SAML Google Workspace - Signature missing?

Hi,

Since this week we are taking a trial of CheckMK. My part is to get the SAML authentication working. And every time it seems to be a thing to get it working :slight_smile:

We are using Google Workspace and we have set things up as you might expect. We imported the metadata from Google into the XML form in checkMK.

For people who are struggling: the UserID field should contain NameID.

When I try to log in I get the following error in web.log:

2024-02-15 11:28:24,059 [30] [cmk.web.saml2 63110] Google (GoogleWorkspace) - SignatureError: Signature missing for assertion

Google is sending the following request (edited for some privacy):

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://my.host.example/monitoring/check_mk/saml_acs.py?acs" ID="_5d2461a3c9609789c1fd07eabe434351" InResponseTo="id-ud1CYTL4gdb2OwqaU" IssueInstant="2024-02-15T10:28:23.591Z" Version="2.0">
 <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C01sd1ygjv</saml2:Issuer>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
   <ds:Reference URI="#_5d2461a3c9609789c1fd07eabe434351">
    <ds:Transforms>
     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
    <ds:DigestValue>AHDeu01XrntRwWwk9p7neyeWjQ2O8VDLvAEbAzRC3dQ=</ds:DigestValue>
   </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>EGUWJukOVekuACS4WkouC/4cLmMC8CZo1lR934qFx9nns9yoU0sFuLOy5xRYizhFJa1gUM/VvsOE
9uXV+R5/R9GXjtiLxP1+3vrjjyZay/ve0Jzn2aoF9pYwp9v08cDfkuP04Z2zw6+6oWxI1511kb0P
urqYzpaTsCuucpOkYuI8eZ3eyp19p5XTSYBEPhYwkAHgR+OcatPzswAo2ta6tq6d1NSaFsPqGEbW
Nvp12mtnF0UBGlmpmMiC0jQ/ZKGLnnnNDl+NnGkUOCkBt/E8BaWcGNVEYpKY4Htb4QYwPAhw0PdV
89meM/iiUv4JxELvAWueNJ+1bYAbHHAuRRcJmQ==</ds:SignatureValue>
  <ds:KeyInfo>
   <ds:X509Data>
    <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
    <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAYhsboSqMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMjMwNTMw
MTEzMjQxWhcNMjgwNTI4MTEzMjQxWjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
V8gIzM9+OS7bvuAKB3/hcmuwpGsrNIuaeofIDm99FwhxpH950dWVEToPv51H7WYnOWGRsxzqW262
T5sunz48NkLGTVDP1pek+3Q2gdf0Z3zon9gekIoP2NiEAZ6fFCgHRlQQOZDHVMYN+Jqb7pQOSI6H
9J4RfhXpN3IKpcQdulhnBDyRmsc5DJaH5iJT3Azn4eko</ds:X509Certificate>
   </ds:X509Data>
  </ds:KeyInfo>
 </ds:Signature>
 <saml2p:Status>
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
 </saml2p:Status>
 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_649436fe6ddc8d621813708cca9eafab0" IssueInstant="2024-02-15T10:28:23.591Z" Version="2.0">
  <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=C01sdsdxygjv</saml2:Issuer>
  <saml2:Subject>
   <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">j.doe@domain.example</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData InResponseTo="id-ud1CYTL5gdb2OwqaU" NotOnOrAfter="2024-02-15T10:33:23.591Z" Recipient="https://my.host.example/monitoring/check_mk/saml_acs.py?acs"></saml2:SubjectConfirmationData>
   </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2024-02-15T10:23:23.591Z" NotOnOrAfter="2024-02-15T10:33:23.591Z">
   <saml2:AudienceRestriction>
    <saml2:Audience>https://my.host.example/monitoring/check_mk/saml_metadata.py</saml2:Audience>
   </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
   <saml2:Attribute Name="email">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">j.doe@domain.example</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="Firstname">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">John</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="Lastname">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">Doe</saml2:AttributeValue>
   </saml2:Attribute>
  </saml2:AttributeStatement>
  <saml2:AuthnStatement AuthnInstant="2024-02-15T10:06:56.000Z" SessionIndex="_649436fe6ddc8d621813708cca9eafab0">
   <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
   </saml2:AuthnContext>
  </saml2:AuthnStatement>
 </saml2:Assertion>
</saml2p:Response>

Could anyone tell me what is wrong? Because to my knowledge the request is signed.

  1. (Optional) To indicate that your service provider requires the entire SAML authentication response to be signed, check the Signed Response box. If this is unchecked (the default), only the assertion within the response is signed.

Just quoting this from the Google documentation.
Can you untick the “Signed response” checkbox and try again?
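A quick way to see which element the IdP actually signed, as an added example (not from the original post and not Checkmk code): the script below parses a samlp:Response and reports whether an enveloped ds:Signature sits on the Response, on the Assertion, on both, or on neither, and whether each Reference URI points back at the ID of the element it lives in. The sample documents are constructed to mirror the structure of the response posted above, with placeholder digest and signature values; only the two element IDs are reused from that post. The script checks placement only and does no cryptographic verification.

```python
"""Where does the ds:Signature live in a SAML 2.0 Response?

Added example for this thread; not part of the original post or of Checkmk.
It inspects structure only (which element carries an enveloped signature and
what its Reference URI points at) and performs no cryptographic verification.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Element IDs reused from the response posted in the thread; everything else
# in the sample documents below is constructed.
RESP_ID = "_5d2461a3c9609789c1fd07eabe434351"
ASSERT_ID = "_649436fe6ddc8d621813708cca9eafab0"


def _signature_report(element):
    """Describe the ds:Signature that is a direct child of `element`, or None."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return None
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI") if ref is not None else None
    # An enveloped signature must reference the ID of the element enclosing it;
    # a Reference that points elsewhere is the first thing to check for wrapping.
    return {"reference_uri": uri, "covers_own_element": uri == f"#{element.get('ID')}"}


def analyze_response(xml_text):
    """Return signature placement for the Response and its (first) Assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    return {
        "response_id": root.get("ID"),
        "response_signature": _signature_report(root),
        "assertion_id": None if assertion is None else assertion.get("ID"),
        "assertion_signature": None if assertion is None else _signature_report(assertion),
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
    }


def diagnose(report):
    """Short verdict for the situations discussed in the thread."""
    resp, assn = report["response_signature"], report["assertion_signature"]
    if assn is not None and assn["covers_own_element"]:
        return "assertion signed"
    if resp is not None and resp["covers_own_element"]:
        # Google's "Signed response" setting yields this shape: the outer Response
        # is signed, the Assertion is not. An SP that insists on a signed Assertion
        # reports "Signature missing for assertion".
        return "only response signed"
    if resp is None and assn is None:
        return "unsigned"
    return "signature reference mismatch"


def _sig(ref_id):
    """Constructed enveloped-signature skeleton with placeholder values."""
    return (
        f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        f'<ds:Reference URI="#{ref_id}"><ds:Transforms>'
        '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
        '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>'
        '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    )


def sample_response(sign_response, sign_assertion):
    """Constructed Response shaped like the posted one, with the signature on the
    Response, on the Assertion, on both, or on neither."""
    resp_sig = _sig(RESP_ID) if sign_response else ""
    assn_sig = _sig(ASSERT_ID) if sign_assertion else ""
    return (
        f'<saml2p:Response xmlns:saml2p="{NS["samlp"]}" xmlns:saml2="{NS["saml"]}" '
        f'ID="{RESP_ID}" Version="2.0" IssueInstant="2024-02-15T10:28:23.591Z">'
        '<saml2:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml2:Issuer>'
        f'{resp_sig}'
        '<saml2p:Status><saml2p:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>'
        f'<saml2:Assertion ID="{ASSERT_ID}" Version="2.0" '
        'IssueInstant="2024-02-15T10:28:23.591Z">'
        '<saml2:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml2:Issuer>'
        f'{assn_sig}'
        '<saml2:Subject><saml2:NameID '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        'j.doe@domain.example</saml2:NameID></saml2:Subject>'
        '</saml2:Assertion></saml2p:Response>'
    )


if __name__ == "__main__":
    for flags in [(True, False), (False, True), (True, True), (False, False)]:
        print(flags, diagnose(analyze_response(sample_response(*flags))))
```

Run against the response posted above, the verdict is "only response signed": the one ds:Signature is a child of saml2p:Response and its Reference URI is the Response ID, while saml2:Assertion carries no Signature of its own. That is a policy mismatch between the IdP setting and the SP's expectation rather than a broken signature: a response-level enveloped signature does cover the Assertion as part of the Response, but whether the SP accepts that instead of an assertion-level signature depends on the SP library's configuration (the `saml2.response` logger name in the later log output suggests pysaml2 underneath, which is an inference, not something the thread states). The script also flags a Reference URI that does not match its enclosing element, which is worth looking at before trusting any response a verifier has rejected.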

Hi @chauhan_sudhir ,

After disabling the “sign” option at Google, I’m getting another error: AttributeError: User ID not found or empty

The manual on Authentication with SAML has this option enabled for Azure though?

Enabling verbose logging I see:

2024-02-16 09:42:05,992 [20] [saml2.response 193736] Subject NameID: <ns0:NameID xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">j.doe@mail.example</ns0:NameID>
-------------------------snip----------------------
2024-02-16 09:42:05,996 [10] [cmk.web.saml2 193736] Mapping User ID to field NameID
2024-02-16 09:42:05,996 [10] [cmk.web.saml2 193736] User ID not found or empty, value is: None
2024-02-16 09:42:05,996 [30] [cmk.web.saml2 193736] Google (GoogleWorkspace) - AttributeError: User ID not found or empty
2024-02-16 09:42:05,996 [10] [cmk.web.saml2 193736] Authentication failed

Am I overlooking something?

Maybe just try “Email” in the User ID attribute ?

User ID not found or empty
Are you sure you have such an attribute in your Google Workspace authentication?

I found the solution in Setup SAML with Google Workspace - #11 by pauloadriano
