FAILED_INVALID_RESPONSE_RETURNED SP initiated federation

Article ID: 141423

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

We're running a Federation Service on the SP side, and SP-initiated
requests fail with error 500 in the browser. The Federation Service
returns the following errors:
 
  affwebserv.log :
 
    [9748/140064010385152][Tue Oct 08 2019
    17:10:35][SSO.java][ERROR][sm-FedClient-02890] Transaction with ID:
    abd66c3c-27718530-143ea65a-737d6f8e-a08ae68f-1 failed. Reason:
    FAILED_INVALID_RESPONSE_RETURNED (, , )
 
  FWSTrace.log 
 
    [Received the following response from SAML2 assertion generator:
    SAML2Response=NO.]
 
    [Transaction with ID:
    2efab415-448ecdcd-47ac323f-218f8d84-84945eac-6 failed. Reason:
    FAILED_INVALID_RESPONSE_RETURNED]
 
    [Denying request due to "NO" returned from SAML2 assertion
    generator.]
 
  smtracedefault :
 
    [Error in getting configuration data. Leaving Assertion Generator
    Framework.  Exception:
 
    java.lang.Exception: The Federation Web Service didn't send the
    request with a correct resource! Internal Exception:
 
     javax.xml.bind.UnmarshalException: Unexpected element 
        {http://www.w3.org/2000/09/xmldsig#}:Signature
 at com.netegrity.SAML2Gen.impl.runtime.SAXUnmarshallerHandlerImpl.
        handleEvent(Unknown Source)

How can we fix this?

 

Cause

 

A signed AuthnRequest is supported only when the signature is carried
as a query parameter (HTTP-Redirect binding), not when the Signature
element is embedded inside the AuthnRequest element sent with the
HTTP-POST binding.

This is the AuthnRequest received when the request fails over POST.
The Signature element sits inside the AuthnRequest itself:

<samlp:AuthnRequest ID="v90a428e-c80b-4992-8969-1348cd044ec7"
    Version="2.0" IssueInstant="2019-10-08T15:10:23Z"
    Destination="https://myidp.mydomain.com/affwebservices/public/saml2sso"
    ForceAuthn="false" IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://mysp.sp.com/saml/myconsume.jsp"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://mysp.sp.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#v90a428e-c80b-4992-8969-1348cd044ec7">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>hwGymNmerPOs0u2TH4W3F6lF03U=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>Lonv [...] 1ZCng==</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIG8TCC [...] yQmGXIYQsprfCA=</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</samlp:AuthnRequest>

 

Environment

 

Release : 12.8

Component : SITEMINDER FEDERATION SECURITY SERVICES

 

Resolution

 

Configure the HTTP-Redirect binding instead of HTTP-POST. The
AuthnRequest is then received as query parameters, with the signature
carried as a separate query parameter rather than inside the
AuthnRequest element, and the request succeeds.
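To make the distinction in the Cause and Resolution concrete, this added Python script (not Broadcom code) encodes a constructed AuthnRequest with both bindings and reports where the signature sits: embedded in the XML element (the POST case that fails here) or beside the request as SigAlg/Signature query parameters (the Redirect case that works). The IdP URL is the Destination from the captured request above; the signature values are dummy placeholders.

```python
"""Added example (not Broadcom code): classify a captured SP-initiated SAML2
AuthnRequest by binding and signature placement. Sample data is constructed."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

def build_request(embed_signature: bool) -> bytes:
    """Constructed minimal AuthnRequest; the embedded Signature is a dummy placeholder."""
    sig = (f'<Signature xmlns="{DSIG}"><SignedInfo/><SignatureValue>dummy'
           '</SignatureValue></Signature>') if embed_signature else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_c1" Version="2.0" '
            f'IssueInstant="2019-10-08T15:10:23Z">{sig}</samlp:AuthnRequest>').encode()

def encode_post(xml_bytes: bytes) -> str:
    return base64.b64encode(xml_bytes).decode()  # HTTP-POST: plain base64 XML form field

def encode_redirect(xml_bytes: bytes, sign_query: bool) -> str:
    """HTTP-Redirect: raw DEFLATE + base64 + URL-encode; signature goes beside SAMLRequest."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    params = {"SAMLRequest": base64.b64encode(co.compress(xml_bytes) + co.flush()).decode()}
    if sign_query:  # dummy value; a real SP signs the SAMLRequest/SigAlg query string
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"dummy-signature").decode()
    return "https://myidp.mydomain.com/affwebservices/public/saml2sso?" + urlencode(params)

def has_embedded_signature(xml_bytes: bytes) -> bool:
    """True when a ds:Signature element sits inside the AuthnRequest element itself."""
    return ET.fromstring(xml_bytes).find(f"{{{DSIG}}}Signature") is not None

def signature_placement(binding: str, payload: str) -> str:
    """Return 'embedded', 'query-parameter' or 'none' for a POST form value or Redirect URL."""
    if binding == "HTTP-POST":
        xml_bytes, query = base64.b64decode(payload), {}
    else:
        query = parse_qs(urlsplit(payload).query)
        xml_bytes = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    if has_embedded_signature(xml_bytes):
        return "embedded"
    return "query-parameter" if all(k in query for k in ("SigAlg", "Signature")) else "none"

def diagnose(binding: str, payload: str) -> str:
    """Map the observed combination onto this article's findings."""
    placement = signature_placement(binding, payload)
    if binding == "HTTP-POST" and placement == "embedded":
        return "unsupported: signature inside AuthnRequest over POST; use HTTP-Redirect"
    if binding == "HTTP-Redirect" and placement == "query-parameter":
        return "supported: signed AuthnRequest as query parameters"
    return f"{binding} with {placement} signature: not covered by the article"
```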

If you need the specific functionality "AuthnRequest with embedded
signature (HTTP-POST binding)" to be implemented, we invite you to
submit an Enhancement Request (Idea) on the Security page:

  1. Go to the "All Ideas" page:
     https://community.broadcom.com/ideation/allideas
  2. Click on the "Add" button.
  3. In "Select categories...", select "Layer7 Access Management".
  4. Write a title in the "title" box.
  5. Write a complete description of the Enhancement Request or
     Certification you'd like to post.
  6. Click on "Save" to submit the Idea.