Invalid Signature While integrating passport-saml with OAM #835

Closed
bharatsahulw opened this issue Jan 5, 2023 · 7 comments

@bharatsahulw

Hi All,

Is there any way to integrate Node.js with passport-saml using the OAM metadata file instead of the ADFS metadata file? I am using the keys below from the metadata file in passport-saml.

const passport = require('passport');
const SamlStrategy = require('passport-saml').Strategy;

// The strategy name must be a string; the IdP values below are placeholders
// for what is copied out of the OAM metadata file.
passport.use('login', new SamlStrategy({
  path: "login_file_path",
  entryPoint: "Entry url from the metadata file or IDP/SP entry url",
  issuer: "my application url",
  cert: "x509:certificate from the metadata file",
  disableRequestedAuthnContext: true,
  authnContext: 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows'
}, function(user, done) {
  // `user` is the profile parsed from the assertion; only accept it if a NameID is present
  if (user && user.nameID) {
    done(null, user);
  } else {
    done(null, null);
  }
}));

I am getting an "Invalid signature" error.


srd90 commented Jan 5, 2023

You did not share any information about the version numbers of your SW stack, neither in discussion #834 nor in this particular issue (#835). The difference between the discussion item and this issue seems to be that in this issue you say that passport-saml reports an invalid signature (without any stack trace for extra information).

Most probably you used @node-saml/passport-saml >= 4.0.0, and if so your problem is most probably related to, or a duplicate of, these (if you are 100% sure you configured the correct IdP cert):

@bharatsahulw (Author) commented Jan 5, 2023

Thank you for your reply.

I am using the stack below:
"passport-saml": "^0.20.0",
Node version: 10

I am using the value highlighted in yellow as the cert key from the OAM metadata file.


srd90 commented Jan 5, 2023

^0.20.0 ... unbelievable.

All versions of passport-saml prior to 4.0.0 are deprecated.

There has been a huge number of security fixes over the years since 0.20.0 (e.g. for dependencies like xmldom and for passport-saml itself). Some of those are critical.

I presume that Node 10 is also EOL'd.


srd90 commented Jan 5, 2023

@bharatsahulw one more thing: you had masked the entityID in the picture you attached to the previous message.

That picture also contains the IdP certificate, which most probably has some information about the IdP as well (maybe a domain name etc.). So one could run that picture through OCR and examine the content of the certificate with any tool that is capable of transforming it into a human-readable format.

If you considered the entityID worth masking, consider masking the certificate in that picture as well. Note: GitHub remembers edits if you do not explicitly delete old versions.

@bharatsahulw (Author)

Thanks for your concern. I am already in the process of upgrading the packages and the Node version.

However, I was facing the issue with the current stack. Will it get resolved after upgrading the package?


srd90 commented Jan 5, 2023

Will it get resolved after upgrading the package ?

I do not know. You'll find out sooner or later. At least after the upgrade you are using version(s) which are somewhat supported. I am quite sure that no one would invest their free time to investigate 0.20.0.

fwiw: if you click the small arrow next to the "edited" text at the header of this comment #835 (comment), you are still able to see the content of the message which had that unmasked information. Consider clicking delete for that particular version.

@cjbarth (Collaborator) commented Jan 11, 2023

@srd90 is correct; I won't be spending time looking into problems on deprecated versions, and I doubt anyone else will either. We also won't do a release for any version that old. If there is a serious problem with v3, we may do a release, but otherwise issues and PRs should be against the v4 branch.

Please re-open when you meet that baseline if you still have issues.

@cjbarth cjbarth closed this as completed Jan 11, 2023
3 participants