SAML assertion was not signed properly with any of the certificates provided in the IdP metadata
Damien_Villaret (Support)

Last Update: Feb 23, 2021 4:09:58 AM
Updated By: Sonja_Bauernfeind
Created date: Jun 23, 2018 5:16:57 AM

When trying to authenticate with SAML, an Error 400 Bad Request is displayed in the browser.
The Qlik Sense Proxy log (Trace/Audit_proxy) shows the following WARN message: SAML assertion was not signed properly with any of the certificates provided in the IdP metadata

Looking at the SAML response and at the IdP metadata, however, the same certificate is used for signing in both.

Environments:

  • Qlik Sense Enterprise 3.0 to versions prior to February 2020

Resolution:

This has been resolved in the February 2020 release.

Cause:

Caused by QLIK-89285.

Due to a known issue in the third-party library used to implement SAML in Qlik Sense (ComponentSpace v2.6.10.0), Qlik Sense cannot validate a SAML response whose signature Reference does not contain the following exclusive-canonicalization transform inside ds:Transforms:

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/>
</ds:Transform>

Below is an example of a SignedInfo that will NOT validate correctly in Qlik Sense (only the enveloped-signature transform is listed):

<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#_1e1ed6a7c84fb5787ff829b0ba7a23b4">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </ds:Transforms>
  </ds:Reference>
</ds:SignedInfo>

For the above to validate correctly, the Transforms list must be altered as follows (the exclusive-c14n transform with its InclusiveNamespaces added after the enveloped-signature transform):

<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#_1e1ed6a7c84fb5787ff829b0ba7a23b4">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/>
      </ds:Transform>
    </ds:Transforms>
  </ds:Reference>
</ds:SignedInfo>
  • Most third-party SAML providers include this transform, so it should not be a concern if you use one of those SAML IdPs.
  • However, if you have built your own SAML IdP, you must be aware of this and generate the SAML Response with the transform in it.
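As an added diagnostic (not Qlik's or ComponentSpace's code), the following Python script parses a SAML Response and reports, per ds:Reference, whether the exclusive-c14n Transform and the ec:InclusiveNamespaces element described above are present, which tells you in advance whether a pre-February-2020 Qlik Sense will reject it. The two sample responses are constructed from the SignedInfo shown above with a placeholder SignatureValue, and all function and variable names are my own.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the SAML Response's XML Signature block.
DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"


def check_transforms(saml_response_xml: str) -> list:
    """For every ds:Reference in the signature, report
    (URI, has exclusive-c14n Transform, has ec:InclusiveNamespaces)."""
    root = ET.fromstring(saml_response_xml)
    findings = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        algorithms = {t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")}
        # Look for InclusiveNamespaces anywhere under the Reference, so both
        # the nested form and a flattened sibling form are recognised.
        has_incl_ns = ref.find(f".//{{{EXC_C14N}}}InclusiveNamespaces") is not None
        findings.append((ref.get("URI"), EXC_C14N in algorithms, has_incl_ns))
    return findings


def will_validate_pre_feb2020(saml_response_xml: str) -> bool:
    """True only if every Reference carries both items the article lists."""
    findings = check_transforms(saml_response_xml)
    return bool(findings) and all(c14n and incl for _, c14n, incl in findings)


# Constructed sample modelled on the article's failing SignedInfo; the
# SignatureValue is a placeholder, so this only exercises the transform check.
SAML_RESPONSE_MISSING_TRANSFORM = """<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_1e1ed6a7c84fb5787ff829b0ba7a23b4">
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_1e1ed6a7c84fb5787ff829b0ba7a23b4">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </ds:Transforms>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</samlp:Response>"""

# Same response with the exclusive-c14n transform the article requires added.
SAML_RESPONSE_WITH_TRANSFORM = SAML_RESPONSE_MISSING_TRANSFORM.replace(
    "</ds:Transforms>",
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
    '<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"'
    ' PrefixList="ds saml xs xsi"/></ds:Transform></ds:Transforms>')
```

Run `check_transforms` on a Response captured from your own IdP (for example with a browser SAML tracer) to see which References lack the transform; it does not verify the signature itself, only the transform list ComponentSpace v2.6.10.0 depends on.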