
SAML assertion was not signed properly with any of the certificates provided in the IdP metadata
Last Update: Feb 23, 2021 4:09:58 AM
Created date: Jun 23, 2018 5:16:57 AM
When trying to authenticate with SAML, an Error 400 Bad Request is displayed in the browser.
Looking into the Qlik Sense Proxy trace log (Trace/Audit_proxy), the following WARN message is logged: SAML assertion was not signed properly with any of the certificates provided in the IdP metadata
Comparing the SAML response with the IdP metadata shows, however, that the same certificate is used for signing, so the certificate itself is not the problem.
Environments:
- Qlik Sense Enterprise 3.0 to versions prior to February 2020
Resolution:
This has been resolved in the February 2020 release.
Cause:
Caused by QLIK-89285.
Due to a known issue in the third-party library used to implement SAML in Qlik Sense (ComponentSpace v2.6.10.0), Qlik Sense cannot validate a SAML response whose signature Reference does not contain the following exclusive canonicalization transform (the InclusiveNamespaces element is a child of that Transform):
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi" />
    </ds:Transform>
</ds:Transforms>
Below is an example of the SignedInfo fragment of a response that will NOT validate correctly in Qlik Sense (only the enveloped-signature transform is listed):
<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_1e1ed6a7c84fb5787ff829b0ba7a23b4">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
In order for the above to validate correctly, the IdP needs to produce the Reference with the exclusive canonicalization transform added after the enveloped-signature transform:
<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_1e1ed6a7c84fb5787ff829b0ba7a23b4">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi" />
            </ds:Transform>
        </ds:Transforms>
- Most third-party SAML identity providers include this transform, so it is unlikely to be a concern if you use one of them.
- However, if you have built your own SAML IdP, you must be aware of this and generate the SAML Response with the transform in it.
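The following diagnostic is an added example, not part of this Qlik article or of ComponentSpace: it parses the SignedInfo of a SAML Response and reports whether each signed Reference lists the exc-c14n transform that the affected Qlik Sense versions require. Note that the transform cannot be patched into an already-signed response, because SignedInfo is exactly what the signature covers; the fix belongs in the IdP's signing configuration. The two SignedInfo samples below are constructed from the fragments in this article.

```python
"""Check whether a SAML Response's Signature references carry the exclusive
canonicalization (exc-c14n) transform required by Qlik Sense before Feb 2020."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def check_reference_transforms(xml_text):
    """Return one dict per ds:Reference describing its Transform list and whether
    the exc-c14n transform (with its ec:InclusiveNamespaces child) is present."""
    root = ET.fromstring(xml_text)
    results = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        transforms = ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")
        algs = [t.get("Algorithm") for t in transforms]
        exc = next((t for t in transforms if t.get("Algorithm") == EXC_C14N), None)
        incl = exc.find(f"{{{EXC_C14N}}}InclusiveNamespaces") if exc is not None else None
        results.append({
            "uri": ref.get("URI"),
            "algorithms": algs,
            "has_enveloped": ENVELOPED in algs,
            "has_exc_c14n": exc is not None,
            "prefix_list": incl.get("PrefixList", "").split() if incl is not None else [],
        })
    return results


def qlik_will_validate(xml_text):
    """True only if there is at least one Reference and every one lists exc-c14n."""
    results = check_reference_transforms(xml_text)
    return bool(results) and all(r["has_exc_c14n"] for r in results)


# Constructed samples: the article's two SignedInfo fragments, closed so they parse.
# Digest elements are omitted because only the Transforms are inspected here.
_HEAD = ('<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
         '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
         '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
         '<ds:Reference URI="#_1e1ed6a7c84fb5787ff829b0ba7a23b4"><ds:Transforms>'
         '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>')
_TAIL = '</ds:Transforms></ds:Reference></ds:SignedInfo>'
REJECTED_SIGNED_INFO = _HEAD + _TAIL          # only enveloped-signature: Qlik rejects
ACCEPTED_SIGNED_INFO = (_HEAD
    + '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
    + '<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" '
      'PrefixList="ds saml xs xsi"/></ds:Transform>' + _TAIL)

if __name__ == "__main__":
    for name, doc in (("rejected", REJECTED_SIGNED_INFO), ("accepted", ACCEPTED_SIGNED_INFO)):
        print(name, qlik_will_validate(doc), check_reference_transforms(doc))
```

To inspect a real response, base64-decode the SAMLResponse form field and pass the resulting XML text to check_reference_transforms.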