SAML Validation

Hi all, we are facing an issue during the SAML validation. We are getting the following error:

{"fault":{"faultstring":"ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Error during signature validation","detail":{"errorcode":"steps.saml.ERROR_VALIDATING_SIGNATURE"}}}

I have attached the API Proxy that we are using; inside there is a JavaScript policy that contains the SAML Assertion (embedded in the code just to speed up the test).

Can someone who had the same error suggest how to proceed?

Thank you

Cosimo

@Cosimo, can you give us an example call? Looks like at least the assertion needs to be provided in the call.

Can you share the cert you use for validation?

Hi @Cosimo, I wanted to make sure that, since you are trying to validate an assertion (leveraging Apigee as the SAML SP), you have uploaded the cert to the trust store? Here is a good writeup of how to do that.

Hi Prithpal, thanks for your suggestion. I am actually trying to use WSO2 as IDS, so I have a SAML assertion generated there and I want to validate it in Apigee with an API Proxy.

Yes, I meant leveraging Apigee as the SP (Service Provider). Let me know if you are able to get further along after uploading the cert.

Hi, actually we have to use WSO2 as the identity provider, and we uploaded the certificate of our WSO2 IDS.

The problem now is that during validation of the SAML Assertion we receive on our API Proxy trace flow the error

{"fault":{"faultstring":"ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Error during signature validation","detail":{"errorcode":"steps.saml.ERROR_VALIDATING_SIGNATURE"}}}.

The cert follows.

Certificate entry (field names not preserved):
Fri, 28 Feb 2025 00:59:59 CET
CN=mlv_ca.ams.accenture.com, OU=mlv_ca.ams.accenture, O=mlv_ca.ams, L=Rome, ST=IT, C=IT
CN=mlv1.ams.accenture.com, OU=mlv1.ams.accenture, O=mlv1.ams, L=Rome, ST=IT, C=IT
Yes
Tue, 03 Mar 2015 01:00:00 CET
3
dcppTruststore

Please let me know any suggestion.

Thank you

Cosimo

Hi @Cosimo, can you test your proxy with a SAML assertion that is sent as a form post? In your sample you are populating the request.body variable directly in a JavaScript policy. Maybe use something like Postman to test it out.

Also review the SAML Assertion policy to make sure you specify the XPath (inside the source) correctly. It would be great if you could upload any trace tool screenshots.

Hi @Prithpal Bhogill,

please see attached the SAML Assertion and the API Proxy configured for receiving the SAML Assertion as input in a POST request. We get the same error. Please let me know your thoughts; I appreciate your feedback. Cosimo

@Prithpal Bhogill any suggestion? Thanks

Hi everyone, I am also facing a similar issue. I have a trust store configured which has a list of Telstra chain certs like this.

Keystore vhost_truststore_client

Truststore Telstra_CA_Chain.p7b

Telstra AD Object CA1

Telstra Policy CA1

Telstra Root CA

(attachments: trace.txt, samlassertion.txt)

But I am still getting the ERROR_VALIDATING_SIGNATURE. I want to know how this validation works. Do I need to have the particular X509 cert configured in my trust store as well? Or will only the Telstra root cert chain suffice?

I am attaching the Apigee trace log and SAML assertion here for my request.

Any resolution found on this?

Has anyone found a solution to this? Please explain.

I am also stuck with this issue. In my case, I had to create a Java callout policy to decode the base64 SAML and then pass it on to the SAML Validation policy. Even though the certificate in the truststore matches the one that is sent in the Assertion, I am still getting "Digital Signature Validation Failed".
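
A local diagnostic for the ERROR_VALIDATING_SIGNATURE case raised in this thread (an added example, not Apigee's policy code or any poster's callout). It takes the decoded assertion XML and an exported truststore file and reports which step fails: unresolvable Reference ID, no KeyInfo certificate, signing certificate absent from the truststore, a bad SignatureValue, or a digest mismatch on the referenced element. The class name, the PKCS12 truststore format and the trust criterion used here (the exact signing certificate must be present in the truststore) are assumptions, not something this thread establishes.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
/** Hypothetical diagnostic: reports WHY a signed SAML 2.0 assertion fails signature validation. */
public class SamlSignatureDiagnostic {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    /** Returns "OK" or a short failure class. assertionXml is the decoded (not base64) XML. */
    public static String diagnose(byte[] assertionXml, String truststorePath, char[] pw) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // without this ds:/saml: elements are not found by namespace
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // no DTD/XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(assertionXml));
        // DOM does not know saml:Assertion/@ID is an ID attribute; without this the Reference
        // URI="#_..." cannot be resolved and validation fails before any cryptography runs.
        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        for (int i = 0; i < assertions.getLength(); i++)
            ((Element) assertions.item(i)).setIdAttribute("ID", true);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) return "NO_SIGNATURE";
        NodeList certs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "X509Certificate");
        if (certs.getLength() == 0) return "NO_KEYINFO_CERT";
        byte[] der = Base64.getMimeDecoder().decode(certs.item(0).getTextContent());
        X509Certificate signer = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
        // Trust criterion assumed here: the exact signing certificate (compared by DER bytes, not
        // by subject name) must be in the truststore; a root/intermediate chain alone does not pass.
        KeyStore ts = KeyStore.getInstance("PKCS12");  // assumption; use "JKS" for a .jks file
        ts.load(new FileInputStream(truststorePath), pw);
        boolean trusted = false;
        for (String alias : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(alias);
            if (c != null && c.equals(signer)) trusted = true;
        }
        if (!trusted) return "SIGNER_NOT_IN_TRUSTSTORE: " + signer.getSubjectX500Principal();
        // Validate with the embedded certificate's key, then isolate which part failed.
        DOMValidateContext ctx = new DOMValidateContext(signer.getPublicKey(), sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (sig.validate(ctx)) return "OK";
        if (!sig.getSignatureValue().validate(ctx)) return "SIGNATURE_VALUE_MISMATCH";  // wrong key / edited SignedInfo
        for (Object o : sig.getSignedInfo().getReferences())  // Object: raw List on Java 8
            if (!((Reference) o).validate(ctx)) return "REFERENCE_DIGEST_MISMATCH: " + ((Reference) o).getURI();
        return "UNKNOWN";
    }
}
```

Recent JDKs run XML signature validation in secure mode and reject SHA-1 signature methods and short RSA keys; that surfaces as an exception rather than one of the strings above, so check the assertion's SignatureMethod if you see one.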

Ask a new question, please.

Ask a new question, please. You are posting this question as an "Answer".