Unable to create the correct signature for SAML response

4
votes

I am using go-saml library in our project to enable SSO in which the service provider will be Salesforce and Identity Provider will be the Golang code. Golang code will first verify the user then it will create a SAML response to allow the user to login to Salesforce. I am new to Golang and following Creating a SAML Response (if acting as an IdP) of this library. So, far I am able to create a SAML response using it but facing some challenges in customizing it as per the requirement.

  1. The first challenge I was facing is to add AudienceRestriction in the Conditions block as below:-

<saml:Conditions NotBefore="2020-03-15T16:33:16.23103491Z" NotOnOrAfter="2020-03-15T16:43:16.23104017Z"> <saml:AudienceRestriction> <saml:Audience>https://saml.salesforce.com</saml:Audience> </saml:AudienceRestriction> </saml:Conditions>

I have tried to add it like below in the code, but it seems AudienceRestrictions is not defined in Conditions object.

authnResponse := saml.NewSignedResponse() authnResponse.Conditions.AudienceRestrictions = "https://saml.salesforce.com"

I don't find any way to add the above block in the Conditions block which is mandatory for Salesforce. Please suggest me some way to do so.

  1. I also have to add AuthnStatement below the conditions block as below:-

<saml:AuthnStatement AuthnInstant="2020-03-01T11:28:31.396Z"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement>

  1. Even after manually adding the above blocks in the SAML response, I am getting the below error while validating the SAML response using the Salesforce SAML validator

Validating the Signature... Is the response signed? true
Is the assertion signed? false
The reference in the response signature is valid
Is the correct certificate supplied in the keyinfo? true

Signature or certificate problems
The signature in the response is not valid

I have generated a Public key(self-signed .pem certificate) and a Private key. After that, I have uploaded the public key to the Salesforce and using private and public keys to inside the code for generating SAML response. I have no idea why I am getting Signature Invalid error. Please let me know if you have any suggestions for me.

In case you want to check my Golang code - https://play.golang.org/p/U9dXZblTHG1

1
gosingle-sign-onsamlsaml-2.0xml-signature

1 Answers

3
votes
  1. Audience can be added via a provided function:
authnResponse := saml.NewSignedResponse()
authnResponse.AddAudienceRestriction("https://saml.salesforce.com")
  1. Authentication context can be added via another function:
authnContext := "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
sessionIndex := "session_1"
authnResponse.AddAuthnStatement(authnContext,sessionIndex)

As a suggestion, try a more mature, established library such as OpenSAML or simpleSAMLphp to generate your SAML response. If that works but go-saml doesn't, then you have something to go on for your next steps. On the other hand, if the assertion you generate via another method also fails, then it's likely an issue with whatever you're doing with keys or assertion content rather than the library.