Working with PingFederate (Was: Re: zxid and shared/distributed filesystems?)
Eric Rybski wrote:
> I'm having an issue getting digital signature validation
> working with a PingFederate IdP instance. The PF IdP metadata (cached in
> cot/) includes a certificate, the POST SAMLResponse contains a signature,
> and I have the IdP CA cert in my /var/zxid/pem/ca.pem. But I keep getting
> errors like:
> t zxidsso.c:559 zxid_sp_sso_finalize zx E SSO warn: assertion not signed.
> Sigval((null)) (nil)
Checked your attachments. The assertion really is not signed.
The SAML spec is unambiguous: if in metadata
SPSSODescriptor/@WantAssertionsSigned is true, then
the IdP MUST sign the Assertion.
I ship ZXID with WANT_SSO_A7N_SIGNED=1, so unless you have changed
this setting, it would appear that PingFederate is not honouring
this part of the metadata.
Please check this.
> I've currently worked around this by setting "NOSIG_FATAL=0" in the
> zxid.conf, but this isn't a long-term solution.
> Overall, other than the above mentioned issues, the library is
> working OK so far with a PingFederate IdP and perfectly with
I once had a thread about shipping the ssocircle IdP metadata
with ZXID, but somehow it never happened. Can you share
the ssocircle metadata with me (or the list)?
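The point of the reply above is that the signature can sit on the samlp:Response without the saml:Assertion itself being signed, and that an SP whose metadata says WantAssertionsSigned="true" is entitled to reject such a message. The script below is an added example for this page, not ZXID or PingFederate code: it parses SP metadata and a POSTed Response and reports where the ds:Signature elements actually are, which is the first thing to look at before touching NOSIG_FATAL. The metadata, the two Response messages and the function names are constructed for illustration; the script only locates signatures and does not verify them cryptographically.

```python
"""Locate ds:Signature elements in a SAML 2.0 Response and compare against
the SP's WantAssertionsSigned metadata flag.

Added example for this mailing-list page; not part of ZXID or PingFederate.
All XML below is constructed. The check mirrors the thread: a signature on
the Response element does not make the Assertion signed. For untrusted
input, parse with defusedxml instead of xml.etree to avoid entity-expansion
attacks; xml.etree is used here so the example runs with the stdlib only.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed SP metadata: assertions must be signed, matching ZXID's shipped
# default WANT_SSO_A7N_SIGNED=1 mentioned in the thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed Response where only the Response element carries a signature.
# SignatureValue content is a placeholder; this is about location, not validity.
RESPONSE_SIGNED_ONLY = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

# Constructed Response where the Assertion itself is signed.
ASSERTION_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def sp_wants_signed_assertions(metadata_xml: str) -> bool:
    """True if SPSSODescriptor/@WantAssertionsSigned is an xs:boolean true."""
    root = ET.fromstring(metadata_xml)
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        return False
    return spsso.get("WantAssertionsSigned", "false").strip().lower() in ("true", "1")


def signature_locations(response_xml: str) -> dict:
    """Report whether the Response and each Assertion has a *direct* ds:Signature child.

    find() with a single step only matches direct children, so a signature
    inside the Assertion is not mistaken for a Response-level one or vice versa.
    """
    root = ET.fromstring(response_xml)
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response": response_signed,
        "assertions": [a.find("ds:Signature", NS) is not None for a in assertions],
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
    }


def check(metadata_xml: str, response_xml: str) -> str:
    """Classify the message the way an SP honouring its own metadata would."""
    want = sp_wants_signed_assertions(metadata_xml)
    loc = signature_locations(response_xml)
    if loc["encrypted"]:
        return "skip: EncryptedAssertion present, decrypt before checking"
    if not loc["assertions"]:
        return "error: no Assertion in Response"
    if all(loc["assertions"]):
        return "ok: assertion signed"
    if want:
        where = " (only the Response is signed)" if loc["response"] else " (nothing is signed)"
        return "error: SP metadata sets WantAssertionsSigned but assertion not signed" + where
    return "warn: assertion not signed, but SP metadata did not require it"


if __name__ == "__main__":
    print(check(SP_METADATA, RESPONSE_SIGNED_ONLY))
    print(check(SP_METADATA, ASSERTION_SIGNED))
```

Run against a real PingFederate Response (base64-decoded from the SAMLResponse POST field) and the SP metadata PingFederate imported: if the result is the "only the Response is signed" case, the fix belongs on the IdP side (enable assertion signing for that SP connection), not in zxid.conf.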