Hi All,

Setting up a standard SAML 2.0 connection for an SP with NAM 4.2.1.0.29.


When I hit the SP URL and get redirected to the IDP, I see the
AuthnRequest, followed by an error on the IDP side: Warning: Invalid
resource key: Signature encoding error. No prefix!

I've tried a few different nameID settings based on an article I found
(which was very loosely linked to this issue); this didn't do anything.
Any ideas on where I might find more information/log on this error?
Anyone run into this before?

Samples of authnRequest and response below (any identifying details
removed and replaced with <snip>):

Code:
--------------------
************************* SAML2 Redirect message ********************************

Type: received
RelayState: None
<samlp:AuthnRequest AssertionConsumerServiceURL='https://abc.com/api/v1/users/saml' Destination='https://<snip>/nidp/saml2/sso' ID='_49399319-ab07-4b9d-b11c-cf189e7ec80e' IssueInstant='2016-10-12T02:26:53Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer>https://<snip>/api/v1/users/saml_metadata/2f0f8a64-06a8-41f5-8e58-c39ffe53dbfe</saml:Issuer></samlp:AuthnRequest>
************************* End SAML2 message ****************************

************************* SAML2 POST message ********************************

Type: sent
Sent to: https://<snip>/api/v1/users/saml RelayState: None
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://<snip>/api/v1/users/saml" ID="id452ZJ3QW2loI5L07EJsjXR-nVA0" InResponseTo="_49399319-ab07-4b9d-b11c-cf189e7ec80e" IssueInstant="2016-10-12T02:26:54Z" Version="2.0"><saml:Issuer>https://<snip>/nidp/saml2/metadata</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id452ZJ3QW2loI5L07EJsjXR-nVA0">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>09DU6OdJrQGInBI9xiIyIHbopkc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
<snip>
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
<snip>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode></samlp:Status></samlp:Response>
************************* End SAML2 message ****************************
--------------------



Thanks,

Glen.


--
gwickert
------------------------------------------------------------------------
gwickert's Profile: https://forums.netiq.com/member.php?userid=8224
View this thread: https://forums.netiq.com/showthread.php?t=56688
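Added example, not part of the original post: a small Python helper that rebuilds the HTTP-Redirect AuthnRequest and the POST Response from the log above (the hosts behind <snip> are replaced with constructed sp.example / idp.example values and the snipped signature with an empty stand-in element) and reports the fields to compare first when the IdP rejects the round trip: InResponseTo against the request ID, Destination against the AssertionConsumerServiceURL, the nested StatusCode chain, and whether the redirect carried SigAlg/Signature query parameters at all.

```python
import base64, zlib, xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed from the messages in the post; <snip> hosts replaced with sp.example / idp.example.
AUTHN_REQUEST = (
    "<samlp:AuthnRequest xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' "
    "xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' ID='_49399319-ab07-4b9d-b11c-cf189e7ec80e' "
    "AssertionConsumerServiceURL='https://sp.example/api/v1/users/saml' "
    "Destination='https://idp.example/nidp/saml2/sso' IssueInstant='2016-10-12T02:26:53Z' Version='2.0'>"
    "<saml:Issuer>https://sp.example/api/v1/users/saml_metadata/2f0f8a64-06a8-41f5-8e58-c39ffe53dbfe</saml:Issuer>"
    "</samlp:AuthnRequest>")
RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id452ZJ3QW2loI5L07EJsjXR-nVA0" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_49399319-ab07-4b9d-b11c-cf189e7ec80e" '
    'Destination="https://sp.example/api/v1/users/saml" IssueInstant="2016-10-12T02:26:54Z" Version="2.0">'
    '<saml:Issuer>https://idp.example/nidp/saml2/metadata</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'  # empty stand-in for the snipped signature
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode></samlp:Status></samlp:Response>')

def encode_redirect(xml):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header, hence wbits -15), base64, then URL-encode
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    return urlencode({"SAMLRequest": base64.b64encode(z.compress(xml.encode()) + z.flush()).decode()})

def decode_redirect(query):
    # Unpack what the IdP receives; a redirect-binding signature travels as SigAlg/Signature query parameters
    params = parse_qs(query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15))
    return {"id": root.get("ID"), "acs": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "signed": "SigAlg" in params and "Signature" in params}

def parse_response(xml):
    # Correlation fields plus the full nested StatusCode chain (top-level code first, then the detail code)
    root = ET.fromstring(xml)
    codes = [c.get("Value").rsplit(":", 1)[1] for c in root.iter("{%s}StatusCode" % NS["samlp"])]
    return {"in_response_to": root.get("InResponseTo"), "destination": root.get("Destination"),
            "status": codes, "signed": root.find("ds:Signature", NS) is not None}

def correlate(req, resp):
    # The checks an engineer runs first when the IdP answers an AuthnRequest with a non-Success status
    checks = [(resp["in_response_to"] != req["id"], "InResponseTo does not match the AuthnRequest ID"),
              (resp["destination"] != req["acs"], "Response Destination differs from the ACS URL"),
              (resp["status"][:1] != ["Success"], "IdP status " + "/".join(resp["status"])),
              (not req["signed"], "AuthnRequest sent without SigAlg/Signature parameters")]
    return [msg for failed, msg in checks if failed]
```

A Responder/RequestDenied chain means the IdP itself refused the request, so the reason is in the IdP's own log rather than in the Response.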