Yes, sorry, I should have mentioned that. I am using a different SP - Shibboleth SP v2.5.2.
We did test this using a PL SP as well. The issue does not come up when both IdP and SP are PL. The reason it seems to not affect it is that the PL SP is creating a Redirect binding AuthnRequest where the signature is embedded in the xml of the AuthnRequest, instead of being placed in a separate parameter named 'Signature'.
Shibboleth SP places it in a separate param (for Redirect binding), not in the xml, and thus the signature is not found.
For what it's worth, the saml2 binding spec seems to indicate that the Signature should not be in the xml, it should be in a parameter: (section 3.4.4.1, line 608 of saml-bindings-2.0):
The signature value MUST be encoded using the base64 encoding (see RFC 2045) with any whitespace removed, and included as a query string parameter named Signature.
Let me know if you want me to provide the xml or query string data. For now we are using POST binding for login and are avoiding this issue entirely.
Of note, this probably also implies that a PL SP using Redirect binding would not work with the Shib IdP if signatures are in use, so it might be worth addressing at some point.
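
Added example, not part of the original post and not code from either product: a small diagnostic that takes a Redirect binding URL, reports whether the signature is carried as the `Signature` query parameter or embedded in the AuthnRequest XML, and rebuilds the string a detached signature covers. The host name, RelayState, request ID and signature value are constructed samples.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote, urlsplit

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGALG = DSIG_NS + "rsa-sha1"

def raw_params(url):
    """Query parameters with their original percent-encoding kept intact."""
    parts = (p.split("=", 1) for p in urlsplit(url).query.split("&") if "=" in p)
    return dict(parts)

def signed_octets(url):
    """Octets a detached signature covers: SAMLRequest, RelayState (if any), SigAlg."""
    p = raw_params(url)
    return "&".join(f"{k}={p[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg") if k in p)

def signature_location(url):
    """Report whether the signature is a query parameter, inside the XML, or both."""
    p = raw_params(url)
    xml = zlib.decompress(base64.b64decode(unquote(p["SAMLRequest"])), -15)  # raw DEFLATE
    # Diagnostic use on captured requests; parse untrusted XML with a hardened parser.
    embedded = ET.fromstring(xml).find(f"{{{DSIG_NS}}}Signature") is not None
    return {"detached": "Signature" in p and "SigAlg" in p, "embedded": embedded}

def encode(xml):
    """DEFLATE, base64 and percent-encode a message as the Redirect binding does."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return quote(base64.b64encode(c.compress(xml.encode()) + c.flush()), safe="")

# Constructed sample requests (not captured traffic).
AUTHN = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">%s'
         '</samlp:AuthnRequest>')
BASE = "https://idp.example.org/sso?SAMLRequest="
DETACHED_URL = (BASE + encode(AUTHN % "") + "&RelayState=abc&SigAlg="
                + quote(SIGALG, safe="") + "&Signature=Y29uc3RydWN0ZWQ%3D")
EMBEDDED_URL = BASE + encode(AUTHN % f'<ds:Signature xmlns:ds="{DSIG_NS}"/>') + "&RelayState=abc"

if __name__ == "__main__":
    for name, url in (("detached", DETACHED_URL), ("embedded", EMBEDDED_URL)):
        print(name, signature_location(url), signed_octets(url)[:40])
```

The signed string is built from the percent-encoded values exactly as they appear on the wire, so a receiver that decodes and re-encodes the parameters before verifying can fail on an otherwise valid signature.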