# cfml-general
e
Not directly CFML related (apologies), but my head is starting to hurt over this. Anyone very familiar with SSO using Shibboleth (Windows + IIS) as the SP and Azure/Entra as the IdP? I've set up a handful of these, but the latest client is giving me a headache. SHB correctly routes to AZ, login is OK, SHB receives the response but throws an error (more details in thread):
```
Message was signed, but signature could not be verified.
```
The SHB detailed log spits out the following:
```
OpenSAML.SecurityPolicyRule.XMLSigning [1] [default]: validating signature profile
XMLTooling.CredentialCriteria [1] [default]: keys didn't match
XMLTooling.CredentialCriteria [1] [default]: keys didn't match
XMLTooling.CredentialCriteria [1] [default]: keys didn't match
XMLTooling.CredentialCriteria [1] [default]: keys didn't match
XMLTooling.CredentialCriteria [1] [default]: keys didn't match
XMLTooling.CredentialCriteria [1] [default]: keys didn't match
XMLTooling.TrustEngine.ExplicitKey [1] [default]: unable to validate signature, no credentials available from peer
XMLTooling.TrustEngine.PKIX [1] [default]: validating signature using certificate from within the signature
XMLTooling.TrustEngine.PKIX [1] [default]: signature verified with key inside signature, attempting certificate validation...
XMLTooling.TrustEngine.PKIX [1] [default]: checking that the certificate name is acceptable
XMLTooling.TrustEngine.PKIX [1] [default]: adding to list of trusted names (<https://sts.windows.net/0c6009c7-3cb9-4fcb-9a5a-5cc6ae9054b2/>)
XMLTooling.TrustEngine.PKIX [1] [default]: certificate subject: CN=Microsoft Azure Federated SSO Certificate
XMLTooling.TrustEngine.PKIX [1] [default]: unable to match DN, trying TLS subjectAltName match
XMLTooling.TrustEngine.PKIX [1] [default]: unable to match subjectAltName, trying TLS CN match
XMLTooling.TrustEngine.PKIX [1] [default]: certificate name was not acceptable
OpenSAML.SecurityPolicyRule.XMLSigning [1] [default]: unable to verify message signature with supplied trust engine
Shibboleth.SSO.SAML2 [1] [default]: detected a problem with assertion: Message was signed, but signature could not be verified.
Shibboleth.SSO.SAML2 [1] [default]: error processing incoming assertion: Message was signed, but signature could not be verified.
```
I'm 99% confident that my SHB setup is the same as other clients that are working with AZ, so I think it's the client setup in Entra, but I'm not familiar with that side at all, so it's going to be a bear with this client to try and work through what might be wrong on their setup (assuming it is).
Any tips appreciated; I spent 8 hours on this yesterday and pretty much got nowhere.
p
Using the same signing certs in both places? Sounds like that is the problem there.
Also SSO settings: are they using the correct signing alg?
m
Do you have a shared certificate on the Entra App Registration? It may require a shared certificate to use for signing.
I have experience with both I am happy to help! Just let me know 😃
e
So part of the trick is I have no visibility into the Entra side; that is handled by the customer IT contact, so I have to ask him all this stuff, and I'm not sure how knowledgeable he really is about SSO. Quick question: in the SAML response I get from AZ, should the <X509Certificate> string exactly match the <X509Certificate> from the AZ federation-metadata.xml?
Thank you BTW!
(And I'm not super experienced with certs myself.)
e
Yes? In my shib2.xml config it's the MetadataProvider.
m
I would remove your tenant ID from that link, FYI 😃.
But yes, I would presume that should match. I am doing some research for you right now. I will update you shortly
e
Thanks, it's been a long night 😉
e
OMG, met with the client. Even though I pointed out several times that I thought their fed metadata link needed an ?appId= value at the end, they said it was fine. Well, that was the problem.
m
Ha, well that is awesome! Glad you figured it out!
e
So SHB was getting the wrong metadata and thus the wrong cert.
Thank you for the help! It's good to just write it out sometimes!
I'll be making lots of notes about this for future implementations ....
m
If you ever need any assistance with Entra or Shibboleth feel free to reach out to me direct! I work with both daily 😃 mbh@media3.net
e
Thanks! I will definitely make note of that. I'm no SSO expert, so I kind of just stumble through the setup, but something like this wastes a ton of my time to troubleshoot.