โŒ

Normal view

There are new articles available, click to refresh the page.
Before yesterdayMain stream

SignXML verification started to fail as of November 2022 - 'Signature verification failed: bad signature'

We use a Python solution using SignXML and lxml (latest versions) to run a production SSO solution. We are the Service Provider. We receive signed XML assertions when a user tries to access our system.

All worked fine until November 17, 2022. Since then every request gets 'Signature verification failed: bad signature'.

We pinned these versions: lxml==4.9.0, signxml==2.9.0, pyjwt==2.4.0, cryptography==37.0.2

But I think it is just SignXML causing this issue. As part of the CI/CD we generate integration tests on each deployment, and our tests work successfully. We don't have our client's private key, so we can't replicate the issue. But each request from them is invalid. Any ideas? I've looked at the changes in SignXML (https://pypi.org/project/signxml) but found nothing. Thanks!

I tried different Python versions (3.9, 3.10, 3.11), but I get the same behavior. I tried different methods, but no fix. Our validation method:

    from lxml import etree
    from signxml import XMLVerifier

    DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

    def validate_saml_assertion(saml_value, trusted_cert, tenant_prefix):
        root = etree.fromstring(saml_value)
        # The IdP embeds its certificate under ds:Signature/KeyInfo/X509Data/X509Certificate
        signature_node = root.find("Signature", namespaces={None: DSIG_NS})
        cert_from_xml = signature_node.findtext(".//X509Certificate", namespaces={None: DSIG_NS})
        # validate_fingerprint is a separate helper (not shown) that checks the embedded
        # certificate against the one pinned for this tenant and returns the trusted cert
        cert_on_file = validate_fingerprint(cert_from_xml, trusted_cert, tenant_prefix)
        # Verify against the pinned certificate, never against the one embedded in the request
        return XMLVerifier().verify(saml_value, x509_cert=cert_on_file).signed_xml

Different Python versions, different library versions.
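As an added example (not the poster's code, and not SignXML's API), here is the pinning step that a helper like the `validate_fingerprint` above has to perform before `XMLVerifier().verify` is called with a trusted certificate: pull the X509Certificate out of the ds:Signature, compute its SHA-256 fingerprint and compare it in constant time with the fingerprint pinned for the tenant, failing closed when the certificate is missing or different. The SAML skeleton and the "certificate" bytes are constructed placeholders, so only the standard library is needed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder DER blobs; in production this is the IdP's real signing certificate.
FAKE_DER = b"placeholder-der-bytes-not-a-real-certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode()
TAMPERED_B64 = base64.b64encode(b"attacker-supplied-self-signed-cert-bytes").decode()


def build_assertion(cert_b64):
    """Constructed SAML skeleton with only the parts the pinning check needs;
    the base64 is wrapped across lines, as real X509Certificate content usually is."""
    wrapped = "\n      ".join(cert_b64[i:i + 30] for i in range(0, len(cert_b64), 30))
    return (f'<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">\n'
            f'  <Signature xmlns="{DSIG_NS}"><KeyInfo><X509Data>\n'
            f'    <X509Certificate>\n      {wrapped}\n    </X509Certificate>\n'
            f'  </X509Data></KeyInfo></Signature>\n</Assertion>')


SAMPLE_XML = build_assertion(FAKE_CERT_B64)      # what a legitimate IdP would send
TAMPERED_XML = build_assertion(TAMPERED_B64)     # same structure, different embedded cert
PINNED_FP = hashlib.sha256(FAKE_DER).hexdigest()  # stored per tenant at onboarding time


def cert_fingerprint(cert_b64):
    """SHA-256 fingerprint of the DER certificate carried as (possibly wrapped) base64."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def extract_embedded_cert(saml_value):
    """Base64 text of the first X509Certificate under a ds:Signature, or None."""
    root = ET.fromstring(saml_value)
    node = root.find(f".//{{{DSIG_NS}}}Signature//{{{DSIG_NS}}}X509Certificate")
    return node.text if node is not None and node.text else None


def check_pinned_cert(saml_value, pinned_fp):
    """True only if the certificate embedded in the assertion matches the pinned fingerprint."""
    cert_b64 = extract_embedded_cert(saml_value)
    if cert_b64 is None:
        return False  # fail closed: nothing to pin against
    return hmac.compare_digest(pinned_fp, cert_fingerprint(cert_b64))
```

Only after this check passes should the pinned certificate itself be handed to `XMLVerifier().verify(..., x509_cert=...)`, which is what the poster's code does with `cert_on_file`.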

โŒ
โŒ