SAML Authnreq signature format support
Use-case:
I would like for Zitadel to accept signing of Authnreq requests from the SP other than within an x509 element, like in this format:
<dsig:KeyInfo>
  <dsig:KeyValue>
    <dsig:RSAKeyValue>
      <dsig:Modulus>some_value</dsig:Modulus>
      <dsig:Exponent>other_value</dsig:Exponent>
    </dsig:RSAKeyValue>
  </dsig:KeyValue>
</dsig:KeyInfo>
Environment:
self-hosting
Version:
v2.65.0
Stack:
Sonatype Nexus3 repository as SP
From SP perspective, I have configured option: Validate Response Signature to true, but not the Assertion. I would do that as next step.
What you expected to happen:
User is successfully logged in to SP with SAML req and resp signed respectively.
What went wrong:
IdP is reporting issue/error stating:
<StatusMessage>failed to verify signature: Missing x509 Element</StatusMessage>
Hello to all! 🙂
Could I get some feedback on this subject please?
I'm not sure if my post is not according to guidelines or maybe something else is off, so I would appreciate at least some guidance...
hey @Muki23 apologies for the delay, I will check it and will get back to you
No problem @Rajat Tnx for taking a look. 🙂
hey @Rajat any news on the subject?
hey @Muki23 apologies for the delay, can you pls try
You're sending the public key in the wrong format, ZITADEL needs X.509, not raw RSA key values.
Lmk if this helps 🙂
Hey @Rajat
Yeah, I found that information... unfortunately I cannot do that because the SP code is not in my control, it is also a third party application (Sonatype Nexus) we are using... this is exactly why I was hoping there is some option I could set up on Zitadel to enable it to receive it in the format that the SP is sending, or that you guys find this an interesting new feature to support. 🙂
Hey @Muki23 we can, but can you please raise a feature request? Mention that Nexus3 uses KeyValue-only signatures and that this change would enable broader SAML compatibility. Please be thorough with the details, I will check with the team and see if an engineer from the team prioritises it.
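The KeyInfo shape from the opening post, parsed into an RSA public key and then pinned to the SP key the IdP already knows, as an added Go example that is neither ZITADEL's nor Nexus's code; publicKeyFromKeyValue, keyValueXML and sameKey are hypothetical helpers, and the key they are exercised with is a constructed toy value.

```go
package main

import (
	"crypto/rsa"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
)

// keyInfo models ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue as in the post; the tags
// name no namespace, so "ds:" and "dsig:" prefixed input both match.
type keyInfo struct {
	Modulus  string `xml:"KeyValue>RSAKeyValue>Modulus"`
	Exponent string `xml:"KeyValue>RSAKeyValue>Exponent"`
}

// publicKeyFromKeyValue builds an RSA public key from a KeyValue-only KeyInfo.
// Hypothetical helper written for this thread, not ZITADEL code.
func publicKeyFromKeyValue(raw []byte) (*rsa.PublicKey, error) {
	var ki keyInfo
	if err := xml.Unmarshal(raw, &ki); err != nil {
		return nil, err
	}
	n, errN := base64.StdEncoding.DecodeString(ki.Modulus)
	e, errE := base64.StdEncoding.DecodeString(ki.Exponent)
	if ki.Modulus == "" || errN != nil || errE != nil {
		return nil, errors.New("KeyInfo carries no usable RSAKeyValue")
	}
	exp := new(big.Int).SetBytes(e) // ds:CryptoBinary is unsigned big-endian
	if !exp.IsInt64() || exp.Int64() < 3 {
		return nil, errors.New("unsupported RSA exponent")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(exp.Int64())}, nil
}

// keyValueXML renders a key the way the post shows it (constructed sample input).
func keyValueXML(pub *rsa.PublicKey) string {
	enc := func(v *big.Int) string { return base64.StdEncoding.EncodeToString(v.Bytes()) }
	return fmt.Sprintf(`<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:KeyValue><dsig:RSAKeyValue>`+
		`<dsig:Modulus>%s</dsig:Modulus><dsig:Exponent>%s</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo>`,
		enc(pub.N), enc(big.NewInt(int64(pub.E))))
}

// sameKey pins the key in the request to the SP key the IdP holds from metadata;
// without this, a signature only proves the sender controls a key it chose itself.
func sameKey(got, registered *rsa.PublicKey) bool {
	return got.N.Cmp(registered.N) == 0 && got.E == registered.E
}
```

A KeyValue-only KeyInfo is the sender's own claim about its key, so an IdP adding this support should compare it with the SP key from metadata (or verify against that key directly) rather than trust whatever the request embeds.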