
SAML auth on joplin server using casdoor fails FAILED_TO_VERIFY_SIGNATURE: POST /api/saml #15020

@fritman1

Description


Operating system

Linux

Joplin version

server-latest Image tag 3.5.2

Desktop version info

No response

Current behaviour

  1. Send the SAML request and get redirected to my Casdoor IdP
  2. After a successful login at the IdP I get a blank page and no access to Joplin

Expected behaviour

Logging in to Joplin through SAML works without error.

Logs

FAILED_TO_VERIFY_SIGNATURE: POST /api/saml

Here are the relevant .xml files:

Configuration:

SP.xml

<?xml version="1.0"?>
<!--
  Service-provider (Joplin) metadata as pasted in the report.
  - entityID "Joplin" is the value the IdP must echo back as a <saml:Audience>;
    the pasted response does list "Joplin" among its audiences.
  - AuthnRequestsSigned="false" and WantAssertionsSigned="false": the SP neither
    signs its AuthnRequests nor asks the IdP to sign the <saml:Assertion> itself.
    The logged FAILED_TO_VERIFY_SIGNATURE is therefore presumably about the
    signature the IdP puts on the <samlp:Response> envelope, not about a missing
    assertion signature. NOTE(review): which element Joplin Server actually
    verifies is not shown on this page; confirm against the server code.
  - The AssertionConsumerService Location must match the response's Destination
    and the SubjectConfirmationData Recipient exactly; in the pasted response all
    three are https://joplin.mydomain.com/api/saml.
-->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="Joplin">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://joplin.mydomain.com/api/saml" index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

IDP.xml

<!--
  Identity-provider (Casdoor) metadata as pasted in the report. There is no XML
  declaration, so an XML 1.0 parser treats the document as UTF-8 (or UTF-16 if
  a byte-order mark is present).
  - The metadata namespace is declared on the root both as the default namespace
    and under the md: prefix, and once more on IDPSSODescriptor. Redundant but
    harmless to a namespace-aware parser, since the URI is identical each time.
  - The <KeyDescriptor use="signing"> certificate is the key the SP must use to
    verify the IdP's XML signature. It is redacted here, as is the certificate
    embedded in the response's <ds:KeyInfo>, so the two cannot be compared on
    this page. A mismatch, for instance after the IdP rotated its signing key
    without this metadata being re-imported, is one plausible cause of a
    signature-verification failure. NOTE(review): hypothesis only; not
    established by anything visible here.
  - Only the HTTP-POST binding is advertised for SingleSignOnService, and the
    IdP lists three NameID formats; the response uses emailAddress.
  - The three <Attribute> declarations (Email, DisplayName, Name, basic name
    format) correspond to the first three attributes in the pasted assertion.
-->
<EntityDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://casdoor.mydomain.com">
    <IDPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">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</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://casdoor.mydomain.com/api/saml/redirect/admin/Joplin"/>
        <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="E-Mail"/>
        <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="DisplayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="displayName"/>
        <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Name"/>
    </IDPSSODescriptor>
</EntityDescriptor>

SAML response:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://joplin.mydomain.com/api/saml" ID="_8d115f49-0364-44d5-b8d1-bae034763bc7" InResponseTo="_511ac5e8-36da-4534-9972-0975b2381e10" IssueInstant="2026-04-05T15:00:18Z" Version="2.0">
    <!-- Destination equals the AssertionConsumerService Location in SP.xml.
         InResponseTo is the ID of the AuthnRequest Joplin sent (not shown in the
         report); the SP is expected to check it against the request it issued. -->
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://casdoor.mydomain.com</saml:Issuer>
    <!-- Enveloped signature over the whole Response: the Reference URI below is
         the Response's own ID, the enveloped-signature transform removes this
         Signature element from the signed bytes, and exclusive C14N (the variant
         without comments) canonicalises the rest before SHA-256 digesting and
         RSA-SHA256 signing. C14N keeps all whitespace between elements, so this
         pretty-printed and annotated copy cannot reproduce DigestValue; the server
         has to verify the bytes exactly as received in the POST. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_8d115f49-0364-44d5-b8d1-bae034763bc7">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>Q0eBL8/kfabsMgAezR576djK++Yzujkrb/E2EO7eH60=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>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</ds:SignatureValue>
        <!-- Certificate carried inside the message by the IdP. On its own it proves
             nothing; the verifier must use, or at least compare it against, the
             signing certificate from the IdP metadata it already trusts. Both
             certificates are redacted here, so they cannot be compared on this
             page. NOTE(review): which certificate Joplin Server uses is not shown. -->
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>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</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <!-- The Assertion carries no <ds:Signature> of its own, consistent with
         WantAssertionsSigned="false" in SP.xml; its integrity rests entirely on
         the Response-level signature above. -->
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c29d7d3b-8252-4428-8f71-a96c30b78e53" IssueInstant="2026-04-05T15:00:18Z" Version="2.0">
        <saml:Issuer>https://casdoor.mydomain.com</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@mydomain.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <!-- Recipient equals the ACS Location in SP.xml; InResponseTo repeats
                     the request ID from the Response element. -->
                <saml:SubjectConfirmationData InResponseTo="_511ac5e8-36da-4534-9972-0975b2381e10" NotOnOrAfter="2026-04-06T15:00:18Z" Recipient="https://joplin.mydomain.com/api/saml" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <!-- Validity window is 24 hours (NotBefore to NotOnOrAfter), and the
             SubjectConfirmationData and SessionNotOnOrAfter values use the same end
             time. That is a long lifetime for a bearer assertion; a window of a few
             minutes bounds how long a captured response remains usable. These values
             are chosen by the IdP. NOTE(review): the Casdoor setting is not shown. -->
        <saml:Conditions NotBefore="2026-04-05T15:00:18Z" NotOnOrAfter="2026-04-06T15:00:18Z">
            <saml:AudienceRestriction>
                <!-- Three audiences: the SP entityID from SP.xml ("Joplin"), the IdP's
                     own entityID, and the ACS URL. Per SAML the restriction is satisfied
                     when the SP's entityID is one of the listed values, so only the first
                     is needed. -->
                <saml:Audience>Joplin</saml:Audience>
                <saml:Audience>https://casdoor.mydomain.com</saml:Audience>
                <saml:Audience>https://joplin.mydomain.com/api/saml</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2026-04-05T15:00:18Z" SessionIndex="_599ba33a-812f-404c-8989-8db88837f2c2" SessionNotOnOrAfter="2026-04-06T15:00:18Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <!-- Email/Name/DisplayName (basic name format) are the three attributes
             advertised in IDP.xml; email/displayName (uri name format) repeat the
             same values under different names. Roles is sent without any
             AttributeValue, i.e. an empty list for this user. -->
        <saml:AttributeStatement>
            <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin@mydomain.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="DisplayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin@mydomain.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>



    Labels

    bug (It's a bug)
