).

  ...
  issuer:'web',
  privateKey:fs.readFileSync('sslcert/web.key', 'utf8'),
  cert:fs.readFileSync('sslcert/web.cert', 'utf8'),
  ...

I.e. it sure looks based on naming that sslcert/web.cert's matching key would be sslcert/web.key's.

See: https://github.com/node-saml/passport-saml/blob/v4.0.4/README.md#core

• cert: the IDP's public signing certificate used to validate the signatures of the incoming SAML Responses...

[feemia]

I've asked admin about this , he gave me the new cer file
privateKey:fs.readFileSync('sslcert/urn_webview.key', 'utf8'),
cert:fs.readFileSync('sslcert/asigning.cer', 'utf8'),

no error, but he said, there isn't any request on server side

this is saml response
<samlp:Response ID="_7474d3dd-6399-4fb0-82e2-be979abc66df" Version="2.0" IssueInstant="2023-08-29T05:55:22.318Z" Destination="https://localhost:8084/login/callback" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_a2625ff1f5d2df6538c69c583731aeea80348145" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.test.com/adfs/services/trust </Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <Assertion ID="_de6e2a00-bb31-4059-bbbf-747015223dcc" IssueInstant="2023-08-29T05:55:22.318Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <Issuer>http://adfs.test.com/adfs/services/trust</Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI="#_de6e2a00-bb31-4059-bbbf-747015223dcc"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <ds:DigestValue>MFn0Nokqi+WrFfFioR5Tk96vOsduEtpsyiTRHA/m+ xI= </ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>Hu..............................................sJbtHvKa23ff+ Jmzg== </ds:SignatureValue> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate>MI.....................Wjhjhj</ds:X509Certificate> </ds:X509Data> </KeyInfo> </ds:Signature> <Subject> <NameID>User.name@test.com</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData InResponseTo="_a2625ff1f5d2df6538c69c583731aeea80348145" NotOnOrAfter="2023-08-29T06:00:22.318Z" Recipient="https://localhost:8080/login/callback" /> </SubjectConfirmation> </Subject> <Conditions NotBefore="2023-08-29T05:55:22.318Z" NotOnOrAfter="2023-08-29T06:55:22.318Z"> <AudienceRestriction> <Audience>web</Audience> </AudienceRestriction> </Conditions> <AttributeStatement> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"> <AttributeValue>User.name@test.com</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"> <AttributeValue>username </AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"> <AttributeValue>User.name@test.com</AttributeValue> </Attribute> </AttributeStatement> <AuthnStatement AuthnInstant="2023-08-29T05:23:25.562Z" SessionIndex="_de6e2a00-bb31-4059-bbbf-747015223dcc"> <AuthnContext> <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef> </AuthnContext> </AuthnStatement> </Assertion> </samlp:Response>

[feemia]

how about key, no need to change that also ?

[feemia]

Also the new one cert 's value similar to value inside of this tag ds:X509Datads:X509Certificate in Saml response, is that ok ?

[srd90]

how about key, no need to change that also ?

If you have leaked that key (e.g. by posting it to e.g. samltool) and you are going to use it also at production then definitely yes. Keep in mind that it is used to sign request sent by SP to IdP so if you change it you must provide/provision SP's certificate to IdP.

Consider reading: https://github.com/node-saml/passport-saml/blob/v4.0.4/README.md#core privateKey and https://github.com/node-saml/passport-saml/blob/v4.0.4/README.md#security-and-signatures

If you are not familiar with concept of public key cryptography and PKI use your favourite search engine to find more information.

Also the new one cert 's value similar to value inside of this tag ds:X509Datads:X509Certificate in Saml response, is that ok ?

You find all the answers regarding SAML 2.0 from these documents:

1. Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0
   OASIS Standard, 15 March 2005
   https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
2. Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0
   OASIS Standard, 15 March 2005
   https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
3. Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0
   OASIS Standard, 15 March 2005
   https://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf
4. https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html