Security requirements error when testing with samltest.id

Created on 27 April 2021
Updated 7 June 2023

Hello,

I set up this module to test with samltest.id. However, I got an error when connecting using the samltest IdP:

The request cannot be fulfilled because the message received does not meet the security requirements of the login service.

Here is the log from the IdP:

2021-04-27 13:01:06,736 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:?] - Decoded RelayState: /en
2021-04-27 13:01:06,736 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:?] - Base64 decoding and inflating SAML message
2021-04-27 13:01:06,736 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:?] - Decoded SAML message
2021-04-27 13:01:06,736 - DEBUG [PROTOCOL_MESSAGE:?] - 
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://redacted.com/en/saml/consume"
    Destination="https://samltest.id/idp/profile/SAML2/Redirect/SSO"
    ID="ONELOGIN_88f7e8f6094554b356bc6e43275d6f1b102f68c5"
    IssueInstant="2021-04-27T13:00:59Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="REDACTED" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer>https://redacted.com/en/user</saml:Issuer>
    <samlp:NameIDPolicy
        AllowCreate="true"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</saml:AuthnContextClassRef>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
        <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

2021-04-27 13:01:06,744 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver:?] - Metadata Resolver LocalDynamicMetadataResolver SAMLtestFolder: Successfully loaded new EntityDescriptor with entityID 'https://redacted.com/en/user' from origin source
2021-04-27 13:01:06,744 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:?] - Resolved 1 source EntityDescriptors
2021-04-27 13:01:06,744 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:?] - Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering
2021-04-27 13:01:06,744 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:?] - Attempting to filter candidate RoleDescriptors via resolved Predicates
2021-04-27 13:01:06,744 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:?] - After predicate filtering 1 RoleDescriptors remain
2021-04-27 13:01:06,744 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:?] - Message Handler:  org.opensaml.saml.common.messaging.context.SAMLMetadataContext added to MessageContext as child of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext
2021-04-27 13:01:06,744 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:?] - Message Handler:  Selecting default AttributeConsumingService, if any
2021-04-27 13:01:06,744 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:?] - Message Handler:  No AttributeConsumingService selected
2021-04-27 13:01:06,744 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:?] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://redacted.com/en/user
2021-04-27 13:01:06,745 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:?] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2021-04-27 13:01:06,745 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler:  Checking SAML message intended destination endpoint against receiver endpoint
2021-04-27 13:01:06,745 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler:  Intended message destination endpoint: https://samltest.id/idp/profile/SAML2/Redirect/SSO
2021-04-27 13:01:06,745 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler:  Actual message receiver endpoint: https://samltest.id/idp/profile/SAML2/Redirect/SSO
2021-04-27 13:01:06,745 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?] - Message Handler:  SAML message intended destination endpoint matched recipient endpoint
2021-04-27 13:01:06,745 - DEBUG [org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler:?] - Message Handler:  Evaluating message replay for message ID 'ONELOGIN_88f7e8f6094554b356bc6e43275d6f1b102f68c5', issue instant '2021-04-27T13:00:59.000Z', entityID 'https://redacted.com/en/user'
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler:?] - Message Handler:  SAML protocol message was not signed, skipping XML signature processing
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:?] - Message Handler:  Evaluating simple signature rule of type: org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler:?] - Constructing signed content string from URL query string SAMLRequest=vVRNj9owFLzvr0C5ky8IHxZEomHbolJAJLuqeqmM/dK1lNip7QD993UcdkHVLntpySXK85t5nvE4E4XLokKzWj/xLfyqQem7jnmOZcEVsotTp5YcCayYQhyXoJAmKJ19XaLQ9VElhRZEFM5fsOsorBRIzQRvYYv51Fmv7pfrT4vVj9EoH8IoH/jjfhT1d71osCMD6PfCYUQHebAL/DAfjEjUQh9BKsMzdQxtW9lIsWcU5MpMnToPq/s0WZ/GKFXDgiuNuTYAPwy6fr8bDrOgh3wfRePvbd/cuMA41pb3SetKIc9rRGmz4DLqMVp5RnjOCvAaTaG3BcokEO2l6fplG9aYD4xTxn9e92PXNin0Ocs23c06zVqS2bNPieCqLkGmIPeMwMN2ed5ZzUER0aVjl8LeFQfl5tIDbnfskRboxJZv0tSQ9UHG7%2BFrM3viXSLOHBVq7F3MN6Jg5LetN89HIUus39YauIGtMNrNbSuCErNiRqkEpZwXnllRiEMiAWtzhFrW4HS8%2BGL4KapAbXCNORqOupOIssKSqebY4IiJPqk%2BK79sTwqTwi3k8dWgEkSaPlPemNdBSHqy5FWq/zCuyZEJFtBMYq4qIfWNNpAt06RgwG8171vkj//FqBzM5beXF2HTYwQw0n4ezC0z8b6Rni8gdyDF%2B%2BPahjdCHd89L1/%2Bo%2BM/&RelayState=/en&SigAlg=http%3A//www.w3.org/2001/04/xmldsig-more%23rsa-sha256&Signature=QYttu3unNplqE8%2BDQlKmmODTC2o%2B9L7WbaYjstcnm%2Bxfq7qPKlVqAh0dxoa4GnDUFW6fDMX42fxavvDYeN5Z%2B21upvSK9QwFHunZA1o31C22iHNCIkh/3/%2Bz0AnEMJ8sBC1rXMGDfNmQsj%2BLqNo797sDJkNH27fnxUnzDsaXq9kkeHb8CGQfuMKVP3/yAWxi464xeS3kp1TXuPr4k9RM%2BOZ/fx/2Am0VPpgZnD7TxXFS5Oo/U%2By2qHemp0yGPp2pneVuVuYyuEGBljV0fuBka/TghpLo3CVgaIkAMGjxZWhHpvmzuRa/qehe1hDLy%2BdR8BsCOM7ltqU9SA/36WZ9yQ%3D%3D
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler:?] - Constructed signed content string for HTTP-Redirect DEFLATE SAMLRequest=vVRNj9owFLzvr0C5ky8IHxZEomHbolJAJLuqeqmM/dK1lNip7QD993UcdkHVLntpySXK85t5nvE4E4XLokKzWj/xLfyqQem7jnmOZcEVsotTp5YcCayYQhyXoJAmKJ19XaLQ9VElhRZEFM5fsOsorBRIzQRvYYv51Fmv7pfrT4vVj9EoH8IoH/jjfhT1d71osCMD6PfCYUQHebAL/DAfjEjUQh9BKsMzdQxtW9lIsWcU5MpMnToPq/s0WZ/GKFXDgiuNuTYAPwy6fr8bDrOgh3wfRePvbd/cuMA41pb3SetKIc9rRGmz4DLqMVp5RnjOCvAaTaG3BcokEO2l6fplG9aYD4xTxn9e92PXNin0Ocs23c06zVqS2bNPieCqLkGmIPeMwMN2ed5ZzUER0aVjl8LeFQfl5tIDbnfskRboxJZv0tSQ9UHG7%2BFrM3viXSLOHBVq7F3MN6Jg5LetN89HIUus39YauIGtMNrNbSuCErNiRqkEpZwXnllRiEMiAWtzhFrW4HS8%2BGL4KapAbXCNORqOupOIssKSqebY4IiJPqk%2BK79sTwqTwi3k8dWgEkSaPlPemNdBSHqy5FWq/zCuyZEJFtBMYq4qIfWNNpAt06RgwG8171vkj//FqBzM5beXF2HTYwQw0n4ezC0z8b6Rni8gdyDF%2B%2BPahjdCHd89L1/%2Bo%2BM/&RelayState=/en&SigAlg=http%3A//www.w3.org/2001/04/xmldsig-more%23rsa-sha256
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:?] - Message Handler:  Attempting to validate SAML protocol message simple signature using context entityID: https://redacted.com/en/user
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:?] - Resolving credentials from metadata using entityID: https://redacted.com/en/user, role: {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor, protocol: urn:oasis:names:tc:SAML:2.0:protocol, usage: SIGNING
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:?] - Retrieving role descriptor metadata for entity 'https://redacted.com/en/user' in role '{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor' for protocol 'urn:oasis:names:tc:SAML:2.0:protocol'
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:?] - Resolved 1 source EntityDescriptors
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:?] - Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:?] - Attempting to filter candidate RoleDescriptors via resolved Predicates
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:?] - After predicate filtering 1 RoleDescriptors remain
2021-04-27 13:01:06,746 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:?] - Found no cached credentials in KeyDescriptor object metadata, resolving from KeyInfo
2021-04-27 13:01:06,747 - WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:?] - Message Handler:  Simple signature validation (with no request-derived credentials) failed
2021-04-27 13:01:06,747 - WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:?] - Message Handler:  Validation of request simple signature failed for context issuer: https://redacted.com/en/user
2021-04-27 13:01:06,747 - WARN [org.opensaml.profile.action.impl.LogEvent:?] - A non-proceed event occurred while processing the request: MessageAuthenticationError
2021-04-27 13:01:06,747 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:?] - No SAMLBindingContext or binding URI available, error must be handled locally

I think the main log entry is:

Message Handler: Validation of request simple signature failed for context issuer

Any ideas? Is it a problem with samltest.id (https://samltest.id/)?
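The IdP log above shows the two things Shibboleth does with an HTTP-Redirect request: it base64-decodes and inflates the SAMLRequest value, then rebuilds the "signed content string" (SAMLRequest, RelayState, SigAlg, in that order and in the URL-encoded form it actually received) and checks the Signature parameter against the SP signing key it resolved from the SP's metadata. The following Python is an added example, not code from the samlauth module, from OneLogin's python-saml or from samltest.id; it needs the third-party `cryptography` package, and the AuthnRequest, RelayState and both RSA keys are constructed for the demonstration. The second verification reproduces the log's outcome (a well-formed signature that still fails) by checking against a key that is not the one the SP signed with, which is what happens when the IdP holds a different certificate for the SP than the SP is using.

```python
"""Added example (not the samlauth module's, OneLogin's or samltest.id's code).
Models the HTTP-Redirect binding steps visible in the IdP log: DEFLATE+base64
of the AuthnRequest, the signed content string, and RSA-SHA256 sign/verify
against the SP key the IdP holds in metadata. Requires `cryptography`."""
import base64
import zlib
from urllib.parse import quote, urlencode

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed AuthnRequest for the demo; the ID is a placeholder.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2021-04-27T13:00:59Z" '
    'Destination="https://samltest.id/idp/profile/SAML2/Redirect/SSO"/>'
)


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (no zlib header) + base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value: str) -> str:
    """What the IdP logged as 'Base64 decoding and inflating SAML message'."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def signed_content(saml_request_b64: str, relay_state, sig_alg: str) -> str:
    """Build the string the signature covers.

    The order SAMLRequest, RelayState (only if present), SigAlg is fixed by the
    bindings spec. The IdP verifies over the URL-encoded bytes it received, so
    the SP must sign exactly what it puts in the query string ('/' is left
    unencoded here, matching the string in the log).
    """
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return urlencode(parts, safe="/", quote_via=quote)


def sign_redirect(content: str, private_key) -> str:
    """SP side: RSA PKCS#1 v1.5 over SHA-256, base64 for the Signature parameter."""
    sig = private_key.sign(content.encode(), padding.PKCS1v15(), hashes.SHA256())
    return base64.b64encode(sig).decode()


def verify_redirect(content: str, signature_b64: str, public_key) -> bool:
    """IdP side: check the Signature parameter with the key from SP metadata."""
    try:
        public_key.verify(base64.b64decode(signature_b64), content.encode(),
                          padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def demo() -> dict:
    """Sign once; verify with the SP's real key and with a different key, the
    latter standing in for a certificate the IdP still holds in stale metadata."""
    sp_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    stale_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    content = signed_content(deflate_b64(AUTHN_REQUEST), "/en", SIG_ALG_RSA_SHA256)
    signature = sign_redirect(content, sp_key)
    return {
        "current_key": verify_redirect(content, signature, sp_key.public_key()),
        "stale_metadata_key": verify_redirect(content, signature, stale_key.public_key()),
    }


if __name__ == "__main__":
    print(demo())
```

The `stale_metadata_key` result is the shape of the log's "Simple signature validation (with no request-derived credentials) failed": the IdP never sees the SP's key in the request itself, only the certificate in the SP metadata it has cached, so if that certificate and the SP's actual signing key diverge, every request fails this check before the IdP looks at anything else.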

Support request
Status: Active
Version: 4.0
Component: Miscellaneous
Created by: jcisio (Paris, France)

Comments & Activities

  • jproctor (United States)

    I can’t replicate this error using version 4.2.1 on Drupal 9.5.9.

    In order for the login to succeed I did need to add a different cert for SAMLtest.id; I copied the IdP cert from https://samltest.id/download/#SAMLtest%E2%80%99s_IdP (the one that ends with i1iHTA==) and added it to the IdP config in addition to the one present in the metadata file, but it doesn’t seem like you got that far.

    The two obvious questions are whether you provided your metadata to SAMLtest.id (I would expect something more like “not configured for this service” if you hadn’t), and whether it had expired by the time you did the test. Even if the certificate is valid for years, the OneLogin library sets the SP’s metadata to expire in 2 days; if you saved it to a file and uploaded that (instead of providing a live URL) to SAMLtest.id, it would likely fail. There’s a new configuration option (as of version 4.2.1) which lets you specify a longer duration (or have it match the certificate).
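The metadata-expiry point in the comment above can be checked before uploading anything to samltest.id: SP metadata may carry a validUntil attribute, and an IdP is expected to stop trusting the descriptor once that instant has passed, however long the certificate inside it is good for. The script below is an added example, not part of the samlauth module, OneLogin's python-saml or samltest.id; the entityID, validUntil and certificate bytes in it are constructed. It reports how many hours a metadata file has left at a given instant and whether the certificate it lists for signing is the one the SP actually signs with (compared by SHA-256 fingerprint of the DER bytes), which are the two things that would explain the failed signature check in the log.

```python
"""Added example (not code from the samlauth module, OneLogin or samltest.id):
pre-upload check of SP metadata for expiry and for the listed signing cert.
Standard library only; the metadata and certificate bytes are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Not a real certificate: stands in for the DER bytes of the SP's signing cert.
DUMMY_CERT_B64 = base64.b64encode(b"constructed-dummy-certificate").decode()

# Constructed SP metadata with a validUntil two days after the log's request.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.com/saml"
    validUntil="2021-04-29T13:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{DUMMY_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_saml_datetime(value: str) -> datetime:
    """SAML dateTime values are UTC ('Z'), with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes; whitespace inside the PEM body is ignored."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def signing_fingerprints(xml_text: str) -> list:
    """Fingerprints of every certificate the SP metadata offers for signing.
    A KeyDescriptor without use= is valid for both signing and encryption."""
    root = ET.fromstring(xml_text)
    found = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            found.append(cert_fingerprint(cert.text))
    return found


def metadata_status(xml_text: str, now_iso: str) -> dict:
    """Expiry status of the descriptor at the instant `now_iso` (SAML format)."""
    root = ET.fromstring(xml_text)
    now = parse_saml_datetime(now_iso)
    status = {"entity_id": root.get("entityID"), "valid_until": root.get("validUntil")}
    if status["valid_until"] is None:
        status["expired"] = False  # no validUntil: the file itself never expires
        status["hours_left"] = None
    else:
        valid_until = parse_saml_datetime(status["valid_until"])
        status["expired"] = now >= valid_until
        status["hours_left"] = round((valid_until - now).total_seconds() / 3600, 2)
    status["signing_cert_fingerprints"] = signing_fingerprints(xml_text)
    return status


def signing_key_matches(xml_text: str, sp_cert_b64: str) -> bool:
    """True when the certificate the SP signs with is listed for signing."""
    return cert_fingerprint(sp_cert_b64) in signing_fingerprints(xml_text)


if __name__ == "__main__":
    # Instant taken from the timestamp of the log lines above.
    print(metadata_status(SAMPLE_METADATA, "2021-04-27T13:01:06.747Z"))
    print(signing_key_matches(SAMPLE_METADATA, DUMMY_CERT_B64))
```

Run it against the real metadata file with the current time and the certificate configured in the module: a negative `hours_left` means a saved file has already expired and must be regenerated (or, as the comment notes, served from a live URL or generated with a longer duration), and `False` from `signing_key_matches` means the IdP is verifying against a different certificate than the one signing the requests.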
