Received invalid SAML response: Signature validation failed. SAML Response rejected


Platform notice: Server and Data Center only - This article applies only to Atlassian products on the Server and Data Center platforms.

Problem

After setting up SAML using the built-in SAML plugin in Confluence Data Center, your users are unable to authenticate and log in, and receive the following message in the browser:

  • We had trouble logging you in. We can't log you in right now. This may be for a variety of reasons, we suggest trying again. If that doesn't work, contact your Confluence administrator for help.

Diagnosis

Environment

  • Confluence Data Center 6.1.x and above
  • Using the built-in SAML plugin
  • Users cannot log in after setting up SAML in Confluence and in the IdP

Log Messages

  • After the first failed attempt, where you receive the error shown above, add logging for com.atlassian.plugins.authentication with a level of ALL, then reproduce the issue in your browser.
  • You should see something similar to this error (your IdP URL will vary) in <confluence-home>/logs/atlassian-confluence.log:

    ERROR ... Received invalid SAML response: Signature validation failed. SAML Response rejected
    -- referer: http://example.com/pingfederate/idp/startSSO.ping?PartnerSpId=https://confluence.example.com | url: /plugins/servlet/samlconsumer | traceId: d8d652948ef10fa1 | userName: anonymous
    com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: Signature validation failed. SAML Response rejected

Cause

There are two possible causes:

Cause 1

Mismatch with the X509 certificate used for signing (the certificate configured in Confluence doesn't match the one used by the IdP).

Cause 2

The IdP's default is to sign the entire response. The SAML module that Confluence uses expects only the assertion portion of the SAML response to be signed.

Solution

For cause #1:

Check that the X509 certificate configured in Confluence is the same as the one the IdP uses, which you can retrieve from the SAML response or directly from the IdP. If they don't match, update the SAML configuration in Confluence with the correct certificate.

For cause #2:

In federation systems, the IdP has the ability to sign the entire response or just the assertion portion of the response (see screenshot below). Configure the IdP to sign only the assertion portion of the SAML response.

Example from PingFederate: (screenshot not reproduced here)
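The following is an added diagnostic script, not part of this article and not the Confluence SAML plugin's own validation code. It takes a base64-encoded SAML response and the certificate configured in Confluence, then reports both conditions described above: whether the ds:Signature sits on the Response (cause 2) rather than the Assertion, and whether the embedded certificate's fingerprint matches the configured one (cause 1). The sample response and certificate bytes are constructed placeholders, not real IdP data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes inside a <ds:X509Certificate> (PEM line breaks stripped)."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()

def inspect_saml_response(response_b64: str, configured_cert_b64: str) -> dict:
    """Check where the signature sits and whether the embedded cert matches the configured one."""
    root = ET.fromstring(base64.b64decode(response_b64))
    # Cause 2: a ds:Signature directly under samlp:Response means the whole response is signed;
    # Confluence's SAML module expects the signature under saml:Assertion instead.
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = root.find("saml:Assertion/ds:Signature", NS) is not None
    # Cause 1: every certificate the IdP embedded must match the one configured in Confluence.
    embedded = [c.text for c in root.iter("{%s}X509Certificate" % NS["ds"]) if c.text]
    expected = cert_fingerprint(configured_cert_b64)
    cert_match = bool(embedded) and all(cert_fingerprint(c) == expected for c in embedded)
    causes = []
    if not cert_match:
        causes.append("cause 1: certificate in the response does not match the configured one")
    if response_signed and not assertion_signed:
        causes.append("cause 2: IdP signed the whole Response, not the Assertion")
    return {"response_signed": response_signed, "assertion_signed": assertion_signed,
            "cert_match": cert_match, "likely_causes": causes}

# Constructed sample data: placeholder bytes stand in for DER certificates, and the XML is a
# structural skeleton (no SignedInfo/SignatureValue) that only models where the signature sits.
IDP_CERT_B64 = base64.b64encode(b"CONSTRUCTED PLACEHOLDER, NOT A CERTIFICATE (idp)").decode()
CONFIGURED_CERT_B64 = base64.b64encode(b"CONSTRUCTED PLACEHOLDER, NOT A CERTIFICATE (wrong)").decode()
SAMPLE_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com</saml:Issuer></saml:Assertion>
</samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    for line in inspect_saml_response(SAMPLE_RESPONSE_B64, CONFIGURED_CERT_B64)["likely_causes"]:
        print(line)
```

To run it against a real failure, paste the SAMLResponse value captured from the browser's POST to /plugins/servlet/samlconsumer and the certificate from the Confluence SAML configuration in place of the constructed values.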


Last updated: May 10, 2021
