We're running a Federation Service on the SP side, and SP-initiated
requests fail with an HTTP 500 error in the browser. The Federation Service
logs the following errors:
affwebserv.log:
[9748/140064010385152][Tue Oct 08 2019
17:10:35][SSO.java][ERROR][sm-FedClient-02890] Transaction with ID:
abd66c3c-27718530-143ea65a-737d6f8e-a08ae68f-1 failed. Reason:
FAILED_INVALID_RESPONSE_RETURNED (, , )
FWSTrace.log:
[Received the following response from SAML2 assertion generator:
SAML2Response=NO.]
[Transaction with ID:
2efab415-448ecdcd-47ac323f-218f8d84-84945eac-6 failed. Reason:
FAILED_INVALID_RESPONSE_RETURNED]
[Denying request due to "NO" returned from SAML2 assertion
generator.]
smtracedefault:
[Error in getting configuration data. Leaving Assertion Generator
Framework. Exception:
java.lang.Exception: The Federation Web Service didn't send the
request with a correct resource! Internal Exception:
javax.xml.bind.UnmarshalException: Unexpected element
{http://www.w3.org/2000/09/xmldsig#}:Signature
at com.netegrity.SAML2Gen.impl.runtime.SAXUnmarshallerHandlerImpl.
handleEvent(Unknown Source)
How can we fix this?
A signed AuthnRequest is supported only when the signature is carried as a
separate query parameter (HTTP-Redirect binding), not when a Signature
element is embedded inside the AuthnRequest element sent through the
HTTP-POST binding.
This is the AuthnRequest received when the POST binding fails. The Signature
element is embedded inside the AuthnRequest:
<samlp:AuthnRequest ID="v90a428e-c80b-4992-8969-1348cd044ec7"
    Version="2.0" IssueInstant="2019-10-08T15:10:23Z"
    Destination="https://myidp.mydomain.com/affwebservices/public/saml2sso"
    ForceAuthn="false" IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://mysp.sp.com/saml/myconsume.jsp"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://mysp.sp.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#v90a428e-c80b-4992-8969-1348cd044ec7">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>hwGymNmerPOs0u2TH4W3F6lF03U=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>Lonv [...] 1ZCng==</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIG8TCC [...] yQmGXIYQsprfCA=</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</samlp:AuthnRequest>
Release: 12.8
Component: SITEMINDER FEDERATION SECURITY SERVICES
Configure the HTTP-Redirect binding instead of HTTP-POST. The AuthnRequest
is then received as query parameters, with the signature carried outside
the AuthnRequest element, and the request succeeds.
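As an added illustration (not code from this article or from the SiteMinder product), the following Python checks whether an outgoing AuthnRequest carries the enveloped XML-Signature that this IdP rejects, and rebuilds it in the HTTP-Redirect shape, where the signature travels as a separate query parameter. The sample request, its ID and Issuer are constructed values, and the RSA signing step itself (which needs the SP's private key) is left out.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
ET.register_namespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
ET.register_namespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")

# Constructed sample (not the article's request): a minimal AuthnRequest carrying
# an enveloped ds:Signature, i.e. the HTTP-POST shape the IdP above rejects.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest ID="_constructed-id" Version="2.0"
  IssueInstant="2019-10-08T15:10:23Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
  </Signature>
</samlp:AuthnRequest>"""


def has_enveloped_signature(xml_text: str) -> bool:
    """True when ds:Signature is a child of AuthnRequest: the form that triggers
    'Unexpected element {...xmldsig#}:Signature' in smtracedefault."""
    return ET.fromstring(xml_text).find(f"{{{DSIG_NS}}}Signature") is not None


def to_redirect_binding(xml_text: str, relay_state: str = "") -> tuple:
    """Drop the enveloped signature and build HTTP-Redirect query parameters.
    Returns (params, string_to_sign): the SP signs string_to_sign with its key and
    sends the base64 result as a separate 'Signature' parameter, so the signature
    sits outside the AuthnRequest. Signing needs the SP key and is omitted here."""
    root = ET.fromstring(xml_text)
    for sig in root.findall(f"{{{DSIG_NS}}}Signature"):
        root.remove(sig)
    # Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64.
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    payload = deflater.compress(ET.tostring(root, encoding="utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(payload).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    params["SigAlg"] = RSA_SHA1
    # SAML 2.0 Bindings 3.4.4.1: sign the URL-encoded parameters in this exact order.
    return params, urllib.parse.urlencode(params)


def decode_saml_request(encoded: str) -> str:
    """Inverse of the Redirect encoding, as the IdP applies it before parsing."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")
```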
If you need this specific functionality, "AuthnRequest with embedded
signature (HTTP-POST binding)", to be implemented, we invite you to submit
an Enhancement Request (Idea) on the Security page:
1. Go to the "All Ideas" page :
https://community.broadcom.com/ideation/allideas
2. Click on the "Add" button.
3. In the "Select categories...", select "Layer7 Access Management".
4. Write a title in the "title" box.
5. Write a complete description of the Enhancement Request or
Certification you'd like to post.
6. Click on "Save" to get the Idea submitted!