Summary

How can you make sure that Aqua validates the signature within the SAML response after integrating Aqua with your Identity Provider?


Problem


After configuring and integrating Aqua with your Identity Provider for SAML authentication, a common issue is that Aqua is unable to validate the signature within the SAML Response.  You may see an error message during the authentication attempt, similar to this example: 



Error message text:

SAML SSO authentication failed: SAMLResponse validation: error verifing signature: exit status 1



Cause

This problem occurs when the Identity Provider public certificate stored in the Aqua configuration does not correspond to the key that produced the signature in the SAML Response XML. This is often the result of an improperly formatted certificate, or of using the wrong public certificate (for example, an encryption or TLS certificate instead of the token-signing certificate).


Solution

Improper certificate formatting

Extra characters or incomplete headers may cause Aqua to read the provided certificate incorrectly. Whether your certificate contains PEM headers or just the raw base64 certificate data, it may be beneficial to pass the certificate through an x509 certificate formatting tool. This will add proper headers and ensure that the certificate is standardized and readable by most x509 consumers.


Manually confirm that the certificate can be read

Use a tool like the OpenSSL command line utility to check that the certificate is complete and parses as a valid X.509 certificate.

openssl x509 -in idp_public_key.crt -text -noout


Confirm that the certificate is for token signing

Your Identity Provider may employ multiple certificates for elements such as encryption, TLS, or token signing.  Be sure to export or download the proper certificate used for SAML XML signatures.  This may vary between different client configurations within the Identity Provider.  


Once you have confirmed the three checks above, and the certificate is properly formatted, you can then attempt to paste the certificate data into the X509 Certificate field under the SAML Authentication integration page and perform another SAML login.
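The following is an added example, not part of the original article or Aqua's own code. It covers the first and third checks above in one place: it normalizes a pasted certificate (with or without PEM headers, tolerating stray whitespace and line endings) into canonical PEM, and then compares its SHA-256 fingerprint against the certificate the Identity Provider embedded in the ds:KeyInfo/ds:X509Certificate element of the SAML Response. The element and namespace names are the standard XML Signature ones; the certificate bytes and the SAML Response below are constructed stand-ins so the script runs offline, and the response is assumed to already be base64-decoded from the POST body. A mismatch here is the "wrong certificate" case from the Cause section; a match only tells you the configured certificate is the one the IdP references, and Aqua (or openssl) still has to verify the signature itself. Note that not every IdP includes KeyInfo in its responses, in which case the fingerprint must be compared against the IdP metadata instead.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def _base64_body(raw: str) -> str:
    """Strip PEM headers, blank lines and all whitespace; reject non-base64 input."""
    body_lines = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("-----"):
            continue  # skip blank lines and BEGIN/END header lines
        body_lines.append(line)
    body = re.sub(r"\s+", "", "".join(body_lines))
    try:
        # validate=True rejects any character outside the base64 alphabet
        base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    return body


def normalize_certificate(raw: str) -> str:
    """Return a canonical PEM block: headers present, body wrapped at 64 chars."""
    body = _base64_body(raw)
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"{PEM_HEADER}\n{wrapped}\n{PEM_FOOTER}\n"


def certificate_fingerprint(raw: str) -> str:
    """SHA-256 hex fingerprint of the DER bytes, independent of how it was pasted."""
    der = base64.b64decode(_base64_body(raw))
    return hashlib.sha256(der).hexdigest()


def signing_certificates_in_response(saml_response_xml: str) -> list:
    """Collect every ds:X509Certificate the IdP embedded in the response."""
    root = ET.fromstring(saml_response_xml)
    return [el.text for el in root.iter(f"{{{XMLDSIG_NS}}}X509Certificate") if el.text]


def configured_certificate_matches(configured_cert: str, saml_response_xml: str) -> bool:
    """True if the configured IdP certificate is one the response's signature refers to."""
    want = certificate_fingerprint(configured_cert)
    return any(certificate_fingerprint(c) == want
               for c in signing_certificates_in_response(saml_response_xml))


# Constructed sample data: these "DER" bytes are not real certificates, only
# byte strings standing in for them so the example runs offline.
FAKE_DER = b"constructed-fake-der-for-demo-only"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
OTHER_B64 = base64.b64encode(b"a-different-constructed-certificate").decode()

# A sloppy paste: leading spaces, CRLF line endings, a stray space inside the body.
MESSY_PASTE = (
    f"  {PEM_HEADER}\r\n"
    f"{FAKE_B64[:20]} {FAKE_B64[20:]}\r\n"
    f"{PEM_FOOTER}  \r\n"
)

# Constructed SAML Response (already base64-decoded) carrying the IdP certificate in KeyInfo.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{XMLDSIG_NS}" ID="_constructed" Version="2.0">
  <ds:Signature>
    <ds:SignatureValue>constructed-not-a-real-signature</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""

if __name__ == "__main__":
    print(normalize_certificate(MESSY_PASTE))
    print("configured cert matches response:",
          configured_certificate_matches(MESSY_PASTE, SAMPLE_RESPONSE))
    print("wrong cert matches response:",
          configured_certificate_matches(OTHER_B64, SAMPLE_RESPONSE))
```

To use this against a real login attempt, capture the SAMLResponse form field from the browser's network tools, base64-decode it, and pass the resulting XML together with the certificate text you pasted into the X509 Certificate field; if the fingerprints differ, the certificate is the wrong one regardless of how well it is formatted.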