使用SAML和身份提供程序（IdP）时遇到困难

Question

I'm not sure how to state this question since I don't know exactly what the problem is.

There is a third party company that functions as the SP of a SSO structure.

They have little documentation on setting up a IdP to make SSO work with them, and I have never done anything like this before.

I set up a certificate that I'm using to generate the digital signature for the SAML, and uploaded the very same key to this company's website so that they can understand the response from my IdP.

When I send the SAML response to them though, I'm getting a generic error saying that the SSO response was invalid. Looking at their documentation, the description for this error is:

We were unable to validate the SAML response. This can be caused by an invalid digital signature, possibly due to non-matching public/private keys between the IdP and SP. It can also be caused by an invalid Audience or Valid Time Window (NotBefore and NotOnOrAfter) specified in the response.

What I'm more concerned about is the "invalid digital signature", because looking at the SAML response I'm sending, the audience is what they require it to be, the time window is fine, and I'm sure I'm using the same key for generating the SAML and also for the one I sent them.

I might be wrong about a bunch of things, but my question is, how do I make sure my digital signature is valid and properly formatted and formed?

If you are an SAML expert, see if my SAML looks reasonable:

Tried to post SAML here, didn't work, but if you think that looking at it would be useful let me know.

I'm using WIF to generate the SAML, and I was wondering if the digest and signature algorithms would affect this error.

Well, any help and thoughts are welcome!

Answer 1

您不应该使用SP的公钥来加密发送到SP的信息吗？