Azure issue with SignatureMethod namespace about esaml HOT 6 CLOSED

That appears to use the proper xmldsig xmlns...

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">

It's just using the xmldsig-more URIs for rsa-sha256 from RFC6931 to identify some extra algorithms that weren't defined in 2000/09/xmldsig. That spec added SHA256 among other things.

<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

It's just a value of an attribute.

Most likely the problem is that SAML response has an assertion signature and not an envelope signature. I just use esaml directly, and there is an option to disable the requirement for envelope signature in the sp_config, I believe?

from esaml.

I see samly has an option you can put in config for your IDP: signed_envelopes_in_resp: false that would probably fix it for you.

from esaml.

FYI, the way to tell an envelope signature from an assertion signature is where the <Signature /> tag is. If it's directly under <Response /> they call it an envelope signature. That signature would sign the entire XML doc. If it's directly under <Assertion /> it's an assertion signature, and only signs data under the <Assertion /> tag.

I've found envelope signatures the easiest to work with, but I'm guessing everyone has a different experience.

from esaml.

Thanks, I'll try the samly option out tonight if I have a chance.

from esaml.

Sorry for the delayed response. Thanks @samterrell for pitching in.

If you are using Samly: signed_envelopes_in_resp: false

If you are using esaml: The esaml_sp record has idp_signs_envelopes field. Turn it off.

Can you please confirm if you are able to get past this? Just want to make sure that folks are able to use esaml/Samly with Azure.

Thanks.

from esaml.

Closing. Please reopen if needed.

from esaml.