28 Jan 2022 12:51 AM - last edited on 31 Jan 2022 02:23 AM by MaciejNeumann
Can you help? Our SSO configuration is stuck at "Validation" step.
There is message on configuration page "SAML response and assertion is signed/unsigned?"
How do I check if Entire SAML message is signed or nor? I have SAML tracer extension installed. I need to go back to Idp admin and show them an evidence that, SAML message received from Idp is not signed completely. I'm assuming here, the SAML message received from Idp is not fully signed and dynatrace not is showing the above message.
Has anyone encountered with similar issue? Please help.
Solved! Go to Solution.
you need to check if there is a <ds:Signature> element right under <samlp:Response> element.
If not, it means, that the whole Response (whole SAML message) is not signed.
Please note, that if a <ds:Signature> element is only under <saml:Assertion>, then only assertion is signed which is not enough for Dynatrace SSO.
@kajetan_k, adding screenshot of SAML response for https://sso.dynatrace.com/saml2/sp/consumer
I can see <ds:Signature> is showing under assertion. Can you also see the same in screenshot?
@AK, yes, in the screenshot <ds:Signature> element is under assertion which is wrong - that means that the customer IDP is set to sign only assertions.
Dynatrace SSO requires that the whole message (<samlp:Response>) is signed.
@kajetan_k, Idp team signing assertions and sending out. They are saying, we need to upload the cert at SP (Dynatrace) side to decrypt the request. Any idea if we can do it? I don't see anything like certificate upload. Can you please help.
@AK , I'm not sure that I understand the request. Please advise the customer to read https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and... and if something is not clear, to contact Dynatrace Support.
You were right. Response (whole SAML message) is not signed. Validation was successful, after enabling the signature for response as well.
Thank you for your help.