SAML Validation


Hi All, we are facing an issue during the SAML validation. Getting the following error:

{"fault":{"faultstring":"ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Error during signature validation","detail":{"errorcode":"steps.saml.ERROR_VALIDATING_SIGNATURE"}}}

I have attached the API Proxy that we are using; inside there is a JavaScript policy that contains the SAML Assertion (embedded in the code just to speed up the test).

Can someone who had the same error suggest how to proceed?

Thank you

Cosimo


@Cosimo, can you give us an example call? Looks like at least the assertion needs to be provided in the call.

Can you share the cert you use for validation?

Former Community Member

Hi @Cosimo wanted to make sure that since you are trying to validate an assertion (leveraging Apigee as the SAML SP) that you have uploaded the cert to the trust store? Here is a good writeup of how to do that.


Hi Prithpal, thanks for your suggestion. I am actually trying to use WSO2 as IDS, so I have a SAML assertion generated there and I want to validate it in Apigee with an API Proxy.

Former Community Member

Yes, I meant leveraging Apigee as the SP (Service Provider). Let me know if you are able to get further along after uploading the cert.


Hi, actually we have to use WSO2 as identity provider, and we uploaded the certificate of our WSO2 IDS.

The problem now is that during validation of the SAML Assertion we receive on our API Proxy trace flow the error

{"fault":{"faultstring":"ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Error during signature validation","detail":{"errorcode":"steps.saml.ERROR_VALIDATING_SIGNATURE"}}}.

The cert follows.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertsInfo>
  <CertInfo>
    <ExpiryDate>Fri, 28 Feb 2025 00:59:59 CET</ExpiryDate>
    <Issuer>CN=mlv_ca.ams.accenture.com, OU=mlv_ca.ams.accenture, O=mlv_ca.ams, L=Rome, ST=IT, C=IT</Issuer>
    <Subject>CN=mlv1.ams.accenture.com, OU=mlv1.ams.accenture, O=mlv1.ams, L=Rome, ST=IT, C=IT</Subject>
    <SubjectAlternativeNames/>
    <isValid>Yes</isValid>
    <ValidFrom>Tue, 03 Mar 2015 01:00:00 CET</ValidFrom>
    <Version>3</Version>
  </CertInfo>
  <Name>dcppTruststore</Name>
</CertsInfo>

Please let me know any suggestion.

Thank you

Cosimo

Former Community Member

Hi @Cosimo, can you test your proxy with a SAML assertion that is sent as a form post? In your sample you are populating the request.body variable directly in the JavaScript policy. Maybe use something like POSTMAN to test it out.

Also review the SAML Assertion policy to make sure you specify the XPATH (inside the Source) correctly. It would be great if you can upload any trace tool screenshots.


Hi @Prithpal Bhogill,

please see attached the SAML Assertion and the API Proxy configured for receiving the SAML Assertion in input as a POST request. We get the same error. Please let me know your thoughts; I appreciate your feedback. Cosimo


@Prithpal Bhogill any suggestion? Thanks


Hi Everyone, I am also facing a similar issue. I have a trust store configured which has a list of Telstra chain certs like this.

Keystore vhost_truststore_client

Truststore Telstra_CA_Chain.p7b

Telstra AD Object CA1

Telstra Policy CA1

Telstra Root CA

Attachments: trace.txt, samlassertion.txt

But I am still getting the ERROR_VALIDATING_SIGNATURE. I want to know how this validation works. Do I need to have the particular X509 cert configured in my trust store as well? Or will only the Telstra root cert chain suffice?

I am attaching the Apigee trace log and SAML assertion here for my request.

any resolution found on this?

Ask a new question please. You are posting this question as an "Answer".


Anyone found a solution to this? Please explain.

Ask a new question please.


I am also stuck with this issue. In my case, I had to create a Java callout policy to decode the base64 SAML and then pass it on to the SAML Validation policy. Even though the certificate in the truststore matches the one that is sent in the Assertion, I am still getting "Digital Signature Validation Failed/
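The two recurring questions in this thread (whether the truststore actually holds the certificate the assertion was signed with, and whether the assertion is still base64-encoded from the form post when the validation policy sees it) can be checked outside Apigee before touching the policy. The following is an added diagnostic example, not code from the thread or from Apigee; the SAML Response, the truststore PEM bundles and the "certificate" bytes are all constructed placeholders (the cert bytes are not real X.509 DER, only their SHA-256 fingerprints are compared), and the script only inspects the message, it does not verify the XML signature itself.

```python
import base64
import binascii
import hashlib
import re
import xml.etree.ElementTree as ET

# Namespace URIs used for lookups; the prefixes are only dictionary keys here.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificates" (NOT real X.509 DER): only their
# SHA-256 fingerprints matter for the truststore comparison below.
IDP_CERT_DER = b"CONSTRUCTED-IDP-SIGNING-CERT-PLACEHOLDER"
ROOT_CA_DER = b"CONSTRUCTED-ROOT-CA-PLACEHOLDER"


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64 body)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed SAML Response whose Assertion carries a Signature with the
# signing cert embedded in ds:KeyInfo, as most IdPs (WSO2 included) emit.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/>
      <ds:SignatureValue>c2ln</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(IDP_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# What the browser form post carries: the XML base64-encoded (constructed).
SAMPLE_FORM_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Constructed truststores: root CA only, and root CA plus the IdP signing cert.
TRUSTSTORE_ROOT_ONLY = to_pem(ROOT_CA_DER)
TRUSTSTORE_WITH_IDP = to_pem(ROOT_CA_DER) + to_pem(IDP_CERT_DER)


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def decode_saml_input(raw: str) -> str:
    """Return XML text; accepts raw XML or the base64 value of a form post."""
    stripped = raw.strip()
    if stripped.startswith("<"):
        return stripped
    try:
        return base64.b64decode(stripped, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("input is neither XML nor base64-encoded XML") from exc


def truststore_fingerprints(pem_bundle: str) -> set:
    """SHA-256 fingerprints of every CERTIFICATE block in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_bundle, re.S)
    return {fingerprint(base64.b64decode("".join(b.split()))) for b in blocks}


def diagnose(raw_input: str, truststore_pem: str) -> dict:
    """Report where the Assertion sits, whether it is signed, and whether the
    certificate in its KeyInfo is present in the truststore bundle."""
    root = ET.fromstring(decode_saml_input(raw_input))
    # The Assertion's position decides the XPath the validation policy's Source must use.
    if root.tag == f"{{{NS['saml']}}}Assertion":
        assertion, location = root, "/saml:Assertion"
    else:
        assertion = root.find("saml:Assertion", NS)
        location = "/samlp:Response/saml:Assertion" if assertion is not None else None
    result = {"assertion_location": location, "signature_present": False,
              "signing_cert_sha256": None, "signing_cert_in_truststore": False}
    if assertion is None:
        return result
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return result
    result["signature_present"] = True
    cert_el = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not (cert_el.text or "").strip():
        return result  # signed, but no embedded cert: the policy must rely on the truststore alone
    fp = fingerprint(base64.b64decode("".join(cert_el.text.split())))
    result["signing_cert_sha256"] = fp
    result["signing_cert_in_truststore"] = fp in truststore_fingerprints(truststore_pem)
    return result


if __name__ == "__main__":
    for name, store in (("root-only", TRUSTSTORE_ROOT_ONLY), ("with-idp", TRUSTSTORE_WITH_IDP)):
        print(name, diagnose(SAMPLE_FORM_SAMLRESPONSE, store))
```

Run it against the real SAMLResponse value from a browser trace and against the PEM export of the truststore: if the signing cert's fingerprint is not in the bundle, no amount of chain uploading will help, and if decode_saml_input has to base64-decode the input, the validation policy is being handed encoded text rather than XML unless something decodes it first.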

Ask a new question please.