Error: Invalid signature #560

Open
sameencse opened this issue Mar 27, 2024 · 5 comments

@sameencse

Hi,
Integrated mock-saml for 2 of our products. One is working fine, and for the other product,
when hitting the login URL page, it is showing
`Error: Invalid signature`

Could you please help me resolve this issue?
Note: In the server log, I can see it is generating the SP metadata file, which is fine, but afterwards no other errors.

@deepakprabhakara
Member

That error would typically mean there is a mismatch in either the certificate or the signature of the SAML request. Can you please check the SAML request generation on your side in the case of the 2nd product where it fails.

@sameencse
Author

sameencse commented Apr 1, 2024

Hi, thanks for your prompt response.
Tried all the options but no luck.
FYI, the same product was working fine with Test Shib and samltest.id but is not working with this Mock SAML.
Now I tried with the JumpCloud trial version, and it is working fine.
I suspect there is an issue with Mock SAML (there is even no way to see the console log).

@deepakprabhakara
Member

@sameencse If you can provide us with the SAML request, we can investigate.

@sameencse
Author

sameencse commented Apr 1, 2024

@deepakprabhakara Please see the information below.

```
POST https://mocksaml.com/api/saml/sso HTTP/1.1
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: app url
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: http app ulr
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en,en-US;q=0.9,en-IN;q=0.8

HTTP/1.1 500 Internal Server Error
ETag: "oy2c1p0p68o"
Content-Length: 24
Date: Mon, 01 Apr 2024 14:20:55 GMT
Connection: keep-alive
Keep-Alive: timeout=5

POST
RelayState: http://app_url/callback?client_name=SAML2Client
SAMLRequest: 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
```

SAML:

```xml
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="app_acs_url"
                     Destination="https://mocksaml.com/api/saml/sso"
                     ForceAuthn="false"
                     ID="_de45240e892f4a26bd235f07cb98ef310891b31"
                     IsPassive="false"
                     IssueInstant="2024-04-01T14:20:52.911Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                >app url</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_de45240e892f4a26bd235f07cb98ef310891b31">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>VGWzt5siefWldgMd4uDGShlMNfOVvZJaQfDBvo4XiQk=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
GTdHh+0cGzcoUol25FwFoqzvzdFwjJ+HDdn5NSH/OlvDSTgK9nngBQGBENPyUvvVW/QJrd/qcdhB
3VH/P/cFCY7zbTanc6z0TWNw4bzvSf8WqnK3+u2jKf2BEHSvZbrOSkM1IlC64hhZM/b79G+MlPQ+
K4cRREQT/+JWT7KvAmACUhNXA2MDkjGw5Lq4k06KubmqQTQ0+4NdiSFrQqCjbWsGs/TW05NDeSJG
PBkmpv4KMDKbgEugCvmBUQJ9AoCO22wiaEWoxcFjSDwfnuAFYlFZWTQoiC5Q/p2QT7b1+vh+ASU8
8KTjScC424/QL6/ZnLdF82DSVDiKhJ8ETWWnTw==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDdTCCAl2gAwIBAgIEL3+aeDANBgkqhkiG9w0BAQsFADBrMRAwDgYDVQQGEwdVbmtub3duMRAw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</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</saml2p:AuthnRequest>
```

@deepakprabhakara
Member

The digest values don't match when comparing the signature. Would it be possible to give us more information on how you are constructing and signing the SAML request?
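
The Reference digest comparison mentioned in the comment above, as an added example (not code from mock-saml or from either participant): it recomputes the digest of a signed AuthnRequest and shows which post-signing changes break it. Assumptions: the request, IDs and URLs are constructed, and Python's standard-library C14N 2.0 stands in for the `xml-exc-c14n` transform the posted request declares.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed AuthnRequest (not the one posted in this issue); IDs and URLs are made up.
TEMPLATE = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" Destination="https://idp.example/sso">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example</saml2:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:Reference URI="#_constructed1"><ds:DigestValue>{digest}</ds:DigestValue>'
    '</ds:Reference></ds:SignedInfo></ds:Signature></saml2p:AuthnRequest>'
)

def reference_digest(xml_text):
    """SHA-256 over the canonical request with ds:Signature dropped (enveloped transform)."""
    # Stand-in canonicalization: stdlib C14N 2.0, not exc-c14n 1.0.
    canonical = ET.canonicalize(xml_text, exclude_tags={f"{{{DS}}}Signature"})
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode()

def check_reference(xml_text):
    """Return (uri_targets_root, digest_matches) for the first ds:Reference."""
    root = ET.fromstring(xml_text)
    ref = root.find(f".//{{{DS}}}Reference")
    declared = "".join(ref.find(f"{{{DS}}}DigestValue").text.split())
    uri_ok = ref.get("URI") == "#" + root.get("ID", "")
    return uri_ok, declared == reference_digest(xml_text)

def build_signed_sample():
    # The digest ignores ds:Signature, so it can be computed before DigestValue is filled in.
    return TEMPLATE.format(digest=reference_digest(TEMPLATE.format(digest="")))

if __name__ == "__main__":
    signed = build_signed_sample()
    cases = {
        "as signed": signed,
        # Canonicalization sorts attributes, so reordering them is harmless.
        "attributes reordered": signed.replace(
            'ID="_constructed1" Version="2.0"', 'Version="2.0" ID="_constructed1"'),
        # Whitespace between elements is signed content: pretty-printing breaks the digest.
        "re-indented after signing": signed.replace("><saml2:Issuer", ">\n  <saml2:Issuer"),
        "Destination rewritten": signed.replace("idp.example/sso", "idp.example/login"),
    }
    for name, xml_text in cases.items():
        print(f"{name:28} uri_ok, digest_ok = {check_reference(xml_text)}")
```

A matching digest only shows the referenced element is unchanged; a full check also verifies `SignatureValue` over `SignedInfo` with the expected certificate, using a library that implements `xml-exc-c14n`.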
