
SAML assertion was not signed properly with any of the certificates provided in the IdP metadata

Damien_Villaret
Support

When trying to authenticate with SAML, Error 400 Bad request is displayed in the browser.
In the Qlik Sense Proxy logs (Trace/Audit_proxy), the following WARN message is logged: SAML assertion was not signed properly with any of the certificates provided in the IdP metadata

Looking at the SAML response and at the IdP metadata, we can, however, see that the same certificate is used for signing.


Environments:

  • Qlik Sense Enterprise 3.0 to versions prior to February 2020

Resolution:

This has been resolved in the February 2020 release.

Cause:

Caused by QLIK-89285.

Due to a known issue in the third-party library used to implement SAML in Qlik Sense (ComponentSpace v2.6.10.0), Qlik Sense cannot validate a SAML response whose ds:Reference transform list does not contain the exclusive canonicalization transform together with its InclusiveNamespaces child element:

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi" />
</ds:Transform>

Below is an example of a SignedInfo element that will NOT validate correctly in Qlik Sense, because its Transforms list carries only the enveloped-signature transform:

<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#_1e1ed6a7c84fb5787ff829b0ba7a23b4">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </ds:Transforms>

For the above to validate correctly, the exclusive canonicalization transform (with InclusiveNamespaces nested inside it) has to be added after the enveloped-signature transform:

<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#_1e1ed6a7c84fb5787ff829b0ba7a23b4">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi" />
      </ds:Transform>
    </ds:Transforms>

  • Most third-party SAML providers include this transform, so it should not be much of a concern if you use one of those SAML IdPs.
  • However, if you have built your own SAML IdP, you must be aware of this and generate the SAML Response with the transform in it.
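As an added pre-flight check for anyone building their own IdP (example code, not Qlik's or ComponentSpace's): this script parses a SignedInfo fragment and reports whether each ds:Reference carries both the enveloped-signature transform and the exclusive-c14n transform with an InclusiveNamespaces PrefixList, the shape the affected Qlik Sense versions validate. The SignedInfo samples are constructed from the article's fragments, and the check belongs on the IdP's output before it is signed, since altering SignedInfo after signing invalidates the signature.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def check_transforms(signed_info_xml: str) -> list:
    """Problems found in each ds:Reference's Transforms; [] means the shape the
    affected Qlik Sense versions validate (enveloped + exc-c14n with PrefixList)."""
    root = ET.fromstring(signed_info_xml)
    refs = list(root.iter(DS + "Reference"))
    if not refs:
        return ["no ds:Reference element found"]
    problems = []
    for ref in refs:
        transforms = {t.get("Algorithm"): t for t in ref.iter(DS + "Transform")}
        if ENVELOPED not in transforms:
            problems.append("missing enveloped-signature transform")
        exc = transforms.get(EXC_C14N)
        if exc is None:
            problems.append("missing exclusive-c14n transform (QLIK-89285)")
            continue
        # InclusiveNamespaces is a child of the exc-c14n Transform, in the exc-c14n namespace.
        incl = exc.find("{%s}InclusiveNamespaces" % EXC_C14N)
        if incl is None or not incl.get("PrefixList"):
            problems.append("exc-c14n transform lacks InclusiveNamespaces PrefixList")
    return problems

def signed_info(transforms_xml: str) -> str:
    """Constructed SignedInfo skeleton; DigestMethod/DigestValue omitted since the check ignores them."""
    return (
        '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
        '<ds:Reference URI="#_1e1ed6a7c84fb5787ff829b0ba7a23b4"><ds:Transforms>'
        + transforms_xml + "</ds:Transforms></ds:Reference></ds:SignedInfo>"
    )

# Constructed samples mirroring the article's failing and corrected fragments.
ENVELOPED_ONLY = signed_info(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>')
WITH_EXC_C14N = signed_info(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
    '<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/>'
    '</ds:Transform>')

if __name__ == "__main__":
    for name, xml in (("enveloped only", ENVELOPED_ONLY), ("with exc-c14n", WITH_EXC_C14N)):
        print(name, "->", check_transforms(xml) or "OK")
```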
Revision 4 of 4
Last update: 2021-02-23 04:09 AM