
SAML response signature missing

I am trying to implement SAML2 SSO and I am getting an error: saml2.sigver.SignatureError: Signature missing for response. I am using djangosaml2, which in turn uses pysaml2. It seems to hit an issue when looking for the signature: https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/sigver.py#L1648

Looks like it is trying to find the signature in the Response attributes, however my IDP returns no signature in the response attributes, however signature can be found in the response as its own element ns2:Signature.

Should I be asking my IDP to provide me a different response, or am I missing a configuration option on my side?

Login process started
Trying binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for IDP None
Redirecting user to the IdP via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding.
Saving the session_id in the OutstandingQueries cache
Invalid or malformed SAML Assertion.
Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/djangosaml2/views.py", line 271, in assertion_consumer_service
    response = client.parse_authn_request_response(xmlstr, BINDING_HTTP_POST, outstanding_queries)
  File "/usr/local/lib/python3.4/dist-packages/saml2/client_base.py", line 712, in parse_authn_request_response
    binding, **kwargs)
  File "/usr/local/lib/python3.4/dist-packages/saml2/entity.py", line 1150, in _parse_response
    response = response.loads(xmlstr, False, origxml=xmlstr)
  File "/usr/local/lib/python3.4/dist-packages/saml2/response.py", line 520, in loads
    self._loads(xmldata, decode, origxml)
  File "/usr/local/lib/python3.4/dist-packages/saml2/response.py", line 342, in _loads
    **args)
  File "/usr/local/lib/python3.4/dist-packages/saml2/sigver.py", line 1648, in correctly_signed_response
    raise SignatureError('Signature missing for response')
saml2.sigver.SignatureError: Signature missing for response

SAML Response:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="..." ID="..." InResponseTo="..." IssueInstant="2018-12-07T10:31:48Z" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="..." IssueInstant="2018-12-07T10:31:48Z" Version="2.0">
        <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...</saml:Issuer>
        <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:SignedInfo>
                <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <dsig:Reference URI="...">
                    <dsig:Transforms>
                        <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </dsig:Transforms>
                    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <dsig:DigestValue>...</dsig:DigestValue>
                </dsig:Reference>
            </dsig:SignedInfo>
            <dsig:SignatureValue>...</dsig:SignatureValue>
            <dsig:KeyInfo>
                <dsig:X509Data>
                    <dsig:X509Certificate>...</dsig:X509Certificate>
                </dsig:X509Data>
            </dsig:KeyInfo>
        </dsig:Signature>
        ...
        ...
    </saml:Assertion>
</samlp:Response>
user3770935 asked Sep 17 '25 08:09


1 Answer

Following the comment by Bernhard, I needed to set "want_response_signed": False

SAML_CONFIG = {
    'service': {
        'sp': {
            # Do not require a signature on the samlp:Response element itself
            'want_response_signed': False,
            # ...
        },
    },
    # ...
}
user3770935 answered Sep 19 '25 23:09
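
To see where an IdP places the signature before relaxing want_response_signed, the following added example (not part of the original question or answer, and not pysaml2 code) reports whether a ds:Signature sits on the Response or on each Assertion, and whether its Reference URI points at the ID of the enclosing element. The helper names signature_placement and satisfies are hypothetical, want_assertions_signed is the pysaml2 SP option that requires signed assertions, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _signed(elem):
    """Direct-child ds:Signature whose Reference URI is '#<ID of elem>'."""
    ref = elem.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + elem.get("ID", "")

def signature_placement(xml_text):
    """Structural report only; no cryptographic verification is done here."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {"response_signed": _signed(root),
            "assertions": len(assertions),
            "assertions_signed": sum(_signed(a) for a in assertions)}

def satisfies(report, want_response_signed, want_assertions_signed):
    """Does this signature layout meet the SP's signing requirements?"""
    if want_response_signed and not report["response_signed"]:
        return False
    if want_assertions_signed:
        # Encrypted assertions are not visible here and count as unmet.
        return 0 < report["assertions"] == report["assertions_signed"]
    return True

# Constructed sample with the same layout as the response in the question:
# the signature is a child of saml:Assertion, not of samlp:Response.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <dsig:Signature><dsig:SignedInfo>
      <dsig:Reference URI="#_a1"/>
    </dsig:SignedInfo></dsig:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    report = signature_placement(SAMPLE)
    print(report, satisfies(report, True, True), satisfies(report, False, True))
```

For the layout in the question the signature is on the assertion only, so with want_response_signed set to False the assertion signature is the only integrity check left; keeping want_assertions_signed set to True preserves it.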