SAML Response Block Not Authenticating

Article ID: 191570


Updated On:

Products

CA API Gateway
API SECURITY
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway

Issue/Introduction

After migrating from Ping Federate to Okta as the SAML identity provider, the Gateway no longer accepts the SAML Response.

The Validate Non-SOAP SAML Token assertion logs the following error (#012 and #011 are the syslog escapes for newline and tab):

WARNING com.l7tech.external.assertions.validatenonsoapsaml.server.ServerValidateNonSoapSamlTokenAssertion : 5552: Signature confirmation failed: Unable to verify signature of SAML
assertion: Validity not achieved. Signature not valid. null#012#011Element #id2580803694653514837643688: Digest value mismatch: calculated: PP36jf8ErwfWfR93zkuHbbqH4LR3Ib7Fw8QVSW95qBg=

Environment

Release : 9.2

Component : API GATEWAY

Cause

The InclusiveNamespaces element in the signature's exclusive canonicalization transform is the problem. Exclusive C14N (xml-exc-c14n) emits a namespace declaration only on elements where the prefix is visibly utilized, that is, used as the element's own prefix or as an attribute's prefix. A prefix that appears only inside an attribute value (typically xs, from xsi:type="xs:string" on saml:AttributeValue) is not visibly utilized, so the signer lists it in PrefixList to force the xmlns:xs declaration into the digested bytes.

When the Gateway reconstructs the message using its XML library, the reconstruction does not honor that PrefixList: the xmlns:xs declaration is dropped from the signed element, and once the prefix is no longer in scope the validator cannot add it back. The recomputed digest therefore differs from the DigestValue in the signature, and the signature verification correctly fails.

Tracked as defect DE334566.

Resolution

The customer wanted to use an XPath assertion to drop additional XML nodes from the SAML message before sending it for validation. The XPath assertion, however, re-serialized the message and dropped namespace declarations in the process, so it was better to use an XSLT transform to drop the additional nodes.

A sample policy that uses XSLT was provided (see Attachments).

Whatever mechanism removes nodes, it must leave the signed subtree byte-for-byte canonical-equivalent to what the identity provider signed: only nodes outside the signed Reference can be removed, and namespace declarations in scope on the signed element must survive. Do not work around a digest mismatch by relaxing or skipping signature validation; an unverified assertion can be forged by anyone who can reach the Gateway.

Additional Information

Works (signer does not use an InclusiveNamespaces PrefixList):
<ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>

Fails (signer lists the xs prefix in InclusiveNamespaces):
<ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
  </ds:Transform>
</ds:Transforms>


The XPath assertion, when storing the DOM structure in a context variable, converted it to a string using exclusive canonicalization without honoring the PrefixList, which dropped namespaces from

Attachments

1590519299963__working+policy+with+xslt.xml