saml2.response.IncorrectlySigned Internal Server Error #135

Open
MySecondLanguage opened this issue Oct 17, 2021 · 6 comments

Comments

@MySecondLanguage

I am implementing SSO with SAML2 but I am running into trouble.
I am using these libraries:
https://github.com/OTA-Insight/djangosaml2idp

https://github.com/IdentityPython/djangosaml2

The SP is working well; the issue is with the IdP.

This is the error I am getting:

 raise IncorrectlySigned()
saml2.response.IncorrectlySigned
Internal Server Error: /idp/login/process/

and these are my URL patterns

from django.urls import include, path
from django.views.generic import TemplateView

urlpatterns = [
    path('accounts/', include('django.contrib.auth.urls')),
    path('idp/', include('djangosaml2idp.urls')),
    path('', TemplateView.as_view(template_name="index.html")),
]

and this is my settings.py file

import saml2
import os
from saml2.saml import NAMEID_FORMAT_EMAILADDRESS, NAMEID_FORMAT_UNSPECIFIED
from saml2.sigver import get_xmlsec_binary

# BASE_DIR and DEBUG are defined earlier in settings.py (not shown here)

LOGIN_URL = '/accounts/login/'
BASE_URL = 'http://localhost:8000/idp'

SAML_IDP_CONFIG = {
    'debug' : DEBUG,
    'xmlsec_binary': get_xmlsec_binary(['/opt/local/bin', '/usr/bin']),
    'entityid': '%s/metadata' % BASE_URL,
    # 'entityid': os.path.join(BASE_DIR, 'metadata'),
    'description': 'Example IdP setup',

    'service': {
        'idp': {
            'name': 'Django localhost IdP',
            'endpoints': {
                'single_sign_on_service': [
                    ('http://localhost:8000/idp/sso/post/', saml2.BINDING_HTTP_POST),
                    ('http://localhost:8000/idp/sso/redirect/', saml2.BINDING_HTTP_REDIRECT),
                ],
                "single_logout_service": [
                    ("http://localhost:8000/idp/slo/post/", saml2.BINDING_HTTP_POST),
                    ("http://localhost:8000/idp/slo/redirect/", saml2.BINDING_HTTP_REDIRECT)
                ],
            },
            'name_id_format': [NAMEID_FORMAT_EMAILADDRESS, NAMEID_FORMAT_UNSPECIFIED],
            'sign_response': True,
            'sign_assertion': True,
            'want_authn_requests_signed': True,
        },
    },

    # Signing
    'key_file': os.path.join(BASE_DIR, 'certificates/private.key'),
    'cert_file': os.path.join(BASE_DIR, 'certificates/public.cert'),
    # Encryption
    'encryption_keypairs': [{
        'key_file': os.path.join(BASE_DIR, 'certificates/private.key'),
        'cert_file': os.path.join(BASE_DIR, 'certificates/public.cert'),
    }],
    'valid_for': 365 * 24,

    "metadata": {
        "local": [
            os.path.join(BASE_DIR, 'metadata')
        ],
    },
}


# Each key in this dictionary is a SP our IDP will talk to

SAML_IDP_SPCONFIG = {
    'http://localhost:8000/saml2/metadata': {
        'processor': 'djangosaml2idp.processors.BaseProcessor',
        'attribute_mapping': {
            'email': 'email',
            'first_name': 'first_name',
            'last_name': 'last_name',
            'is_staff': 'is_staff',
            'is_superuser': 'is_superuser',
        }
    }
}

Everything is working well, but when it redirects to the /idp/login/process/ URL it fires the error. Can anyone help me solve this issue?

@charron-tom

Do you know which binding is being used? If you are using the HTTP-REDIRECT binding, the signature must be in the Authn request itself as the pysaml2 library doesn't yet support passing the signature via a URL query parameter. See this pull request.

If you are using the HTTP-POST binding, double check there is a signature in the Authn request.
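
An added example, not code from this issue or from djangosaml2idp/pysaml2, of what the comment above describes: with the HTTP-Redirect binding the signature travels in the SigAlg and Signature query parameters, not inside the AuthnRequest XML, so an IdP has to rebuild the signed query string from the raw parameters as received and verify it with the SP's certificate. The sample AuthnRequest, its ACS URL and the RelayState value are constructed; the RSA part needs the cryptography package and uses a freshly generated key standing in for the SP's key. It also shows that an empty RelayState and an absent one yield different signed strings, which matters whenever the parameter is stored and later handed to the verifier.

```python
"""Added example: how the SAML 2.0 HTTP-Redirect binding carries a signature.

Per SAML 2.0 Bindings section 3.4.4.1 (DEFLATE encoding) the SP signs the
URL-encoded query string  SAMLRequest=...&RelayState=...&SigAlg=...
(RelayState omitted when absent) and appends Signature=... as a further query
parameter. The XML itself carries no <ds:Signature>, so an IdP that only looks
for a signature inside the document reports the request as unsigned.
"""
import base64
import zlib
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlencode

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample AuthnRequest: the Issuer is the SP entity id from the issue,
# the ACS URL is an assumption.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-1" '
    'Version="2.0" IssueInstant="2021-10-17T12:00:00Z" '
    'Destination="http://localhost:8000/idp/sso/redirect/" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="http://localhost:8000/saml2/acs/">'
    '<saml:Issuer>http://localhost:8000/saml2/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def deflate_b64(xml: str) -> str:
    """Redirect-binding payload encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value: str) -> str:
    """Inverse of deflate_b64, as the IdP does before parsing the XML."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_query(xml: str, relay_state: Optional[str],
                         signer: Callable[[bytes], bytes]) -> str:
    """SP side: encode the request, URL-encode in spec order, sign, append Signature."""
    params = [("SAMLRequest", deflate_b64(xml))]
    if relay_state is not None:  # '' and None differ: '' is signed, None is omitted
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", RSA_SHA256))
    signed = urlencode(params).encode("ascii")
    signature = base64.b64encode(signer(signed)).decode("ascii")
    return signed.decode("ascii") + "&" + urlencode({"Signature": signature})


def split_signed_query(raw_query: str) -> Tuple[bytes, bytes, str]:
    """IdP side: recover (signed_bytes, signature, sig_alg) from the raw query string.

    The signed data is rebuilt from the parameter values exactly as received, with
    no decode/re-encode round trip: the SP's URL-encoder may differ from ours and
    the signature covers the bytes the SP actually sent.
    """
    raw = {}
    for part in raw_query.split("&"):
        key, _, value = part.partition("=")
        raw[key] = value
    if "SigAlg" not in raw or "Signature" not in raw:
        raise ValueError("redirect-bound request has no SigAlg/Signature parameters")
    pieces = [f"{k}={raw[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw]
    signed = "&".join(pieces).encode("ascii")
    signature = base64.b64decode(unquote(raw["Signature"]))
    return signed, signature, unquote(raw["SigAlg"])


def request_xml(raw_query: str) -> str:
    """Decode the AuthnRequest XML carried by a redirect-bound query string."""
    return inflate_b64(dict(parse_qsl(raw_query))["SAMLRequest"])


def rsa_sha256_verify(public_key, signed: bytes, signature: bytes) -> bool:
    """Verify with the SP's RSA public key (from its metadata). Needs 'cryptography'."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    try:
        public_key.verify(signature, signed, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def main() -> None:
    try:
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
    except ImportError:
        print("install 'cryptography' to run the RSA part of this demo")
        return
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # stands in for the SP key
    sign = lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    query = build_redirect_query(SAMPLE_AUTHN_REQUEST, "/accounts/profile/", sign)
    signed, signature, alg = split_signed_query(query)
    print("SigAlg:", alg)
    print("ds:Signature inside the XML:", "ds:Signature" in request_xml(query))
    print("query signature verifies:", rsa_sha256_verify(key.public_key(), signed, signature))
    # RelayState is covered by the signature, so changing it in flight must fail.
    tampered = query.replace("RelayState=%2Faccounts%2Fprofile%2F", "RelayState=%2Fadmin%2F")
    signed, signature, _ = split_signed_query(tampered)
    print("tampered RelayState verifies:", rsa_sha256_verify(key.public_key(), signed, signature))


if __name__ == "__main__":
    main()
```

Run it directly to see one verifying exchange and one tampered one. A real IdP takes the public key from the `<ds:X509Certificate>` in the SP's metadata, and when it requires signed requests it rejects a redirect-bound request that has no SigAlg/Signature parameters at all rather than treating it as unsigned-but-acceptable.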

@MySecondLanguage

MySecondLanguage commented Oct 19, 2021

How do I use the HTTP-POST binding? I am using this djangosaml2idp example source code.

How can I use the HTTP-POST binding, given that djangosaml2idp handles the request at /idp/login/process/?

Can you please have a look at my settings? I have already added them above.

@MySecondLanguage

Hi, can anyone help me fix this?

@subbergunz

subbergunz commented Jan 18, 2022

It appears to be supported now, in IdentityPython/pysaml2@718cf98

@subbergunz

I am now testing this diff:

# diff -c /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py.orig /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py
*** /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py.orig	2022-01-18 15:08:14.414687736 +0100
--- /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py	2022-01-18 16:01:56.845308818 +0100
***************
*** 56,61 ****
--- 56,66 ----
      request.session['Binding'] = binding
      request.session['SAMLRequest'] = saml_request
      request.session['RelayState'] = passed_data.get('RelayState', '')
+     if binding == BINDING_HTTP_REDIRECT:
+         if 'SigAlg' in passed_data:
+             request.session['SigAlg'] = passed_data.get('SigAlg')
+         if 'Signature' in passed_data:
+             request.session['Signature'] = passed_data.get('Signature')
  
  
  @never_cache
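
Review bot: SigAlg and Signature are written to the session only when present in passed_data and are never cleared, so a redirect-bound request that arrives unsigned, or a later HTTP-POST request, in the same session still sees the SigAlg/Signature left behind by an earlier request, and the signature check in the login view runs against a stale signature. Assign them unconditionally next to Binding/SAMLRequest/RelayState, e.g. `request.session['SigAlg'] = passed_data.get('SigAlg')` and `request.session['Signature'] = passed_data.get('Signature')`, or pop both keys before the `if binding == BINDING_HTTP_REDIRECT:` block.
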
***************
*** 233,239 ****
              idp_server = IDP.load()
  
              # Parse incoming request
!             req_info = idp_server.parse_authn_request(request.session['SAMLRequest'], binding)
  
              # check SAML request signature
              try:
--- 238,247 ----
              idp_server = IDP.load()
  
              # Parse incoming request
!             if binding == BINDING_HTTP_REDIRECT:
!                 req_info = idp_server.parse_authn_request(request.session['SAMLRequest'], binding, relay_state=request.session.get('RelayState', None), sigalg=request.session.get('SigAlg', None), signature=request.session.get('Signature', None))
!             else:
!                 req_info = idp_server.parse_authn_request(request.session['SAMLRequest'], binding)
  
              # check SAML request signature
              try:
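
Review bot: the `.get('RelayState', None)` default on the redirect branch never applies, because the store in the first hunk writes `passed_data.get('RelayState', '')`, so an AuthnRequest sent without RelayState reaches parse_authn_request with relay_state='' rather than None; if pysaml2 includes RelayState in the signed string whenever it is not None, an empty parameter the SP never signed is appended and verification fails. Store None (or omit the key) when the parameter is absent, or pass `relay_state=request.session.get('RelayState') or None`. The 180-character call is also hard to review; build a kwargs dict in the redirect case and make one `idp_server.parse_authn_request(request.session['SAMLRequest'], binding, **kwargs)` call.
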

@MathieuB1

In my case, to get the example working I had to set:

            'sign_response': False,
            'sign_assertion': False,
            'want_authn_requests_signed': False,

in sp.settings.py and idp.settings.py
