SAML Digital Signature check fails on Apigee-generated assertion. Bug in Apigee?

Hello,

I configured SAML Generation and Validation policies.

When they are joined one after another in proxy flow, the signature check is ok.

Also, when I generate a SAML Assertion from SOAP UI, it passes the signature check in the Validation flow.

The error appears when I generate an assertion, then copy what Apigee has generated and send it to the validation endpoint: I get "Digital Signature Validation Failed". What could be the cause of such behavior?

Note that I don't modify the response with Assertion in any way, just copy and paste.

The request from SOAP UI can be copied and validated successfully; it seems that only the Apigee-generated one is affected.

5833-apigee.png

ACCEPTED SOLUTION

After spending a day trying to figure out what was wrong, I finally found the culprit - it was Postman. It pretty-printed the XML in the response, which should be disabled.

Also, when I copied from the Trace tool, there were no newlines at all, which is also wrong.

An XML signature is sensitive to all whitespace and line endings, so the message should be preserved as-is.

Wrong:

5838-wrong.png

Correct:

5839-correct.png
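A sketch of why both copies fail, added here as an example and not part of the original post or of Apigee's code. It assumes a constructed sample assertion and uses Python's standard-library C14N 2.0 as a stand-in for whichever canonicalization the signing policy applies; canonicalization smooths over attribute quoting but keeps whitespace between elements, so the digest changes.

```python
import hashlib
import xml.dom.minidom
from xml.etree.ElementTree import canonicalize

# Constructed sample: a minimal assertion as a signer might emit it,
# with newlines between elements. Not real Apigee output.
ORIGINAL = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">\n'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>\n'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>\n'
    '</saml:Assertion>'
)


def c14n_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form of the document."""
    # Stand-in canonicalization (C14N 2.0). Whitespace-only text nodes
    # inside the document element are kept, exactly like other content.
    canonical = canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pretty_print(xml_text: str) -> str:
    """Mimic a client's pretty view: re-indents and adds newlines."""
    return xml.dom.minidom.parseString(xml_text).toprettyxml(indent="  ")


def strip_newlines(xml_text: str) -> str:
    """Mimic a copy that loses every line break."""
    return xml_text.replace("\r", "").replace("\n", "")


def survives(original: str, received: str) -> bool:
    """True if the received copy still hashes to the signed digest."""
    return c14n_digest(original) == c14n_digest(received)


if __name__ == "__main__":
    copies = {
        "byte-for-byte copy": ORIGINAL,
        "attribute quotes changed": ORIGINAL.replace('"', "'"),
        "pretty-printed": pretty_print(ORIGINAL),
        "newlines stripped": strip_newlines(ORIGINAL),
    }
    for label, received in copies.items():
        verdict = "digest matches" if survives(ORIGINAL, received) else "digest differs"
        print(f"{label:26} {verdict}")
```

To keep the assertion intact between the two proxies, save the raw response body to a file or copy it from a raw (non-pretty) view.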


4 REPLIES

Looks like Apigee doesn't generate a WS-Security token, while Soap UI does. But then again, it doesn't explain this issue.

Can you please elaborate? I am still stuck on "Digital Signature Validation Failed".

rm11
New Member

Hi KirillAgeev,

Could you let me know how to resolve this issue?