
Single sign on configuration is stuck at "Validation" step.

AK
Mentor

Hi Team,

 

Can you help? Our SSO configuration is stuck at the "Validation" step.

 

There is a message on the configuration page: "SAML response and assertion is signed/unsigned?"

 

How do I check if the entire SAML message is signed or not? I have the SAML tracer extension installed. I need to go back to the IdP admin and show them evidence that the SAML message received from the IdP is not signed completely. I'm assuming here that the SAML message received from the IdP is not fully signed and Dynatrace is showing the above message.

 

Has anyone encountered a similar issue? Please help.

 

Regards,

AK


kajetan_k
Dynatracer

Hi,
you need to check if there is a <ds:Signature> element right under the <samlp:Response> element.
If not, it means that the whole Response (whole SAML message) is not signed.

Please note that if a <ds:Signature> element is only under <saml:Assertion>, then only the assertion is signed, which is not enough for Dynatrace SSO.
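
The check described in the reply above, as an added example that is not part of the original thread and is not Dynatrace code: it takes the base64 `SAMLResponse` form value (assumed to be copied from an HTTP-POST binding capture such as SAML-tracer) and reports whether a `<ds:Signature>` sits directly under `<samlp:Response>`, under each `<saml:Assertion>`, or both. The sample messages, IDs and issuer URL are constructed placeholders; the script checks signature placement and the Reference URI only, not cryptographic validity.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def covers(element):
    """True if element has a direct <ds:Signature> child whose Reference URI is '#<element ID>'."""
    sig = element.find("ds:Signature", NS)  # direct children only, not descendants
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + element.get("ID", "")

def signature_placement(saml_response_b64):
    """Structural check only: where the signatures sit, not whether they verify."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes:  # SAML messages carry no DTD; refuse rather than parse one
        raise ValueError("unexpected DOCTYPE in SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    return {
        "response_signed": covers(root),
        "assertions_signed": [covers(a) for a in root.findall("saml:Assertion", NS)],
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

# Constructed sample messages (placeholder IDs and issuer, no real signature values).
def _sig(ref_id):
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>' % ref_id)

def _sample(sign_response):
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_resp1">'
           '<saml:Issuer>https://idp.example.test</saml:Issuer>%s<saml:Assertion ID="_assert1">'
           '<saml:Issuer>https://idp.example.test</saml:Issuer>%s</saml:Assertion></samlp:Response>'
           ) % (NS["samlp"], NS["saml"], NS["ds"],
                _sig("_resp1") if sign_response else "", _sig("_assert1"))
    return base64.b64encode(xml.encode()).decode()

ASSERTION_ONLY = _sample(sign_response=False)
RESPONSE_AND_ASSERTION = _sample(sign_response=True)

if __name__ == "__main__":
    for sample in (ASSERTION_ONLY, RESPONSE_AND_ASSERTION):
        print(signature_placement(sample))
```

A result with `response_signed` false and `assertions_signed` true is the assertion-only case the reply describes.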

@kajetan_k, adding a screenshot of the SAML response for https://sso.dynatrace.com/saml2/sp/consumer

I can see <ds:Signature> is showing under the assertion. Can you also see the same in the screenshot?

 

Regards,

AK

@AK, yes, in the screenshot the <ds:Signature> element is under the assertion, which is wrong - that means that the customer IdP is set to sign only assertions.

Dynatrace SSO requires that the whole message (<samlp:Response>) is signed.

@kajetan_k, the IdP team is signing assertions and sending them out. They are saying we need to upload the cert at the SP (Dynatrace) side to decrypt the request. Any idea if we can do it? I don't see anything like a certificate upload. Can you please help?

 

Regards,

AK

@AK, I'm not sure that I understand the request. Please advise the customer to read https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and... and if something is not clear, to contact Dynatrace Support.

AK
Mentor

@kajetan_k,

You were right. The Response (whole SAML message) is not signed. Validation was successful after enabling the signature for the response as well.

Thank you for your help.

 

Regards,

AK