We're running Federation Services as Service Provider (SP). When the request comes to our SP side, the browser gets error 500 and Federation Services reports the error:
"SAML Assertion based user authentication failed"
How can we fix that?
CA Access Gateway (SPS) 12.8SP2 on RedHat 7;
Policy Server 12.8SP2 on RedHat 7;
This issue happens because the Policy Server cannot find the exact same certificate that was used to sign the assertion. The Policy Server must find in the Certificate Data Store (CDS) the same certificate as the one carried in the assertion.
To understand what happens, you need the traces from the browser. Fiddler is a good tool to capture such details.
From the browser traces, we can get the SAMLResponse which is sent to
the SP.
POST https://sp.example.com/affwebservices/public/saml2assertionconsumer
SAMLResponse=xVhpc6rMEv5%2Bq%2B5%.......................................................%2FZHn7r8%3D
500 Internal Server Error
Thu, 03 Oct 2019 09:28:52 GMT
Apache/2.4.37 (Unix) OpenSSL/1.0.2q-fips mod_jk/1.2.46
In this request the SAMLResponse is:
xVhpc6rMEv5%2Bq%2B5%.......................................................%2FZHn7r8%3D
URL decode it using this tool:
https://meyerweb.com/eric/tools/dencoder/
Original:
xVhpc6rMEv5%2Bq%2B5%.......................................................%2FZHn7r8%3D
URL decoded:
xVhpc6rMEv5+q+5......................................................./ZHn7r8=
Once URL decoded, paste the value into this tool to base64-decode the response so the assertion can be read:
https://www.samltool.com/decode.php
Decoded:
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx9a89c4e4-8b9c-324d-e921-8d710b13256e" Version="2.0" IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx9a89c4e4-8b9c-324d-e921-8d710b13256e">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>...........</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...............</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9................................................/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">users</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
From that response, the signing certificate is in this section:
<ds:X509Certificate>
MIICajCCAdOgAwIBAgIBADANBgkqhkiG9................................................/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg==
</ds:X509Certificate>
Take the value and put it in a PEM file like the following; wrap the base64 text at 64 characters per line:
cert.crt
-----BEGIN CERTIFICATE-----
MIICajCCAdOgAwIBAgIBADANBgkqhkiG9................
.................................................
......../Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg==
-----END CERTIFICATE-----
Then run the following command against that file to make it human readable:
c:\> openssl x509 -in cert.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = us, ST = xxxx, O = xxxx, CN = sp.example.com
        Validity
            Not Before: Jul 17 14:12:56 2014 GMT
            Not After : Jul 17 14:12:56 2015 GMT
        Subject: C = us, ST = xxxx, O = xxxx, CN = sp.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:d9:c7:e3:8d:e0:85:28:21:6c:60:ba:44:db:d6:
                    .............................................
                    a1:5e:93:40:4c:29:4f:dd:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                18:7C:58:A9:96:32:5F:B7:13:C4:A5:4E:0D:58:19:C1:24:DD:0A:7C
            X509v3 Authority Key Identifier:
                keyid:18:7C:58:A9:96:32:5F:B7:13:C4:A5:4E:0D:58:19:C1:24:DD:0A:7C
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha512WithRSAEncryption
         72:14:e9:7e:84:c1:48:09:b7:77:0c:97:e7:a7:64:60:77:f7:
         ......................................................
         d6:36
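The decode-and-inspect chain above (URL decode, base64 decode, read the ds:X509Certificate element, write a 64-column cert.crt for openssl) can be scripted, and the script can also perform the check the Policy Server performs: an exact match between the certificate in the message and the one configured for the partnership. The following is an added example written for this article, not code from the article or from CA/Broadcom. It uses only the Python standard library; the sample SAMLResponse and the certificate bytes inside it are constructed placeholders, not real data. It goes slightly beyond the article's POST-binding case by also inflating the DEFLATE-compressed form used by the Redirect binding.

```python
"""Decode a captured SAMLResponse and compare its signing certificate.

Added example for this article (not CA/Broadcom code). It scripts the manual
chain from the article (URL decode -> base64 decode -> ds:X509Certificate ->
64-column PEM for openssl) and adds the exact-match check the Policy Server
applies against the certificate configured for the partnership. The sample
message and the certificate bytes inside it are constructed placeholders.
"""
import base64
import hashlib
import ssl
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def decode_saml_response(param: str) -> bytes:
    """Turn the SAMLResponse form value from a browser trace into XML bytes.

    The POST binding (the article's case) carries plain base64; the Redirect
    binding carries raw-DEFLATE-compressed base64, so inflate when the decoded
    bytes do not already look like XML.
    """
    raw = base64.b64decode(urllib.parse.unquote(param))
    if raw.lstrip().startswith(b"<"):
        return raw
    return zlib.decompress(raw, -15)  # wbits=-15: raw DEFLATE, no zlib header


def encode_saml_response(xml_bytes: bytes, deflate: bool = False) -> str:
    """Inverse of decode_saml_response; used here to build sample input."""
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml_bytes = comp.compress(xml_bytes) + comp.flush()
    return urllib.parse.quote(base64.b64encode(xml_bytes).decode("ascii"), safe="")


def extract_signing_cert_der(xml_bytes: bytes) -> bytes:
    """Return the DER bytes of the first ds:X509Certificate in the message."""
    root = ET.fromstring(xml_bytes)
    node = root.find(f".//{{{DS_NS}}}X509Certificate")
    text = (node.text or "") if node is not None else ""
    if not text.strip():
        raise ValueError("no ds:X509Certificate element in the SAML message")
    # IdPs often wrap the base64 text; strip all whitespace before decoding.
    return base64.b64decode("".join(text.split()))


def der_to_pem(der: bytes) -> str:
    """PEM with 64-character lines, i.e. the cert.crt file the article builds."""
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form openssl x509 -fingerprint prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_assertion_cert(param: str, configured_der: bytes) -> dict:
    """Decode the message and compare its certificate with the configured one.

    The Policy Server requires the identical certificate, so the comparison is
    a byte-for-byte DER match; the fingerprint is what you compare by eye with
    the certificate listed in the Certificate Data Store.
    """
    der = extract_signing_cert_der(decode_saml_response(param))
    return {
        "pem": der_to_pem(der),
        "fingerprint": fingerprint_sha256(der),
        "matches_configured": der == configured_der,
    }


# Constructed sample: placeholder bytes stand in for a real DER certificate.
FAKE_CERT_DER = b"placeholder-certificate-bytes-not-a-real-x509-certificate"
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">'
    "<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(FAKE_CERT_DER).decode("ascii")
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
    "</samlp:Response>"
).encode("utf-8")
SAMPLE_PARAM = encode_saml_response(SAMPLE_XML)  # what the POST body carries

if __name__ == "__main__":
    result = check_assertion_cert(SAMPLE_PARAM, FAKE_CERT_DER)
    print(result["pem"], end="")
    print("SHA256 fingerprint:", result["fingerprint"])
    print("matches configured certificate:", result["matches_configured"])
```

To use it on a real capture, pass the SAMLResponse value from the Fiddler trace to `check_assertion_cert` together with the DER of the certificate exported from the CDS entry behind the partnership's alias; a `False` in `matches_configured` is the condition the Policy Server reports as "Certificate from Database does not match the Certificate in message".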
On the SiteMinder SP side (Federation Services and Policy Server), track down the transaction to identify which signing certificate alias is involved.
First, identify the error in the Federation Services log and get the TransactionID of the failing transaction. In this sample the transaction ID is 23827b6b-########-########-########-########-45:
affwebserv.log_10032019:
[55517/140126910224128][Thu Oct 03 2019 02:28:54][FWSBase.java][ERROR][sm-FedClient-00360] SAML Assertion based user authentication failed. ()
[55517/140126910224128][Thu Oct 03 2019 02:28:54][AssertionConsumer.java][ERROR][sm-FedClient-02890] Transaction with ID: 23827b6b-########-########-########-########-45 failed. Reason: ACS_FAILED_PROCESS_FAILURE (, , )
The Federation traces show that the failure occurs at the Policy Server level: "result code from AgentAPI login call: 2"
FWSTrace.log_10032019:
[10/03/2019][02:28:52][55517][140126910224128][23827b6b-########-########-########-########-45][AssertionConsumer.java][doPost][SAML2 AssertionConsumer Service received POST request.]
[10/03/2019][02:28:53][55517][140126910224128][23827b6b-########-########-########-########-45][AssertionConsumer.java][createPostRequestContext][SAMLResponse parameter (base-64 encoded): xVhpc6rMEv5+q........................... [...] Iuy9+G2+n1ZPU0z14kO9/ZHn7r8=]
[10/03/2019][02:28:54][55517][140126910224128][23827b6b-########-########-########-########-45][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]
[10/03/2019][02:28:54][55517][140126910224128][23827b6b-########-########-########-########-45][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]
[10/03/2019][02:28:54][55517][140126910224128][23827b6b-########-########-########-########-45][FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.]
[10/03/2019][02:28:54][55517][140126910224128][23827b6b-########-########-########-########-45][AssertionConsumer.java][redirectLoginFailure][AuthReason=50]
[10/03/2019][02:28:54][55517][140126910224128][23827b6b-########-########-########-########-45][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]
Second, search the Policy Server traces for transaction ID 23827b6b-########-########-########-########-45. The transaction records show the certificate alias in use. In this sample the alias is "spcert".
smtracedefault.log_10032019:
[10/03/2019][02:28:53.612][02:28:53][21691][139664350508800][SignatureProcessor.java][verifyXML][23827b6b-########-########-########-########-45][][][][][][][][][][][][][][][][][][][][][][][][][Primary certificate to verify signature: alias: "spcert"][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[10/03/2019][02:28:54.438][02:28:54][21691][139664350508800][SignatureProcessor.java][verifyXML][23827b6b-########-########-########-########-45][][][][][][][][][][][][][][][][][][][][][][][][][Signature verification with primary certificate failed with message: Error in DSigVerifier: cert not found or sig not verified - Caught an Exception either finding certificate in DB or verifying using IXMLSignature implementor - Certificate from Database does not match the Certificate in message.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[10/03/2019][02:28:54.439][02:28:54][21691][139664350508800][SignatureProcessor.java][verifyXML][23827b6b-########-########-########-########-45][][][][][][][][][][][][][][][][][][][][][][][][][Secondary certificate to verify signature: alias: "spcert"][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[10/03/2019][02:28:54.441][02:28:54][21691][139664350508800][Saml2Validator.java][checkAssertion][23827b6b-########-########-########-########-45][][][][][][][][][][][][][][][][][][][][SAML20: Assertion rejected (_26410c70-...........................): DSigException caught while verifying assertion: Error in DSigVerifier: cert not found or sig not verified - Caught an Exception either finding certificate in DB or verifying using IXMLSignature implementor - Certificate from Database does not match the Certificate in message.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[10/03/2019][02:28:54.449][02:28:54][21691][139664350508800][SmAuthSaml.cpp:1295][][][][][][][][][][][][][][][][][][][][][][LogMessage:INFO:[sm-log-00000] SmAuthenticateJNI() failed. ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[10/03/2019][02:28:54.449][02:28:54][21691][139664350508800][SmAuthSaml.cpp:2027][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][SAML Auth Scheme returning auth state: 3, auth reason: 50.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
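The two-step hunt above (take the failing TransactionID from affwebserv.log, then pull the FWSTrace.log and smtracedefault.log records that carry it to read the AgentAPI result code, the alias the Policy Server tried and the DSigVerifier message) is easy to automate when you have to triage many failures. The following is an added example written for this article, not code from the article or from CA/Broadcom. The log lines it runs over are constructed after the article's excerpts (one line per record, most of the empty [] fields dropped) and the transaction ID is the article's masked value, not a real one.

```python
"""Correlate one failed SAML login across the SPS and Policy Server logs.

Added example for this article (not CA/Broadcom code). It scripts the two
steps the article performs by hand: find the failing TransactionID in
affwebserv.log, then read the FWSTrace.log and smtracedefault.log records
for that ID to get the AgentAPI result code, the AuthReason, the certificate
alias the Policy Server tried and the DSigVerifier message. Sample lines are
constructed after the article's excerpts; the transaction ID is its masked
value, not a real one.
"""
import re
from typing import Dict, List

TXID = "23827b6b-########-########-########-########-45"

AFFWEBSERV_LOG = [
    "[55517/140126910224128][Thu Oct 03 2019 02:28:54][FWSBase.java][ERROR][sm-FedClient-00360] SAML Assertion based user authentication failed. ()",
    f"[55517/140126910224128][Thu Oct 03 2019 02:28:54][AssertionConsumer.java][ERROR][sm-FedClient-02890] Transaction with ID: {TXID} failed. Reason: ACS_FAILED_PROCESS_FAILURE (, , )",
]
FWSTRACE_LOG = [
    f"[10/03/2019][02:28:52][55517][140126910224128][{TXID}][AssertionConsumer.java][doPost][SAML2 AssertionConsumer Service received POST request.]",
    f"[10/03/2019][02:28:54][55517][140126910224128][{TXID}][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]",
    f"[10/03/2019][02:28:54][55517][140126910224128][{TXID}][AssertionConsumer.java][redirectLoginFailure][AuthReason=50]",
    # Unrelated successful transaction: must not leak into the summary.
    "[10/03/2019][02:29:10][55517][140126910224128][other-constructed-tx][FWSBase.java][authenticateUser][result code from AgentAPI login call: 0]",
]
SMTRACE_LOG = [
    f'[10/03/2019][02:28:53.612][02:28:53][21691][139664350508800][SignatureProcessor.java][verifyXML][{TXID}][][][Primary certificate to verify signature: alias: "spcert"][][]',
    f"[10/03/2019][02:28:54.438][02:28:54][21691][139664350508800][SignatureProcessor.java][verifyXML][{TXID}][][][Signature verification with primary certificate failed with message: Error in DSigVerifier: cert not found or sig not verified - Caught an Exception either finding certificate in DB or verifying using IXMLSignature implementor - Certificate from Database does not match the Certificate in message.][][]",
    f'[10/03/2019][02:28:54.439][02:28:54][21691][139664350508800][SignatureProcessor.java][verifyXML][{TXID}][][][Secondary certificate to verify signature: alias: "spcert"][][]',
    f"[10/03/2019][02:28:54.441][02:28:54][21691][139664350508800][Saml2Validator.java][checkAssertion][{TXID}][][][SAML20: Assertion rejected (_constructed): DSigException caught while verifying assertion: Error in DSigVerifier: cert not found or sig not verified - Caught an Exception either finding certificate in DB or verifying using IXMLSignature implementor - Certificate from Database does not match the Certificate in message.][][]",
]

FAILED_TX_RE = re.compile(r"Transaction with ID: (\S+) failed\. Reason: (\S+)")
AGENTAPI_RE = re.compile(r"\[result code from AgentAPI login call: (\d+)\]")
AUTHREASON_RE = re.compile(r"\[AuthReason=(\d+)\]")
ALIAS_RE = re.compile(r'certificate to verify signature: alias: "([^"]+)"')
DSIG_RE = re.compile(r"DSigVerifier: ([^\]]+)")


def failed_transactions(affwebserv_lines: List[str]) -> Dict[str, str]:
    """Map each failed ACS transaction ID to the reason FWS logged for it."""
    found: Dict[str, str] = {}
    for line in affwebserv_lines:
        m = FAILED_TX_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def trace_for(tx_id: str, lines: List[str]) -> List[str]:
    """Keep only the trace records whose transaction field is tx_id."""
    token = f"[{tx_id}]"
    return [line for line in lines if token in line]


def triage(tx_id: str, fwstrace_lines: List[str], smtrace_lines: List[str]) -> Dict[str, object]:
    """Summarise one transaction from the FWS and Policy Server traces."""
    fws = trace_for(tx_id, fwstrace_lines)
    ps = trace_for(tx_id, smtrace_lines)
    agent_codes = [int(m.group(1)) for m in map(AGENTAPI_RE.search, fws) if m]
    auth_reasons = [int(m.group(1)) for m in map(AUTHREASON_RE.search, fws) if m]
    aliases: List[str] = []
    dsig_errors: List[str] = []
    for line in ps:
        m = ALIAS_RE.search(line)
        if m and m.group(1) not in aliases:
            aliases.append(m.group(1))
        m = DSIG_RE.search(line)
        if m and m.group(1) not in dsig_errors:
            dsig_errors.append(m.group(1))
    return {
        "transaction_id": tx_id,
        "agentapi_result_codes": agent_codes,  # 2 = login failed at the Policy Server
        "auth_reasons": auth_reasons,
        "certificate_aliases": aliases,
        "dsig_errors": dsig_errors,
        # The article's root cause: the CDS entry behind the alias is not the
        # certificate carried in the message.
        "certificate_mismatch": any("does not match the Certificate in message" in e for e in dsig_errors),
    }


def run(affwebserv: List[str], fwstrace: List[str], smtrace: List[str]) -> List[Dict[str, object]]:
    """Triage every failed transaction found in affwebserv.log."""
    return [triage(tx, fwstrace, smtrace) for tx in failed_transactions(affwebserv)]


if __name__ == "__main__":
    for summary in run(AFFWEBSERV_LOG, FWSTRACE_LOG, SMTRACE_LOG):
        for key, value in summary.items():
            print(f"{key}: {value}")
```

On real files, read each log with `open(...).read().splitlines()` and pass the lists to `run`; the `certificate_aliases` entry tells you which partnership certificate alias to compare against the certificate extracted from the assertion.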
Ensure that the exact same certificate as the one carried in the assertion is set in the partnership for signing to solve the issue.