Question by Cosimo · Jun 23, 2015 at 03:29 PM · 1k Views saml

SAML Validation

Hi All, we are facing an issue during the SAML validation. Getting the following error:

{"fault":{"faultstring":"ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Error during signature validation","detail":{"errorcode":"steps.saml.ERROR_VALIDATING_SIGNATURE"}}}

I have attached the API Proxy that we are using; inside there is a JavaScript policy that contains the SAML Assertion (nested into the code just to speed up the test).

Can someone who had the same error suggest how to proceed?

Thank you

Cosimo

apisamlvalidate-1-rev4-2015-06-231.zip (8.5 kB)
Mike Dunker ♦♦ · Jun 23, 2015 at 04:15 PM

@Cosimo, can you give us an example call? Looks like at least the assertion needs to be provided in the call.

gnanasekaran ♦ · Jun 23, 2015 at 11:20 PM

Can you share the cert you use for validation?


8 Answers


Answer by pbhogill · Jun 23, 2015 at 11:32 PM

Hi @Cosimo, I wanted to make sure that, since you are trying to validate an assertion (leveraging Apigee as the SAML SP), you have uploaded the cert to the trust store. Here is a good writeup of how to do that.


Answer by Cosimo · Jun 24, 2015 at 12:49 PM

Hi Prithpal, thanks for your suggestion. I am actually trying to use WSO2 as IDS, so I have a SAML assertion generated there and I want to validate it in Apigee with an API Proxy.

pbhogill ♦ · Jun 24, 2015 at 04:12 PM

Yes, I meant leveraging Apigee as the SP (Service Provider). Let me know if you are able to get further along after uploading the cert.


Answer by Cosimo · Jun 24, 2015 at 06:02 PM

Hi, actually we have to use WSO2 as identity provider and we uploaded the certificate of our WSO2 IDS.

The problem now is that during validation of the SAML Assertion we receive the following error in our API Proxy trace flow:

{"fault":{"faultstring":"ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Error during signature validation","detail":{"errorcode":"steps.saml.ERROR_VALIDATING_SIGNATURE"}}}.

The cert follows.

Fri, 28 Feb 2025 00:59:59 CET
CN= mlv_ca.ams.accenture.com, OU=mlv_ca.ams.accenture, O=mlv_ca.ams, L=Rome, ST=IT, C=IT
CN= mlv1.ams.accenture.com, OU=mlv1.ams.accenture, O=mlv1.ams, L=Rome, ST=IT, C=IT
Yes
Tue, 03 Mar 2015 01:00:00 CET
3
dcppTruststore

Please let me know any suggestion.

Thank you

Cosimo

pbhogill ♦ · Jun 24, 2015 at 06:38 PM

Hi @Cosimo, can you test your proxy with a SAML assertion that is sent as a form post? In your sample you are populating the request.body variable directly in a JavaScript policy. Maybe use something like POSTMAN to test it out.

Also review the SAML Assertion policy to make sure you specify the XPATH (inside the source) correctly. Would be great if you can upload any trace tool screen shots.


Answer by Cosimo · Jun 25, 2015 at 10:13 AM

Hi @Prithpal Bhogill,

please see attached the SAML Assertion and the API Proxy configured for receiving the SAML Assertion in input as a POST request. We get the same error. Please let me know your thoughts; I appreciate your feedback. Cosimo


saml-assertion-and-api-proxy.zip (46.2 kB)

Answer by Cosimo · Jun 30, 2015 at 08:32 AM

@Prithpal Bhogill any suggestion? Thanks


Answer by Harshit · Feb 01, 2017 at 01:46 AM

Hi everyone, I am also facing a similar issue. I have a trust store configured which has a list of Telstra chain certs like this.

Keystore vhost_truststore_client

Truststore Telstra_CA_Chain.p7b

Telstra AD Object CA1

Telstra Policy CA1

Telstra Root CA

But I am still getting the ERROR_VALIDATING_SIGNATURE. I want to know how this validation works. Do I need to have the particular X509 cert configured in my trust store as well, or will only the Telstra root cert chain suffice?

I am attaching the Apigee trace log and SAML assertion here for my request.


trace.txt (23.5 kB)
samlassertion.txt (4.2 kB)
smenon2 · Jul 06, 2017 at 06:35 PM

Any resolution found on this?

Dino-at-Google ♦♦ · Oct 08, 2018 at 11:46 PM

Ask a new question pls. You are posting this question as an "Answer".


Answer by Arjun Singh · Aug 31, 2018 at 08:52 AM

Anyone found a solution to this? Please explain.

Dino-at-Google ♦♦ · Oct 08, 2018 at 11:46 PM

Ask a new question pls.


Answer by karthik Nagarajan · Oct 08, 2018 at 10:55 PM

I am also stuck with this issue. In my case, I had to create a Java callout policy to decode the base64 SAML and then pass it on to the SAML Validation policy. Even though the certificate in the truststore matches the one that is sent in the Assertion, I am still getting "Digital Signature Validation Failed".

Dino-at-Google ♦♦ · Oct 08, 2018 at 11:46 PM

Ask a new question pls.
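A check for the truststore and base64 points raised in the thread above, as an added example that is not part of the original posts and is not Apigee's own code: it decodes the assertion if it arrives base64-encoded, pulls the certificate embedded in `ds:Signature`, and reports whether it is byte-for-byte one of the certificates uploaded to the truststore. The function names and the sample data are assumptions constructed for illustration.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def load_assertion(raw):
    """Parse raw XML, or base64-encoded XML as carried in a form post."""
    text = raw.strip()
    if not text.startswith("<"):
        text = base64.b64decode("".join(text.split()), validate=True).decode("utf-8")
    return ET.fromstring(text)

def pem_fingerprint(pem):
    """SHA-256 over the DER bytes inside a PEM certificate."""
    body = re.sub(r"-----[A-Z ]+-----|\s+", "", pem)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def embedded_fingerprints(root):
    """Fingerprints of certs in ds:Signature elements directly under a saml:Assertion."""
    path = "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    found = []
    for assertion in root.iter("{%s}Assertion" % NS["saml"]):  # includes root itself
        for cert in assertion.findall(path, NS):
            b64 = "".join((cert.text or "").split())
            if b64:
                found.append(hashlib.sha256(base64.b64decode(b64)).hexdigest())
    return found

def diagnose(raw, truststore_pems):
    """Return 'match', 'mismatch' or 'no-embedded-cert'."""
    embedded = embedded_fingerprints(load_assertion(raw))
    if not embedded:
        return "no-embedded-cert"
    trusted = {pem_fingerprint(p) for p in truststore_pems}
    return "match" if trusted.intersection(embedded) else "mismatch"

# Constructed sample data: the byte strings stand in for DER certificates and
# the Signature element is trimmed to the KeyInfo part this check reads.
def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

IDP_DER, OTHER_DER = b"constructed IdP signing cert", b"constructed unrelated cert"
SAMPLE = ('<saml:Assertion xmlns:saml="%s" ID="_a1"><ds:Signature xmlns:ds="%s">'
          '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
          '</ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>'
          % (NS["saml"], NS["ds"], base64.b64encode(IDP_DER).decode()))
if __name__ == "__main__":
    print(diagnose(SAMPLE, [to_pem(IDP_DER)]), diagnose(SAMPLE, [to_pem(OTHER_DER)]))
```

A `match` only shows that the uploaded certificate is the one embedded in the assertion; it does not verify the signature, which still fails if the XML was altered after signing.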
