I'm attempting to set up a SAML2 external IDP to access an application
protected by NAM (we're on a really old version, 3.1.4). The assertion
comes in from the IDP with the digital signature, but I get an error in
the log saying "Validation failure on message from
https://app.onelogin.com/saml/metadata/437394 : Digital signature is
required". Not sure what is causing the error. Below is a snippet from
the log file. Any ideas or suggestions on how to solve this would be
greatly appreciated. Thanks.


Code:
--------------------
<amLogEntry seq="13087" d="2015-04-02T16:25:27Z" lg="SAML2" lv="DEBUG" th="28" ><msg>Method: SAML2Profile.traceMessage
************************* SAML2 POST message ********************************
&lt;samlp:Response xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:samlp=&quot;urn:oasis:names:tc:SAML:2.0:protocol&quot; ID=&quot;pfx0514fff4-61b2-9267-d50a-fee9bef0056b&quot; Version=&quot;2.0&quot; IssueInstant=&quot;2015-04-02T16:25:23Z&quot; Destination=&quot;https://uatids.wponet.com/nidp/saml2...consumer&quot; InResponseTo=&quot;idmffZ0UjRz2LWaB0qGUssyfLh6lE&quot;&gt;&lt;saml:Issuer&gt;http://tinyurl.com/pwhbbbb xmlns:ds=&quot;http://tinyurl.com/6r32d8 Algorithm=&quot;http://tinyurl.com/997mq2a Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rs...t;ds:Reference URI=&quot;#pfx0514fff4-61b2-9267-d50a-fee9bef0056b&quot;&gt;&lt;ds:Transforms&gt;&lt;ds:Transform Algorithm=&quot;http://tinyurl.com/6r32d8 Algorithm=&quot;http://tinyurl.com/997mq2a Algorithm=&quot;http://tinyurl.com/6r32d8 Value=&quot;urn:oasis:names:tc:SAML:2.0:status:Success&quot;/&gt;&lt;/samlp:Status&gt;&lt;saml:Assertion xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xs=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; Version=&quot;2.0&quot; ID=&quot;A77afba1c24b98a9e1259ace53a32336f49f6418c&quot; IssueInstant=&quot;2015-04-02T16:25:23Z&quot;&gt;&lt;saml:Issuer&gt;http://tinyurl.com/ky6xms9 Format=&quot;urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress&quot;&gt;P000250691&lt;/saml:NameID&gt;&lt;saml:SubjectConfirmation Method=&quot;urn:oasis:names:tc:SAML:2.0:cm:bearer&quot;&gt;&lt;saml:SubjectConfirmationData NotOnOrAfter=&quot;2015-04-02T16:28:23Z&quot; Recipient=&quot;https://uatids.wponet.com/nidp/saml2...consumer&quot; InResponseTo=&quot;idmffZ0UjRz2LWaB0qGUssyfLh6lE&quot;/&gt;&lt;/saml:SubjectConfirmation&gt;&lt;/saml:Subject&gt;&lt;saml:Conditions NotBefore=&quot;2015-04-02T16:22:23Z&quot; NotOnOrAfter=&quot;2015-04-02T16:28:23Z&quot;&gt;&lt;saml:AudienceRestriction&gt;&lt;saml:Audience&gt;http://tinyurl.com/mv6v8nt AuthnInstant=&quot;2015-04-02T16:25:22Z&quot; 
SessionNotOnOrAfter=&quot;2015-04-03T16:25:23Z&quot; SessionIndex=&quot;_c652adf0-bb82-0132-3be6-38ca3a662f1c&quot;&gt;&lt;saml:AuthnContext&gt;&lt;saml:AuthnContextClassRef&gt;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport&lt;/saml:AuthnContextClassRef&gt;&lt;/saml:AuthnContext&gt;&lt;/saml:AuthnStatement&gt;&lt;/saml:Assertion&gt;&lt;/samlp:Response&gt;
************************* End SAML2 message ****************************</msg></amLogEntry>
<amLogEntry seq="13088" d="2015-04-02T16:25:27Z" lg="SAML2" lv="DEBUG" th="28" ><msg>Method: SAML2AuthnContext.parse
<amLogEntry seq="13089" d="2015-04-02T16:25:27Z" lg="SAML2" lv="DEBUG" th="28" ><msg>Method: SAML2Profile.validatePreBrokering
Processing artifact for pre-brokering, provider= https://app.onelogin.com/saml/metadata/437394 and relayState = MA==</msg></amLogEntry>
<amLogEntry seq="13090" d="2015-04-02T16:25:27Z" lg="SAML2" lv="DEBUG" th="28" ><msg>Method: SAML2Profile.validatePreBrokering
<amLogEntry seq="13091" d="2015-04-02T16:25:27Z" lg="IDFF" lv="INFO" th="28" ids="AM#500106006: AMDEVICEID#E65CCAEB01261AC5: " ><msg>Validation failure on message from https://app.onelogin.com/saml/metadata/437394 : Digital signature is required</msg></amLogEntry>
<amLogEntry seq="13092" d="2015-04-02T16:25:27Z" lg="SAML2" lv="WARNING" th="28" ><msg>Exception message: &quot;NIDPLOGGING.300101017&quot;
SAML2Assertion.java, Line: 301, Method: validate
SAML2AuthenticationHandler.java, Line: 150, Method: verifyResponse
SAML2SSOProfile.java, Line: 519, Method: processResponse
SAML2SSOProfile.java, Line: 492, Method: processResponse
SAML2Profile.java, Line: 290, Method: handleInBoundMessage
SAML2SSOProfile.java, Line: 474, Method: processResponse
SAML2Handler.java, Line: 544, Method: handleSSO
SAML2Handler.java, Line: 239, Method: handleRequest
SAML2MeDescriptor.java, Line: 600, Method: handleRequest
CMD: /saml2, assertion_consumer: 4
CMD: /saml2, metadata: 2
CMD: /saml2, sso: 2
--------------------


--
mm977g
------------------------------------------------------------------------
mm977g's Profile: https://forums.netiq.com/member.php?userid=4811
View this thread: https://forums.netiq.com/showthread.php?t=53249
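In the traced response above, the ds:Signature sits on the outer samlp:Response (its Reference URI points at the Response ID) while the saml:Assertion inside carries none, which is the situation an SP that insists on a signed assertion reports as a missing signature. The following added diagnostic (editor's example, not code from the post or from NAM) reports which of the two elements actually carries an enveloped signature; the embedded response is a constructed sample shaped like the posted one, with placeholder IDs and URLs.

```python
# Added diagnostic: which parts of a SAML 2.0 Response carry an enveloped XML
# signature? An SP that demands a signed <saml:Assertion> rejects a response whose
# only signature sits on the outer <samlp:Response>. Standard library only; this
# checks signature placement and Reference URIs, it verifies no signature value.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def signature_targets(element):
    """Reference URIs of ds:Signature children of `element` (enveloped placement)."""
    return [ref.get("URI", "")
            for sig in element.findall("ds:Signature", NS)
            for ref in sig.findall("ds:SignedInfo/ds:Reference", NS)]


def signature_report(xml_text):
    """Return {'response_signed', 'assertion_signed', 'issues'}. An element counts
    as signed only if a child ds:Signature references its own ID ('#' + ID)."""
    root, issues = ET.fromstring(xml_text), []

    def signed(el, label):
        own, targets = "#" + el.get("ID", ""), signature_targets(el)
        if not targets:
            issues.append(f"{label} carries no enveloped signature")
        elif own not in targets:
            issues.append(f"{label} signature references {targets}, not {own}")
        return own in targets

    response_ok = signed(root, "samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        issues.append("no plaintext saml:Assertion (missing or encrypted)")
    assertion_ok = bool(assertions) and all(signed(a, "saml:Assertion") for a in assertions)
    return {"response_signed": response_ok, "assertion_signed": assertion_ok, "issues": issues}


# Constructed sample shaped like the posted response: signed Response, unsigned
# Assertion. IDs and URLs are made-up placeholders, not values from the post.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="pfxRESPONSE" Version="2.0">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#pfxRESPONSE"/></ds:SignedInfo>
  <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="A_ASSERTION" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer></saml:Assertion>
</samlp:Response>"""
```

Running `signature_report(SAMPLE)` on the constructed sample reports the Response as signed and the Assertion as unsigned; a signature whose Reference URI does not match the enclosing element's ID is listed under issues as well, since it would not protect that element.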