We recently upgraded the IdP forge component from version 5.0.1 to 5.0.14, including the dependencies like CryptoAPI. We have both traditional, reactive and mobile OS11 applications.
In our development environment (DEV) the upgrade was successful without any reconfiguration needed.
After publishing the changed components to our test (TEST) environment, users were no longer able to log in.
The error returned in TEST was "Not valid response: Not_Valid_Signature". This points towards the certificate (as I have read in earlier support calls). However, when we roll back the upgrade by publishing the previous versions, everything works again.
A summary of the most important differences I noticed between the configuration in DEV and TEST:
- On our DEV environment the upgrade was successful without reconfiguration
- DEV: Entity Id = http://gsapps-o.xxx.nl/IdP
- DEV: Server Public URL = https://gsapps-o.xxx.nl
- DEV: Server internal URL = https://gsapps-o.xxx.nl
- On our test environment we could not login after upgrade.
- TEST: Entity Id = http://apps-t.xxx.nl/IdP (note there is no GS in the name)
- TEST: Server Public URL = https://apps-t.xxx.nl:1443 (note the port and there is no GS in the name)
- TEST: Server internal URL = https://gsapps-t.xxx.nl (note the GS in the name and no port). The "Test it" button validation is successful.
Before we try the reconfiguration of the certificate we would like to understand what could cause this behavior. Were there any (breaking) changes that could cause the signature to be marked as invalid? And why did this only happen in TEST and not in DEV?
Kind regards,
Arthur Haine
I have some additional information:
We tried upgrading in smaller steps (so not from 5.0.1 to 5.0.14 but by version).
Version 5.0.8 is the latest version that still works in our TEST environment.
Version 5.0.10 (I see 5.0.9 was discontinued) gives us the following error:
Message: AADSTS750032: SAML protocol response cannot be sent via bindings other than HTTP POST. Requested binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Versions after 5.0.10 up to 5.0.14 all give the aforementioned error: Not_Valid_Signature.
When I am in the SAML log, I can see the responses that failed. Using the magnifier icon I can then test the SAML response.
What further surprises us is the following:
When I do this for a failed response and my IdP version is NOT working (5.0.10+), the screen shows a red X after "valid signature".
When I do this for a failed response and my IdP version IS working (5.0.1 - 5.0.8), the screen shows a green check after "valid signature".
This gives me the idea that the response is not different, but that something changed in the way the response is validated (for the signature).
I hope someone can point me in the right direction.
Not sure if this is your case, however it is worth mentioning, as it solved a similar error we had: the new version of SAML_Utils\SAML_CreateAuthnRequest seems to have two more parameters than the old one: IsPostBinding and ForceAuthn.
IsPostBinding: flag used to add the corresponding binding. It will use redirect if the value is false. Default value is FALSE! Try setting it to TRUE.
I hope it helps.
Mihai Cotar
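To illustrate the point Mihai makes, here is an added example (written for this thread, not the IdP Forge component's own code or OutSystems' SAML_Utils) of what an IsPostBinding-style flag changes in an AuthnRequest. The ProtocolBinding attribute of the request tells the IdP which binding it must use for the Response; if the flag is left at its default (false) the request asks for HTTP-Redirect, which is exactly what the AADSTS750032 message above reports as the requested binding. The function names, URLs and entity IDs below are assumptions chosen for the example; the two binding URNs are the standard SAML 2.0 values.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

# Standard SAML 2.0 binding identifiers (the second one appears in the AADSTS750032 error above).
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def create_authn_request(issuer, acs_url, idp_sso_url, is_post_binding=False,
                         force_authn=False, request_id=None, issue_instant=None):
    """Build a minimal SAML 2.0 AuthnRequest (hypothetical helper, modelled on the
    IsPostBinding / ForceAuthn flags described in the reply above)."""
    # The default mirrors the behaviour Mihai describes: False -> ask for HTTP-Redirect.
    binding = POST_BINDING if is_post_binding else REDIRECT_BINDING
    force = "true" if force_authn else "false"
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" ProtocolBinding="{binding}" '
        f'AssertionConsumerServiceURL="{acs_url}" ForceAuthn="{force}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def requested_binding(authn_request_xml):
    """Return the ProtocolBinding the request asks the IdP to use for its Response.
    Useful when inspecting a captured SAMLRequest to see which binding was requested."""
    return ET.fromstring(authn_request_xml).get("ProtocolBinding")


def encode_for_redirect(authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64; the result
    goes into the SAMLRequest query parameter (URL-encoding is left to the caller)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_param(samlrequest_param):
    """Inverse of encode_for_redirect, for reading a captured Redirect-binding request."""
    return zlib.decompress(base64.b64decode(samlrequest_param), -15).decode("utf-8")


def encode_for_post(authn_request_xml):
    """HTTP-POST binding: plain base64 of the XML, sent in a SAMLRequest form field."""
    return base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Constructed sample values; not the thread's real entity IDs or URLs.
    req = create_authn_request(
        issuer="http://apps-t.example.invalid/IdP",
        acs_url="https://apps-t.example.invalid:1443/IdP/SSO.aspx",
        idp_sso_url="https://idp.example.invalid/saml2",
        is_post_binding=True,
        force_authn=False,
    )
    print("requested binding:", requested_binding(req))
    print("SAMLRequest (POST form field):", encode_for_post(req)[:40], "...")
```

Running the block with is_post_binding left at its default prints the HTTP-Redirect URN as the requested binding; with is_post_binding=True it prints HTTP-POST, which is what an IdP that only returns responses over POST expects to see.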
Thanks Mihai!
We will give it a try.
Kind regards,
Arthur Haine