28 Jan 2022 08:51 AM - last edited on 31 Jan 2022 10:23 AM by MaciejNeumann
Hi Team,
Can you help? Our SSO configuration is stuck at the "Validation" step.
There is a message on the configuration page: "SAML response and assertion is signed/unsigned?"
How do I check if the entire SAML message is signed or not? I have the SAML tracer extension installed. I need to go back to the IdP admin and show them evidence that the SAML message received from the IdP is not signed completely. I'm assuming here that the SAML message received from the IdP is not fully signed and Dynatrace is now showing the above message.
Has anyone encountered a similar issue? Please help.
Regards,
AK
28 Jan 2022 10:28 AM
Hi,
You need to check if there is a <ds:Signature> element right under the <samlp:Response> element.
If not, it means that the whole Response (the whole SAML message) is not signed.
Please note that if a <ds:Signature> element is only under <saml:Assertion>, then only the assertion is signed, which is not enough for Dynatrace SSO.
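The check described in this answer, as an added example that is not part of the original thread and not Dynatrace's or the poster's code: it parses a SAML 2.0 Response (either the raw XML or the Base64 `SAMLResponse` POST value that the SAML tracer shows) and reports whether a `<ds:Signature>` sits directly under `<samlp:Response>`, directly under each `<saml:Assertion>`, or neither. It only locates signatures; it does not verify them cryptographically. The two SAML documents, the issuer URL and the signature values inside it are constructed for the demonstration.

```python
"""Locate XML signatures in a SAML 2.0 Response.

An enveloped XML-DSig signature is a direct child of the element it signs, so
"is the whole message signed?" means "does samlp:Response have ds:Signature as
a direct child?". A ds:Signature found only inside saml:Assertion signs the
assertion alone. This script finds signatures; it does NOT validate them.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RESPONSE_TAG = "{%s}Response" % NS["samlp"]
SIGNATURE_TAG = "{%s}Signature" % NS["ds"]


def decode_saml_response(form_value: str) -> str:
    """Decode the Base64 'SAMLResponse' POST parameter (as shown by SAML tracer) to XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def _has_direct_signature(element) -> bool:
    # Look only one level down. A descendant search (".//ds:Signature") would
    # count the assertion's signature as a response signature and give a
    # false "whole message signed" result.
    return any(child.tag == SIGNATURE_TAG for child in element)


def signature_locations(xml_text: str) -> dict:
    """Report where ds:Signature elements sit in the Response."""
    root = ET.fromstring(xml_text)
    if root.tag != RESPONSE_TAG:
        raise ValueError("root element is not samlp:Response: %s" % root.tag)
    assertions = root.findall("saml:Assertion", NS)  # direct children only
    return {
        "response_signed": _has_direct_signature(root),
        "assertions": len(assertions),
        "assertions_signed": sum(_has_direct_signature(a) for a in assertions),
    }


def meets_whole_message_requirement(xml_text: str) -> bool:
    """True only when the outer samlp:Response element itself carries a signature."""
    return signature_locations(xml_text)["response_signed"]


# Constructed sample documents (not real IdP output; signature contents are placeholders).
_SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo/><ds:SignatureValue>constructed-placeholder</ds:SignatureValue>'
        '</ds:Signature>')


def _build_response(sign_response: bool, sign_assertion: bool) -> str:
    """Build a minimal constructed SAML Response with signatures placed as requested."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">'
        '<saml:Issuer>https://idp.example.test</saml:Issuer>'
        + (_SIG if sign_response else "")
        + '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_asrt1" Version="2.0">'
        '<saml:Issuer>https://idp.example.test</saml:Issuer>'
        + (_SIG if sign_assertion else "")
        + '<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )


ASSERTION_ONLY = _build_response(sign_response=False, sign_assertion=True)
RESPONSE_AND_ASSERTION = _build_response(sign_response=True, sign_assertion=True)
UNSIGNED = _build_response(sign_response=False, sign_assertion=False)
# What the SAMLResponse form field would look like for the assertion-only case.
ASSERTION_ONLY_B64 = base64.b64encode(ASSERTION_ONLY.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for label, doc in (("assertion only", ASSERTION_ONLY),
                       ("response + assertion", RESPONSE_AND_ASSERTION),
                       ("unsigned", UNSIGNED)):
        print(label, signature_locations(doc),
              "whole message signed:", meets_whole_message_requirement(doc))
```

Paste the `SAMLResponse` value from the tracer into `decode_saml_response` and pass the result to `signature_locations`; a `response_signed: False` with `assertions_signed: 1` is exactly the "only the assertion is signed" situation this answer describes.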
28 Jan 2022 11:40 AM
@kajetan_k, adding a screenshot of the SAML response for https://sso.dynatrace.com/saml2/sp/consumer
I can see <ds:Signature> is showing under the assertion. Can you also see the same in the screenshot?
Regards,
AK
28 Jan 2022 11:53 AM - edited 28 Jan 2022 11:54 AM
@AK, yes, in the screenshot the <ds:Signature> element is under the assertion, which is wrong. That means the customer IdP is set to sign only assertions.
Dynatrace SSO requires that the whole message (<samlp:Response>) is signed.
28 Jan 2022 01:35 PM
@kajetan_k, the IdP team is signing assertions and sending them out. They are saying we need to upload the cert at the SP (Dynatrace) side to decrypt the request. Any idea if we can do it? I don't see anything like a certificate upload. Can you please help?
Regards,
AK
28 Jan 2022 01:39 PM
@AK, I'm not sure that I understand the request. Please advise the customer to read https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and... and, if something is not clear, to contact Dynatrace Support.
31 Jan 2022 11:40 AM
You were right. The Response (the whole SAML message) was not signed. Validation was successful after enabling the signature for the response as well.
Thank you for your help.
Regards,
AK