Encountering certificate issue causing customers to be locked out
-
Good morning, I'm hoping I can provide enough information here to get some help. Maintaining FA is all very new to me so please bear with me.
One of our customers recently decided they wanted to rotate their certificates for their test environment. They sent us an XML file and I extracted the value in the "X509Certificate" tag, then went into Settings > Key Master and created a new Certificate using that value. After I set this new key as the verification key for the customer's Identity Provider in FA, they received the following error message:
Unable to parse or validate SAML response. Exception: io.fusionauth.samlv2.domain.SAMLException: Unable to verify XML signature in the SAML v2.0 XML. The signature was unmarshalled but we couldn't validate it. Possible reasons include a key was not provided that was eligible to verify the signature, or an un-expected exception occurred.
Clearly I've screwed up somewhere along the way, but I have no idea where. Did I create the wrong certificate type or did the settings get out of sync somehow? Users were able to log in without issue until the customer rotated their certificates.
-
@john-spellman, can you tell us a bit more about how you created the key? Which option did you choose to import? Which certificate type did you use? You could try different types.
Anything you can tell us about which Identity Provider you created and what the architecture looks like will help. Is FusionAuth the IdP/SP or both?
Also, if you can share the settings of your SAML tab for the application (without sharing secrets), that may give us some insight into the issue as well, if you are using FusionAuth as an IdP.
I don't have a ton of experience with importing certificates, so if anyone out there knows better, please feel free to chime in.
I have set up a key for a SAML provider before using an RSA/RS256 type key. I generated that key with FusionAuth, but I don't see any reason you couldn't import the key you need.
You may want to check out this blog to test a simple SAML configuration if your situation reflects the setup.
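As an added example (not part of this thread and not FusionAuth's own code), a stdlib-only Python script that pulls every X509Certificate out of IdP metadata, records whether the KeyDescriptor is marked for signing or encryption, checks that the value base64-decodes to DER, and wraps it as PEM for import. Picking an encryption certificate, or the old signing certificate when metadata lists both during a rotation, produces exactly the "no eligible key" verification failure above. The metadata and the certificate bytes are constructed placeholders, not a real certificate.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: one signing and one encryption KeyDescriptor.
# The base64 is a placeholder ASN.1 SEQUENCE, not a real certificate.
PLACEHOLDER_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.test">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_DER}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_DER}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_certificates(metadata_xml: str) -> list:
    """One entry per X509Certificate: its 'use' (signing, encryption, or
    'both' when the attribute is absent) and a PEM string ready to import."""
    root = ET.fromstring(metadata_xml)
    results = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "both")
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata usually wraps the base64 across lines; drop all whitespace.
            b64 = "".join((cert.text or "").split())
            try:
                der = base64.b64decode(b64, validate=True)
            except binascii.Error as exc:
                raise ValueError(f"{use} certificate is not valid base64: {exc}")
            if not der or der[0] != 0x30:
                raise ValueError(f"{use} certificate does not start with an ASN.1 SEQUENCE")
            body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
            results.append({"use": use, "pem": pem})
    return results


def signing_certificates(metadata_xml: str) -> list:
    """Only the certificates eligible to verify a SAML response signature."""
    return [c["pem"] for c in extract_certificates(metadata_xml) if c["use"] in ("signing", "both")]


if __name__ == "__main__":
    for c in extract_certificates(SAMPLE_METADATA):
        print(c["use"], c["pem"], sep="\n")
```

If the metadata carries more than one signing certificate, import each one as a separate key and confirm against the customer which serial or fingerprint is the new one before switching the verification key.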