Hi All, we are facing an issue during the SAML validation. We are getting the following error:
{"fault":{"faultstring":"ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Error during signature validation","detail":{"errorcode":"steps.saml.ERROR_VALIDATING_SIGNATURE"}}}
I have attached the API Proxy that we are using. Inside there is a JavaScript policy that contains the SAML Assertion (nested in the code just to speed up the test).
Can someone who had the same error suggest how to proceed?
Thank you
Cosimo
@Cosimo, can you give us an example call? Looks like at least the assertion needs to be provided in the call.
Answer by pbhogill · Jun 23, 2015 at 11:32 PM
Hi @Cosimo, wanted to make sure that, since you are trying to validate an assertion (leveraging Apigee as the SAML SP), you have uploaded the cert to the trust store? Here is a good writeup of how to do that.
Answer by Cosimo · Jun 24, 2015 at 12:49 PM
Hi prithpal, thanks for your suggestion. I am actually trying to use WSO2 as IDS, so I have a SAML assertion generated there and I want to validate it in Apigee with an API Proxy.
Yes, I meant leveraging Apigee as the SP (Service Provider). Let me know if you are able to get further along after uploading the cert.
Answer by Cosimo · Jun 24, 2015 at 06:02 PM
Hi, actually we have to use WSO2 as identity provider and we uploaded the certificate of our WSO2 IDS.
The problem now is that, during validation of the SAML Assertion, we receive the following error in our API Proxy trace flow:
{"fault":{"faultstring":"ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Error during signature validation","detail":{"errorcode":"steps.saml.ERROR_VALIDATING_SIGNATURE"}}}.
The cert follows.
Fri, 28 Feb 2025 00:59:59 CET CN= mlv_ca.ams.accenture.com, OU=mlv_ca.ams.accenture, O=mlv_ca.ams, L=Rome, ST=IT, C=IT CN= mlv1.ams.accenture.com, OU=mlv1.ams.accenture, O=mlv1.ams, L=Rome, ST=IT, C=IT Yes Tue, 03 Mar 2015 01:00:00 CET 3 dcppTruststore
Please let me know any suggestion.
Thank you
Cosimo
Hi @Cosimo, can you test your proxy with a SAML assertion that is sent as a form post? In your sample you are populating the request.body variable directly in the JavaScript policy. Maybe use something like POSTMAN to test it out.
Also review the SAML Assertion policy to make sure you specify the XPATH (inside the source) correctly. Would be great if you can upload any trace tool screen shots.
Answer by Cosimo · Jun 25, 2015 at 10:13 AM
Please see attached the SAML Assertion and the API Proxy configured for receiving the SAML Assertion in input as a POST request. We get the same error. Please let me know your thoughts, appreciate your feedback. Cosimo
Answer by Harshit · Feb 01, 2017 at 01:46 AM
Hi Everyone, I am also facing a similar issue. I have a trust store configured which has a list of Telstra chain certs like this.
Keystore vhost_truststore_client
Truststore Telstra_CA_Chain.p7b
Telstra AD Object CA1
Telstra Policy CA1
Telstra Root CA
trace.txt samlassertion.txt
But I am still getting the ERROR_VALIDATING_SIGNATURE. I want to know how this validation works. Do I need to have the particular X509 cert configured in my trust store as well? Or will only the Telstra root cert chain suffice?
I am attaching the Apigee trace log and SAML assertion here for my request.
Ask a new question pls. You are posting this question as an "Answer".
Answer by karthik Nagarajan · Oct 08, 2018 at 10:55 PM
I am also stuck with this issue. In my case, I had to create a Java callout policy to decode the base64 SAML and then pass it on to the SAML Validation policy. Even though the certificate in the truststore matches the one that is sent in the Assertion, I am still getting "Digital Signature Validation Failed".
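A pre-check for the situation discussed in this thread, added here as an example and not written by any poster or by Apigee: it takes an assertion as raw XML or as the base64 value of a form post, and reports for each `ds:Signature` which element it sits in, whether its `Reference` URI points at that element's `ID`, and whether the embedded certificate has the same SHA-256 fingerprint as the certificate you uploaded. The function names and sample data are constructed; the script does not verify the signature and assumes nothing about how the policy evaluates trust.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

def cert_fingerprint(b64_or_pem: str) -> str:
    """SHA-256 of the DER bytes; accepts PEM or the bare base64 of ds:X509Certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", b64_or_pem or "")
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def inspect_signatures(payload: str, trusted_pem: str) -> list:
    """One finding per ds:Signature. Checks preconditions only, not the signature value."""
    text = payload.strip()
    if not text.startswith("<"):            # form-posted value: base64-decode first
        text = base64.b64decode(text).decode("utf-8")
    root = ET.fromstring(text)              # use on your own test captures only
    parent_of = {child: parent for parent in root.iter() for child in parent}
    trusted = cert_fingerprint(trusted_pem)
    findings = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        signed = parent_of.get(sig)         # enveloped signature: parent is the signed element
        if signed is None:
            continue
        ref = sig.find(f".//{{{DS}}}Reference")
        cert = sig.find(f".//{{{DS}}}X509Certificate")
        findings.append({
            "signed_element": signed.tag.split("}")[-1],
            "reference_matches_id": ref is not None
                and ref.get("URI") == "#" + signed.get("ID", ""),
            "embedded_cert_trusted": None if cert is None
                else cert_fingerprint(cert.text) == trusted,
        })
    return findings

# Constructed sample data: the "certificate" bytes are a placeholder, not a real X.509 cert.
FAKE_DER_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
TRUSTED_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER_B64}\n-----END CERTIFICATE-----\n"
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_DER_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature></saml:Assertion>"""

if __name__ == "__main__":
    print(inspect_signatures(base64.b64encode(SAMPLE.encode()).decode(), TRUSTED_PEM))
```

A result of `None` for `embedded_cert_trusted` means the signature carries no `ds:X509Certificate`, so there is nothing to compare against the uploaded certificate.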