WebLogic 12.2.1.4 throws [Security:096525]Signature required but assertion is not signed. SAML2

Luis Rodriguez Fernandez Member Posts: 108 Blue Ribbon
edited March 30 in WebLogic

Hello there,

I have WebLogic 12.2.1.4 configured as a Service Provider [1]. My Identity Provider [2] sends the response using rsa-sha256 as the signature method, see this gist [3]. I've seen a similar problem in the support portal [4]. This WebLogic version should be using SHA-256 for signing the auth requests and responses, shouldn't it understand SHA256 signatures then? I must be missing something...

Any thoughts on this?

Thanks in advance,

Luis


[1] https://docs.oracle.com/en/middleware/fusion-middleware/weblogic-server/12.2.1.4/wlach/taskhelp/security/ConfigureSAML20ServiceProviderServices.html

[2] https://www.keycloak.org/

[3] https://gist.github.com/lurodrig/5e2959779d4d53b092d45d7ff46a8eaf

[4] https://support.oracle.com/knowledge/Middleware/2386440_1.html

Answers

  • Luis Rodriguez Fernandez
    Luis Rodriguez Fernandez Member Posts: 108 Blue Ribbon

    Hello there,

    It turns out that it is nothing to do with the SHA-256 algorithm as such, but where the signature is located inside the SAMLResponse. The "Only Accept Signed Assertions" flag does what it promises, so if the signature is not inside of the <Assertion> element of the response, WebLogic will not accept it.

    Conclusion: 12.2.1.4 works perfectly with SHA-256 signatures.

    Hope it helps,

    Luis
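
To see which case a given response falls into, the following added example (not part of the original posts and not WebLogic or Keycloak code) reports where `ds:Signature` elements sit in a base64-encoded SAMLResponse. The sample message, its IDs and issuer URL, and the function names are constructed for illustration; the script checks location only and does not verify the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: rsa-sha256 signature on the Response, Assertion unsigned.
SAMPLE = base64.b64encode(b"""<samlp:Response ID="_resp1"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_resp1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_assert1"><saml:Issuer>https://idp.example.test</saml:Issuer></saml:Assertion>
</samlp:Response>""")

def _describe(elem):
    """Facts about a ds:Signature that is a direct child of elem, or None."""
    sig = elem.find("ds:Signature", NS)  # direct children only, not descendants
    if sig is None:
        return None
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    return {
        "algorithm": method.get("Algorithm") if method is not None else None,
        # True when the Reference URI is "#<ID of the parent element>".
        "covers_parent": uri == "#" + elem.get("ID", ""),
    }

def signature_locations(saml_response_b64):
    """Report Response-level and Assertion-level signatures (location only)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return {
        "response": _describe(root),
        "assertions": [_describe(a) for a in root.findall("saml:Assertion", NS)],
    }

def all_assertions_signed(report):
    """Model of the requirement described above: each Assertion carries its own signature."""
    found = report["assertions"]
    return bool(found) and all(a is not None and a["covers_parent"] for a in found)
```

For the constructed sample, `signature_locations(SAMPLE)` shows an rsa-sha256 signature on the Response and none on the Assertion, so `all_assertions_signed` returns `False` even though the message as a whole is signed.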
