I have configured ADFS connection with a client but when i am trying to login it is giving me error.
Signature is missing (xpath: /[local-name(.)=‘Assertion’]/[local-name(.)=‘Signature’ and namespace-uri(.)=‘XML-Signature Syntax and Processing’])",
can you please check
@jmangelo can you help me with this
When using an ADFS connection the ADFS instance will response with a SAML assertion that will be processed by the Auth0 service; from the error message it seems that assertion is missing the signature, however, it would be better to confirm what is actually returned.
You should be able to use the browser network tools to see the HTTP responses after completing the login in ADFS; one of those responses should contain a SAML assertion so it may be useful to share it here after redacting personal information.
Hello! I am having the exact same problem and the ADFS server does not send back any signature.
However it does not send an assertion either. It sends back a <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
which seems just fine.
Is there any configuration I should modify to have it working ?
Thanks
Usually within that response a SAML assertion (security token) would be present; what’s the contents of that response? Can you share a redacted version?
The content of what is sent to our callback ( https://ourdomain.eu.auth0.com/login/callback?connection=cnx) as Form data looks like :
<?xml version="1.0" encoding="UTF-8"?>
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2020-01-21T08:34:53.375Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2020-01-21T09:34:53.375Z</wsu:Expires>
</t:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>urn:auth0:digital-mediameeting</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=digital-mediameeting.eu.auth0.com</X509IssuerName>
<X509SerialNumber>2152784060097880944993</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>XXXX</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>XXXXXX</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</t:RequestedSecurityToken>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
Per (Connect Your App to ADFS) of our reference documentation we seem to instruct not to use encryption when configuring an ADFS connection and that response contains an encrypted security token. I confess I’m unsure if the reference docs are just a default option or if encryption is not supported at all for this connection type.
A possible test would be to configure ADFS to not send an encrypted response and see if the outcome changes.
1 Like
OK, thanks for the quick reply. I will try to reconfigure the ADFS without encryption.
Can we enable encryption for ADFS connection
1 Like
I confess I’m not sure if the ADFS connection supports encryption and I don’t have a readily available environment to try to test this. However, what I can say is if you have an ADFS instance and strictly need encryption of the returned assumptions you can always consider to use a SAML connection to integrate with the ADFS instance as encryption would be supported for SAML connections.