Our Products:   CompleteFTP  edtFTPnet/Free  edtFTPnet/PRO  edtFTPj/Free  edtFTPj/PRO
0 votes
505 views
in CompleteFTP by (240 points)
edited by

Attempting to set up Azure B2C as an Idp for SAML authentication.

Have tested and proven the Idp works with a SAML testing site.

Moved over to the client's live CompleteFTP (enterprise) and added the IDP. Copied the CompleteFTP SP metadata into the Idp setup.

Have tried various things but CompleteFTP always seems to log this error:

2019-07-04 17:15:38,356 WARN [Session.108176:Default Site:anonymous:123.234.231.213] Failed to process file '/Saml/Login': dk.nita.saml20.protocol.SamlException: dk.nita.saml20.protocol.SamlException: ErrorCode: urn:oasis:names:tc:SAML:2.0:status:Requester. Message: Invalid signature.. 

2019-07-04 17:15:38,356 WARN [Session.108176:Default Site:anonymous:123.234.231.213]    at dk.nita.saml20.protocol.AbstractEndpointHandler.HandleError(SamlHttpContext context, String errorMessage, Boolean overrideConfigSetting) 

etc.

A self-signed certificate is in use at the Idp while testing, so this has been added to the 'Local Machine/Trusted Root Certificate Authorities' and the 'Validate Certificates against the Windows Certificate Store' option has been ticked.

The SAML response looks like this

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_0965046b-1419-41c7-9a27-0d0827ee383e" InResponseTo="id285d7254a8bf4ed0b5f8b87c9455e344" Version="2.0" IssueInstant="2019-07-04T16:15:38.145175Z" Destination="http://THIS.COMPLETEFTP.SERVER/Saml/Login" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://MYAPP.b2clogin.com/tenant-name.onmicrosoft.com/B2C_1A_signup_signin</saml:Issuer>

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">

    <SignedInfo>

      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />

      <Reference URI="#_0965046b-1419-41c7-9a27-0d0827ee383e">

        <Transforms>

          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">

            <InclusiveNamespaces PrefixList="saml samlp xenc xs" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />

          </Transform>

        </Transforms>

        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />

        <DigestValue>DIGEST HERE</DigestValue>

      </Reference>

    </SignedInfo>

    <SignatureValue>CERTIFICATE HERE</SignatureValue>

    <KeyInfo>

      <X509Data>

        <X509Certificate>CERTIFICATE HERE</X509Certificate>

      </X509Data>

    </KeyInfo>

  </Signature>

  <samlp:Status>

    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />

    <samlp:StatusMessage>Invalid signature.</samlp:StatusMessage>

    <IsPolicySpecificError>false</IsPolicySpecificError>

  </samlp:Status>

</samlp:Response>

Edit: for clarity, the login flow isn't starting, this response comes immediately back from Azure B2C when CompleteFTP sends the request to it.

It seems to be saying that the signature part of that request can't be validated.

by (162k points)
Please open a support ticket at https://enterprisedt.com/help

This is a bit beyond the usual forum question.

Please log in or register to answer this question.

Categories

...