For three days, I have been pulling my hair out trying to wrap my head around Okta & SAML.
On my local machine (OSX Mavericks), I am able to successfully follow the steps listed here: http://developer.okta.com/docs/guides/pysaml2
Things work.
But moving everything over to our production server, which is a CentOS box, running nearly identical code, I am faced with this "SignatureError: Failed to verify signature" error.
Traceback (most recent call last):
    auth_response = saml_client.parse_authn_request_response(SAMLResponse, entity.BINDING_HTTP_POST)
  File "/usr/local/lib/python2.7.11/lib/python2.7/site-packages/saml2/client_base.py", line 599, in parse_authn_request_response
    binding, **kwargs)
    response = response.loads(xmlstr, False, origxml=origxml)
  File "/usr/local/lib/python2.7.11/lib/python2.7/site-packages/saml2/response.py", line 510, in loads
    self._loads(xmldata, decode, origxml)
  File "/usr/local/lib/python2.7.11/lib/python2.7/site-packages/saml2/response.py", line 335, in _loads
    **args)
  File "/usr/local/lib/python2.7.11/lib/python2.7/site-packages/saml2/sigver.py", line 1756, in correctly_signed_response
    class_name(response), origdoc)
  File "/usr/local/lib/python2.7.11/lib/python2.7/site-packages/saml2/sigver.py", line 1571, in _check_signature
    raise SignatureError("Failed to verify signature")
SignatureError: Failed to verify signature
I have scoured the internet looking for a way to troubleshoot this error. I am new to SAML and Okta.
My assumption is that this has something to do with xmlsec1 acting differently on our production machine. But the versions are identical. There are many dependencies so I'm not sure where the problem might be.
Has anyone run into this error? Any thoughts on what I might be able to try?
I know this is a little late, but in case someone else runs into this:
pysaml2 provides a lot of logging using Python's built-in logging. I defined a handler for saml2.sigver and that gave a lot of info. In those logs I found this:
Error: unable to load xmlsec-openssl library. Make sure that you have
this it installed, check shared libraries path (LD_LIBRARY_PATH)
envornment variable or use "--crypto" option to specify different
crypto engine.
Turns out I needed to install xmlsec1-openssl. Hope this helps someone in the future.
Dealing with xmlsec1 can be extremely frustrating!
The main thing that I suggest doing is enabling debugging in PySAML2, and/or setting the PYSAML2_KEEP_XMLSEC_TMP environment variable, and/or manually enabling this code path in sigver.py. The general idea is to get a look at the xmlsec1 command that PySAML2 is calling and have PySAML2 leave the temporary files around so that you can test the commands yourself.
As I recall, most of the issues that I've run into in the past involved PySAML2 not finding the xmlsec1 binary. The get_xmlsec_binary() function in sigver.py is responsible for finding the xmlsec1 binary. I suggest that you take a look at the code in get_xmlsec_binary() and make sure that it is looking in the right places on your system.
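The two answers above point at the two usual causes of this error: PySAML2 cannot find the xmlsec1 binary, or it finds it but the xmlsec1-openssl crypto engine is missing. The following diagnostic is an added example, not code from the question, the answers or PySAML2; it uses only the standard library, mimics get_xmlsec_binary()'s search, and assumes xmlsec1 prints "OK" as the first stdout line of a successful --verify run. The sample stderr is the message quoted in the first answer.

```python
import logging
import os
import shutil
import subprocess

# Constructed sample: the xmlsec1 stderr quoted in the first answer above.
SAMPLE_MISSING_ENGINE_STDERR = ("Error: unable to load xmlsec-openssl library. "
                                "Make sure that you have this it installed ...")


def enable_sigver_logging(level=logging.DEBUG):
    """Attach a handler to pysaml2's 'saml2.sigver' logger (what the first answer did)."""
    logger = logging.getLogger("saml2.sigver")
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.setFormatter(logging.Formatter("%(name)s %(levelname)s %(message)s"))
        logger.addHandler(handler)
    logger.setLevel(level)
    return logger


def find_xmlsec_binary(extra_dirs=("/usr/local/bin", "/usr/bin", "/opt/local/bin")):
    """Search PATH, then a few common prefixes, like get_xmlsec_binary() does."""
    found = shutil.which("xmlsec1")
    if found:
        return found
    for directory in extra_dirs:
        candidate = os.path.join(directory, "xmlsec1")
        if os.access(candidate, os.X_OK):
            return candidate
    return None


def classify_xmlsec_output(returncode, stdout, stderr):
    """Reduce one xmlsec1 --verify run to a verdict a human can act on."""
    if "unable to load xmlsec-openssl" in stderr:
        return "missing-crypto-engine"      # fix: install xmlsec1-openssl
    if returncode == 0 and stdout.lstrip().startswith("OK"):
        return "signature-ok"               # assumes xmlsec1's "OK" first line
    return "verification-failed"            # wrong cert, altered XML, ...


def verify_with_xmlsec(cert_pem, response_xml,
                       node_name="urn:oasis:names:tc:SAML:2.0:protocol:Response"):
    """Re-run PySAML2's verify step on the temp files kept via PYSAML2_KEEP_XMLSEC_TMP."""
    binary = find_xmlsec_binary()
    if binary is None:
        return "xmlsec1-not-found"
    cmd = [binary, "--verify", "--pubkey-cert-pem", cert_pem,
           "--id-attr:ID", node_name, response_xml]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    return classify_xmlsec_output(proc.returncode, proc.stdout, proc.stderr)
```

Call enable_sigver_logging() before parse_authn_request_response() to see the exact xmlsec1 command PySAML2 builds, then feed the kept certificate and response files to verify_with_xmlsec() on the failing host.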