Related to #194
During certificate renewal at the entra endpoint, multiple certificates will be present in the metadata, and will be cached in the federation_metadata url:
```json
{
"updated": "2025-09-05T15:26:04+02:00",
"entity_id": "https:\/\/sts.windows.net\/02bedb7d-074e-4f81-bfcd-502700553074\/",
"sso_location": "https:\/\/login.microsoftonline.com\/02bedb7d-074e-4f81-bfcd-502700553074\/saml2",
"certificates": [
"MIIC8DCCAdigAwIBAgIQKVtnSWeKXbNFYenJBEtWaTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yNTA5MDMwODU2MzJaFw0yODA5MDMwODU2MzJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2vC3or64bwNKIjQGV4iHC0UAsVCxcBHsMBp\/GaB9\/NB7cbBCXyKMN7vKuR0eaAb2BQjd9+ss7FOWL22j6h2zxWL8qiw6URf3z2HQF+th0Tf31vLngIVYAJ\/5xDpRx8Ogb2Ld+CHxB2Ph38IMUDMTmL6Iw1NIR4OdictyMO36CO2MMjaCCpaCDWN53lCxLkUTqNGBNqOMWy8DAUexefRAs49Z\/V6xNFLSJekviI9seAWJxfQlbdKPlRs\/b6\/6mFUAupurTnYr3+3lzlQEAyjTtpx9ihmLsIPuD21bsjB\/cgTHrEZdxWeHQvXS4cnNF0MHyyvKb67qiGbTeCJOl9bNQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCOSASVPfb1sWy+cE8U74uJHtlelr8\/TCjtRgG9iB41OVEsh590c\/gCLQLk8RGUaAtbz0927uJSatcTEdoKdGf9TNi9kcFK7keiFdP1czCXH\/oVNpYlC1j8OF1gY0J6BvuiED+U4xurtyVaJsnTdhzzkZsHzDb4q+RSyJMajMa77Fnvq7BJ5WlOPLrZlGUTuHaDLQJcCdvJiEJFxaGEVAldBXYY1iZb24WMe6j2jQI0S8wHjGkpmabOlShcUKdgi5dxsTkHyvTDPjNg7jw7TztifJP8X\/bGtVFdpJ8AK4PAuBq\/MHcdXlvLUx1icLfaqUhEdnaV68Gij0pOK35eSavb",
"MIIC8DCCAdigAwIBAgIQV5f3vqfFWKtKxSnvuMlgvzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yNTA5MDUxMzIyNDBaFw0yODA5MDUxMzIyMzJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9MZ7PdFuuJDE\/jFBN6JdfoSb2LS5uBPNS3My8V7TtcG+pGa4Ty5WP2Y0JbRPEMrN+ddccTlb0Elk\/eA7mnXyElqo8ktfPCcuA26ek9hBnassyC\/5jE9TShO2YVGZsRC0dbigBGGVzmhsiiWz\/pRgBdt5bMYlJJmV02Cl2uD7may7yRfeIqv9SW9OJG58Q5hvyxVWeR2T79as9nOn\/XqdM+p\/KYjkzMsB1Mx10zCBV1+0BxNe9raAJibA2JoAFhiZ01KrFeqcRUjR619WxqToVLOr4sC\/00KQufuKROD34XzC1+HQPbn\/7Q1zVXvjiKmGA33QrzOc9CmtTwKwtghpcQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDIfAX12Ee72yN3qzl4xl1EuwhveWIKGpqeJ15JZ0yCQy6zCJCiBzFMbBU4PeO4aE95vHk1dD2mIZfjA3\/TFeZ8VuyIL2M7e18LBxrJHIwq8UxNhch7yoh0K2FMXAIMFxvbuxjU1qznQRJLNt+9idWg7QFv+0sAEWP2CAY4jLTHie1ZWLFndwzRnPFOX52S2py2OxpRdT1XKwLyynCU3DuwW\/xIziGrNSKbouUV4StrlEwh7YBE+vi6EBAVb4F6BHWavNfhEy57Jt0GkSpmPNb+U5xxhbajPoomWRaLeNx\/O8wHdABflhyKndUh1aysRdkCb4FEDzgcej\/boHazuP9s"
],
"is_azure_ad": true
}
```
All these certificates should be used when validating the assertion. Currently only #0 is used for validation:
```
Sep 5 15:26:04 docker1.test2.ams.surfconext.nl azuremfa[905]: {"message":"Caching identity provider for institution: peulmeul.onmicrosoft.com with values https://sts.windows.net/02bedb7d-074e-4f81-bfcd-502700553074/, https://login.microsoftonline.com/02bedb7d-074e-4f81-bfcd-502700553074/saml2, MIIC8DCCAdigAwIBAgIQKVtnSWeKXbNFYenJBEtWaTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yNTA5MDMwODU2MzJaFw0yODA5MDMwODU2MzJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2vC3or64bwNKIjQGV4iHC0UAsVCxcBHsMBp/GaB9/NB7cbBCXyKMN7vKuR0eaAb2BQjd9+ss7FOWL22j6h2zxWL8qiw6URf3z2HQF+th0Tf31vLngIVYAJ/5xDpRx8Ogb2Ld+CHxB2Ph38IMUDMTmL6Iw1NIR4OdictyMO36CO2MMjaCCpaCDWN53lCxLkUTqNGBNqOMWy8DAUexefRAs49Z/V6xNFLSJekviI9seAWJxfQlbdKPlRs/b6/6mFUAupurTnYr3+3lzlQEAyjTtpx9ihmLsIPuD21bsjB/cgTHrEZdxWeHQvXS4cnNF0MHyyvKb67qiGbTeCJOl9bNQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCOSASVPfb1sWy+cE8U74uJHtlelr8/TCjtRgG9iB41OVEsh590c/gCLQLk8RGUaAtbz0927uJSatcTEdoKdGf9TNi9kcFK7keiFdP1czCXH/oVNpYlC1j8OF1gY0J6BvuiED+U4xurtyVaJsnTdhzzkZsHzDb4q+RSyJMajMa77Fnvq7BJ5WlOPLrZlGUTuHaDLQJcCdvJiEJFxaGEVAldBXYY1iZb24WMe6j2jQI0S8wHjGkpmabOlShcUKdgi5dxsTkHyvTDPjNg7jw7TztifJP8X/bGtVFdpJ8AK4PAuBq/MHcdXlvLUx1icLfaqUhEdnaV68Gij0pOK35eSavb 
MIIC8DCCAdigAwIBAgIQV5f3vqfFWKtKxSnvuMlgvzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yNTA5MDUxMzIyNDBaFw0yODA5MDUxMzIyMzJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9MZ7PdFuuJDE/jFBN6JdfoSb2LS5uBPNS3My8V7TtcG+pGa4Ty5WP2Y0JbRPEMrN+ddccTlb0Elk/eA7mnXyElqo8ktfPCcuA26ek9hBnassyC/5jE9TShO2YVGZsRC0dbigBGGVzmhsiiWz/pRgBdt5bMYlJJmV02Cl2uD7may7yRfeIqv9SW9OJG58Q5hvyxVWeR2T79as9nOn/XqdM+p/KYjkzMsB1Mx10zCBV1+0BxNe9raAJibA2JoAFhiZ01KrFeqcRUjR619WxqToVLOr4sC/00KQufuKROD34XzC1+HQPbn/7Q1zVXvjiKmGA33QrzOc9CmtTwKwtghpcQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDIfAX12Ee72yN3qzl4xl1EuwhveWIKGpqeJ15JZ0yCQy6zCJCiBzFMbBU4PeO4aE95vHk1dD2mIZfjA3/TFeZ8VuyIL2M7e18LBxrJHIwq8UxNhch7yoh0K2FMXAIMFxvbuxjU1qznQRJLNt+9idWg7QFv+0sAEWP2CAY4jLTHie1ZWLFndwzRnPFOX52S2py2OxpRdT1XKwLyynCU3DuwW/xIziGrNSKbouUV4StrlEwh7YBE+vi6EBAVb4F6BHWavNfhEy57Jt0GkSpmPNb+U5xxhbajPoomWRaLeNx/O8wHdABflhyKndUh1aysRdkCb4FEDzgcej/boHazuP9s","context":{},"level":200,"level_name":"INFO","channel":"app","datetime":"2025-09-05T15:26:04+02:00","extra":{"server":"azuremfa.test2.surfconext.nl","application":"azure-mfa","request_id":"9604ca8d53c9c9284f7a7515dba25182"}}
Sep 5 15:26:04 docker1.test2.ams.surfconext.nl azuremfa[905]: {"message":"Reprocess the SAML Response after updating the metadata","context":{},"level":200,"level_name":"INFO","channel":"app","datetime":"2025-09-05T15:26:04+02:00","extra":{"server":"azuremfa.test2.surfconext.nl","application":"azure-mfa","request_id":"9604ca8d53c9c9284f7a7515dba25182"}}
Sep 5 15:26:04 docker1.test2.ams.surfconext.nl azuremfa[905]: {"message":"SAMLResponse with id \"_8fcb0cd7-10b9-45ee-859d-f625ae7b99a6\" was not signed at root level, not attempting to verify the signature of the reponse itself","context":{},"level":200,"level_name":"INFO","channel":"app","datetime":"2025-09-05T15:26:04+02:00","extra":{"server":"azuremfa.test2.surfconext.nl","application":"azure-mfa","request_id":"9604ca8d53c9c9284f7a7515dba25182"}}
Sep 5 15:26:04 docker1.test2.ams.surfconext.nl azuremfa[905]: {"message":"Verifying signature of Assertion with id \"_ee608cee-4a65-4863-a9d2-5705d9db4300\"","context":{},"level":200,"level_name":"INFO","channel":"app","datetime":"2025-09-05T15:26:04+02:00","extra":{"server":"azuremfa.test2.surfconext.nl","application":"azure-mfa","request_id":"9604ca8d53c9c9284f7a7515dba25182"}}
Sep 5 15:26:04 docker1.test2.ams.surfconext.nl azuremfa[905]: {"message":"Validating the signed element with validator of type \"SAML2\\Signature\\PublicKeyValidator\"","context":{},"level":100,"level_name":"DEBUG","channel":"app","datetime":"2025-09-05T15:26:04+02:00","extra":{"server":"azuremfa.test2.surfconext.nl","application":"azure-mfa","request_id":"9604ca8d53c9c9284f7a7515dba25182"}}
Sep 5 15:26:04 docker1.test2.ams.surfconext.nl azuremfa[905]: {"message":"Validation with key \"#0\" failed with exception: Unable to validate Signature","context":{},"level":100,"level_name":"DEBUG","channel":"app","datetime":"2025-09-05T15:26:04+02:00","extra":{"server":"azuremfa.test2.surfconext.nl","application":"azure-mfa","request_id":"9604ca8d53c9c9284f7a7515dba25182"}}
Sep 5 15:26:04 docker1.test2.ams.surfconext.nl azuremfa[905]: {"message":"The authentication or registration failed. Rejecting the Azure MFA response. Error message: \"Unable to validate Signature\"","context":{},"level":400,"level_name":"ERROR","channel":"app","datetime":"2025-09-05T15:26:04+02:00","extra":{"server":"azuremfa.test2.surfconext.nl","application":"azure-mfa","request_id":"9604ca8d53c9c9284f7a7515dba25182"}}
```
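As an added example (not the azure-mfa project's own code), the rotation-aware behaviour the issue asks for: read every certificate from the cached federation metadata and try each one when verifying the assertion signature, logging which key succeeded, instead of stopping at #0. The metadata document and the HMAC-based `demo_verifier` are constructed stand-ins for the real cache and the XML-DSig check; only the candidate loop is the point.

```python
"""Rotation-aware assertion verification (added example, not azure-mfa code)."""
import hashlib
import hmac
import json
import logging
from typing import Callable, Sequence

# Constructed metadata cache with the same shape as the federation_metadata
# document in the issue; certificate values are placeholders, not real DER.
FEDERATION_METADATA = json.dumps({
    "updated": "2025-09-05T15:26:04+02:00",
    "entity_id": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
    "sso_location": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2",
    "certificates": ["CERT-OLD-PLACEHOLDER", "CERT-NEW-PLACEHOLDER"],
    "is_azure_ad": True,
})

# A verifier answers: does this certificate validate this signed assertion?
Verifier = Callable[[str, bytes], bool]


def signing_certificates(metadata_json: str) -> list[str]:
    """Return every certificate the IdP publishes, in metadata order.
    Keeping only index 0 is exactly the behaviour the issue reports."""
    certs = json.loads(metadata_json).get("certificates") or []
    if not certs:
        raise ValueError("metadata carries no signing certificates")
    return list(certs)


def verify_with_any(assertion: bytes, certs: Sequence[str], verify: Verifier) -> int:
    """Try each published certificate until one validates the assertion.
    Returns the index that succeeded; raises when none does."""
    for index, cert in enumerate(certs):
        if verify(cert, assertion):
            if index != 0:  # worth surfacing: the IdP has rotated its key
                logging.warning("assertion validated with key #%d, not #0", index)
            return index
        logging.debug('Validation with key "#%d" failed', index)
    raise ValueError(f"Unable to validate Signature with any of {len(certs)} keys")


# Stand-in for XML-DSig in this offline demo: a 32-byte HMAC tag keyed on the
# certificate string is appended to the assertion payload.
def _tag(cert: str, payload: bytes) -> bytes:
    return hmac.new(cert.encode(), payload, hashlib.sha256).digest()

def make_demo_assertion(cert: str, payload: bytes) -> bytes:
    return payload + _tag(cert, payload)

def demo_verifier(cert: str, assertion: bytes) -> bool:
    payload, tag = assertion[:-32], assertion[-32:]
    return hmac.compare_digest(_tag(cert, payload), tag)
```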