Unexplained simpleSAMLphp behavior, saying that some SAML responses are valid and some invalid

StackOverflow https://stackoverflow.com/questions/20985102

  •  25-09-2022

Question

IdP is using Ping Federate v6.10. The Service Provider is using simpleSAMLphp.

We have confirmed that the IdP is sending the SAML Assertion to the SP. However, it is in simpleSAMLphp where we get the following error:

Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] Backtrace:
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] 0 C:\inetpub\wwwroot\simplesamlphp\www\module.php:180 (N/A)
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] Caused by: Exception: Reference validation failed
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] Backtrace:
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] 8 C:\inetpub\wwwroot\simplesamlphp\lib\xmlseclibs.php:1028 (XMLSecurityDSig::validateReference)
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] 7 C:\inetpub\wwwroot\simplesamlphp\lib\SAML2\Utils.php:52 (SAML2_Utils::validateElement)
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] 6 C:\inetpub\wwwroot\simplesamlphp\lib\SAML2\Assertion.php:469 (SAML2_Assertion::parseSignature)
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] 5 C:\inetpub\wwwroot\simplesamlphp\lib\SAML2\Assertion.php:240 (SAML2_Assertion::__construct)
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] 4 C:\inetpub\wwwroot\simplesamlphp\lib\SAML2\Response.php:37 (SAML2_Response::__construct)
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] 3 C:\inetpub\wwwroot\simplesamlphp\lib\SAML2\Message.php:471 (SAML2_Message::fromXML)
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] 2 C:\inetpub\wwwroot\simplesamlphp\lib\SAML2\HTTPPost.php:88 (SAML2_HTTPPost::receive)
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] 1 C:\inetpub\wwwroot\simplesamlphp\modules\saml\www\sp\saml2-acs.php:16 (require)
Jan 07 12:42:37 simplesamlphp ERROR [0ed1b9806f] 0 C:\inetpub\wwwroot\simplesamlphp\www\module.php:135 (N/A)

The weird thing is that some users work and some do not. Have you guys seen this type of behavior before? Is it possible that the cause of this is attributes being pulled from Active Directory that contain weird characters (i.e. objectGUID)?

Any suggestions would be great.


Solution

Generally, this error in simpleSAMLphp indicates an issue with validating the signature, and I would say make sure the proper certs are in place. However, if it's happening only on some users from the same connection, there's got to be something else going on.

You could ask the IdP if they have defined ObjectGUID as a binary attribute, and verify the encoding that they are using for that attribute - I suppose it could break something in the validation... That's about the only thing I can think of that might break an otherwise working connection between simpleSAMLphp and PingFederate (disclosure - as it notes in my profile, I do support work for Ping).

If your partner has a valid contract with us, they can always open a support issue if they need help, and we're happy to get on the phone with them (and you) to work through the issue.
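The error in the log is raised by XMLSecurityDSig::validateReference, which is the digest check that runs before the certificate is ever consulted: the ds:Reference inside the Signature carries the digest the IdP computed over the canonical form of the signed element (with the enveloped Signature removed), and the SP recomputes it over what it received. Any byte that changed after signing, for instance an attribute value that was re-encoded on the way, makes only the assertions containing that value fail, which matches the "some users work, some do not" pattern. The script below is an added example, not code from simpleSAMLphp, xmlseclibs or PingFederate: it reproduces that check on a constructed assertion with an objectGUID attribute, verifies that the objectGUID value is well-formed base64 of 16 bytes, and shows a hypothetical post-signing rewrite that hits only some users. It assumes the standard library's C14N 2.0 (xml.etree.ElementTree.canonicalize, Python 3.8+) in place of the Exclusive C14N 1.0 that SAML signatures actually use, so it will not verify a real assertion byte-for-byte; the sample assertion, user names and GUIDs are made up, and the rewrite fault is an illustration of the mechanism, not the root cause established on this page.

```python
"""Triage helper for simpleSAMLphp's "Reference validation failed".

Added example, not code from simpleSAMLphp, xmlseclibs or PingFederate.
Assumption: C14N 2.0 from the standard library stands in for the
Exclusive C14N 1.0 used by real SAML signatures, so this demonstrates the
mechanism on a constructed assertion rather than validating a real one.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_SIGNATURE = "{%s}Signature" % DS

# Constructed assertion skeleton (issuer, ID and values are made up). Only
# {digest}, {user} and {guid} are substituted. The ds:Signature element is
# excluded from the digest input, which is what the enveloped-signature
# transform does.
ASSERTION_TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    "<ds:Signature><ds:SignedInfo>"
    '<ds:Reference URI="#_example"><ds:DigestValue>{digest}</ds:DigestValue></ds:Reference>'
    "</ds:SignedInfo></ds:Signature>"
    "<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>"
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="objectGUID"><saml:AttributeValue>{guid}</saml:AttributeValue></saml:Attribute>'
    "</saml:AttributeStatement></saml:Assertion>"
)


def reference_digest(assertion_xml):
    """SHA-256 over the canonical element with ds:Signature stripped, base64 like a DigestValue."""
    canonical = ET.canonicalize(xml_data=assertion_xml, exclude_tags={DS_SIGNATURE})
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode("ascii")


def sign_assertion(user, guid_bytes):
    """Stand-in for the IdP: emit the assertion with objectGUID as a base64
    binary attribute (AD objectGUID is 16 raw bytes) and fill in DigestValue."""
    guid_b64 = base64.b64encode(guid_bytes).decode("ascii")
    unsigned = ASSERTION_TEMPLATE.format(digest="", user=user, guid=guid_b64)
    return ASSERTION_TEMPLATE.format(digest=reference_digest(unsigned), user=user, guid=guid_b64)


def check_reference(assertion_xml):
    """The SP side of the reference check, reduced to its core: the Reference
    must point at this element and the recomputed digest must match."""
    root = ET.fromstring(assertion_xml)
    reference = root.find(".//{%s}Reference" % DS)
    claimed = reference.findtext("{%s}DigestValue" % DS)
    actual = reference_digest(assertion_xml)
    return {
        "uri_ok": reference.get("URI") == "#" + root.get("ID", ""),
        "digest_ok": claimed == actual,
        "claimed": claimed,
        "actual": actual,
    }


def check_object_guid(assertion_xml):
    """None when objectGUID is clean base64 of exactly 16 bytes, else a description."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter("{%s}Attribute" % SAML):
        if attr.get("Name") != "objectGUID":
            continue
        value = attr.findtext("{%s}AttributeValue" % SAML) or ""
        try:
            raw = base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
        except ValueError:
            return "objectGUID is not clean base64: %r" % value
        if len(raw) != 16:
            return "objectGUID decodes to %d bytes, expected 16" % len(raw)
        return None
    return "no objectGUID attribute present"


def simulate_post_signing_rewrite(signed_xml):
    """Hypothetical, constructed fault: a component between IdP and SP
    URL-decodes attribute values after signing, turning '+' into ' '.
    Only users whose base64 GUID happens to contain '+' are touched."""
    def rewrite(match):
        return match.group(1) + match.group(2).replace("+", " ") + match.group(3)
    return re.sub(r"(<saml:AttributeValue>)([^<]*)(</saml:AttributeValue>)", rewrite, signed_xml)


if __name__ == "__main__":
    # alice's GUID encodes without '+', bob's (0xfb...) starts with '+wAA'.
    for user, guid in (("alice", b"\x01" * 16), ("bob", b"\xfb" + b"\x00" * 15)):
        received = simulate_post_signing_rewrite(sign_assertion(user, guid))
        print(user, check_reference(received)["digest_ok"], check_object_guid(received))
```

To use the same idea against a real failing login, base64-decode the SAMLResponse from the POST to the ACS, compare the failing user's Assertion with a working user's, and look first at the attribute values that differ: a value that is not clean base64 where a binary attribute was expected is the kind of thing the answer above suggests asking the IdP about.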

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow