
Working with PingFederate (Was: Re: zxid and shared/distributed filesystems?)

Eric Rybski wrote:
> I'm having an issue getting digital signature validation working with a
> PingFederate IdP instance. The PF IdP metadata (cached in my cot/) includes
> a certificate, the POST SAMLResponse contains a signature, and I have the
> IdP CA cert in my /var/zxid/pem/ca.pem. But I keep getting errors like:
>
> t  zxidsso.c:559 zxid_sp_sso_finalize zx E SSO warn: assertion not signed.
> Sigval((null)) (nil)

Checked your attachments. The assertion really is not signed.

The SAML spec is unambiguous: if in metadata
SPSSODescriptor/@WantAssertionsSigned is true, then
the IdP MUST sign the Assertion.

I ship ZXID with WANT_SSO_A7N_SIGNED=1, so unless you have changed
this setting, it would appear that PingFederate is not honouring
this part of the metadata.

Please check this.

> I've currently worked around this by setting "NOSIG_FATAL=0" in the
> zxid.conf, but this isn't a long-term solution.

> Overall, other than the above mentioned issues, the library is
> working OK so far with a PingFederate IdP and perfectly with
> ssocircle.com.

I once had a thread about shipping the ssocircle IdP metadata
with ZXID, but somehow it never happened. Can you share
the ssocircle metadata with me (or the list)?

Cheers,
--Sampo

> Thanks,
> Eric
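The distinction at the heart of this thread is where the ds:Signature sits: a signature directly under samlp:Response covers the envelope, but SPSSODescriptor/@WantAssertionsSigned="true" asks for a signature directly under saml:Assertion. The script below is an added illustration (not ZXID code and not part of the original thread): it reads the SP metadata flag, decodes a POST-binding SAMLResponse, and reports which elements carry their own signature, then applies the metadata rule. The nosig_fatal parameter is a stand-in for the NOSIG_FATAL workaround mentioned above. The sample metadata and responses are constructed inline; the function and variable names are the example's own assumptions, and no cryptographic verification of the signatures is performed, only their placement is checked.

```python
# Added example: structural check of ds:Signature placement in a SAML 2.0
# Response against SPSSODescriptor/@WantAssertionsSigned. Hypothetical
# reimplementation of the idea, not ZXID code; it does NOT verify signatures.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}


def want_assertions_signed(sp_metadata_xml):
    """True if SPSSODescriptor/@WantAssertionsSigned is set in the SP metadata."""
    root = ET.fromstring(sp_metadata_xml)
    sp = root if root.tag == "{%s}SPSSODescriptor" % NS["md"] else root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor in SP metadata")
    return sp.get("WantAssertionsSigned", "false").strip().lower() in ("true", "1")


def decode_post_response(saml_response_form_value):
    """Decode the base64 SAMLResponse form field of the HTTP-POST binding."""
    return base64.b64decode(saml_response_form_value).decode("utf-8")


def _signature_covers(elem):
    """True if elem has a direct ds:Signature child whose ds:Reference points at
    elem itself (URI="#<ID>", or the empty URI meaning the enclosing document)."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        return False
    uri = ref.get("URI", "")
    return uri == "" or uri == "#" + elem.get("ID", "")


def signature_placement(response_xml):
    """Report which parts of a samlp:Response carry a signature of their own."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": _signature_covers(root),
        "assertions": len(assertions),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "assertions_signed": [_signature_covers(a) for a in assertions],
    }


def check_sso(sp_metadata_xml, response_xml, nosig_fatal=True):
    """Apply the metadata rule. Returns (accept, findings). nosig_fatal=False
    mimics the NOSIG_FATAL=0 workaround: report the problem but accept."""
    findings = []
    want = want_assertions_signed(sp_metadata_xml)
    p = signature_placement(response_xml)
    if p["encrypted_assertions"]:
        findings.append("EncryptedAssertion present: decrypt before checking its signature")
    if p["assertions"] == 0 and p["encrypted_assertions"] == 0:
        findings.append("no Assertion in Response")
        return False, findings
    for i, signed in enumerate(p["assertions_signed"]):
        if not signed:
            findings.append("assertion %d is not signed" % i)
    unsigned = any(not s for s in p["assertions_signed"])
    if want and unsigned:
        if p["response_signed"]:
            findings.append("only the Response envelope is signed; WantAssertionsSigned=true "
                            "requires a signature on the Assertion itself")
        return (not nosig_fatal), findings
    return True, findings


# Constructed sample inputs (not real PingFederate or ssocircle output).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/">
  <md:SPSSODescriptor WantAssertionsSigned="true" AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def _sig(ref_id):  # minimal enveloped-signature skeleton referencing ref_id
    return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
            '<ds:Reference URI="#%s"/></ds:SignedInfo><ds:SignatureValue>MA==</ds:SignatureValue>'
            '</ds:Signature>' % ref_id)


def _response(sign_response, sign_assertion):
    a7n = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a1" Version="2.0">'
           '<saml:Issuer>https://idp.example.com/</saml:Issuer>'
           + (_sig("a1") if sign_assertion else "") + '</saml:Assertion>')
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="r1" Version="2.0">'
            + (_sig("r1") if sign_response else "") + a7n + '</samlp:Response>')


RESPONSE_ONLY_SIGNED = base64.b64encode(_response(True, False).encode()).decode()  # the thread's case
ASSERTION_SIGNED = base64.b64encode(_response(False, True).encode()).decode()

if __name__ == "__main__":
    for name, form_value in (("response-only", RESPONSE_ONLY_SIGNED), ("assertion", ASSERTION_SIGNED)):
        ok, findings = check_sso(SP_METADATA, decode_post_response(form_value))
        print(name, "ACCEPT" if ok else "REJECT", findings)
```

Run against a captured SAMLResponse, the placement report tells you in one glance whether an IdP signed the Response, the Assertion, or both, which is the first thing to establish before suspecting certificate or CA configuration. Signature validity (canonicalization, digest, key lookup against the cot/ metadata) is a separate step that a real SP library performs after this structural check.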