SAML login was unsuccessful because an error occurred while decrypting the response


#1

I am currently attempting to get SAML authentication set up w/ my internal identity provider. I have everything configured and a properly formatted SAML response is returned from the Identity Provider, but I get the following error in the UI:

Error. SAML login was unsuccessful because an error occurred while decrypting the response from the Identity Provider. Please contact your System Administrator.

And the corresponding error in the logs:
[2018/05/12 04:10:51 UTC] [EROR] /login/sso/saml:SamlInterfaceImpl.DoLogin code=302 rid=xxxxxxxxxxxxx uid= ip=xx.xx.xx.xx SAML login was unsuccessful because an error occurred while decrypting the response from the Identity Provider. Please contact your System Administrator. [details: err=exit status 1 : ]

Is there any way to dig more into what is generating the errors? I have everything set to DEBUG level; however, there seem to be no additional logs that can disambiguate the decryption error that is occurring.

I have installed the xmlsec1 package on the host and am running version 4.9.0. This is running on RHEL 6.5.

Any suggestions on this would be appreciated!


#2

I just ran into this yesterday with another customer, and filed https://mattermost.atlassian.net/browse/MM-10595 to fix the xmlsec1 STDERR logging.

If you had the ability to extract the SAML exchange, you might be able to run the xmlsec1 command manually in a bid to see the raw STDERR output. I’ve had some good success with Burp Suite (Community Edition) to intercept requests, but I’ve only used the tool lightly.


#3

Thanks, Jesse. The issue ended up being the IdP returning keys with a peer key placement, rather than inline. Thanks for logging the issue!
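The root cause in #3 (the EncryptedKey emitted as a peer of EncryptedData instead of inline under its KeyInfo) can be checked without xmlsec1 or a debugger. The following added script is not from the thread or from Mattermost; it parses a captured SAML response and reports the key placement. The sample responses are constructed with dummy CipherValue content, and the element layout assumed is the standard XML Encryption structure used by SAML 2.0 EncryptedAssertion.

```python
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 response with an EncryptedAssertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def key_placement(response_xml: str) -> str:
    """Classify where the EncryptedKey of the EncryptedAssertion sits.

    "inline": EncryptedKey inside EncryptedData/KeyInfo (what the SP expected)
    "peer":   EncryptedKey is a sibling of EncryptedData (the case in #3)
    "unencrypted": plain Assertion, nothing to decrypt
    "none":   no EncryptedKey found at all
    """
    root = ET.fromstring(response_xml)
    enc = root.find(".//saml:EncryptedAssertion", NS)
    if enc is None:
        return "unencrypted" if root.find(".//saml:Assertion", NS) is not None else "none"
    data = enc.find("xenc:EncryptedData", NS)
    if data is not None and data.find("ds:KeyInfo/xenc:EncryptedKey", NS) is not None:
        return "inline"
    if enc.find("xenc:EncryptedKey", NS) is not None:
        return "peer"
    return "none"

def sample_response(placement: str) -> str:
    """Constructed minimal response (dummy cipher text) in the requested layout."""
    key = ('<xenc:EncryptedKey Id="k1"><xenc:EncryptionMethod '
           'Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>'
           '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
           '</xenc:EncryptedKey>')
    # Peer placement typically leaves only a RetrievalMethod pointer in KeyInfo.
    keyinfo = (f"<ds:KeyInfo>{key}</ds:KeyInfo>" if placement == "inline" else
               '<ds:KeyInfo><ds:RetrievalMethod URI="#k1" '
               'Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/></ds:KeyInfo>')
    peer = key if placement == "peer" else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:xenc="{NS["xenc"]}" xmlns:ds="{NS["ds"]}"><saml:EncryptedAssertion>'
            '<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
            '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>'
            f'{keyinfo}<xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue>'
            f'</xenc:CipherData></xenc:EncryptedData>{peer}'
            '</saml:EncryptedAssertion></samlp:Response>')

if __name__ == "__main__":
    for layout in ("inline", "peer"):
        print(layout, "->", key_placement(sample_response(layout)))
```

Run it against a decoded (base64-decoded, non-deflated) SAMLResponse captured from the browser; a "peer" result points at the IdP's key placement setting rather than at the SP's certificate or xmlsec1 install.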