We're running SiteMinder as IDP, and when the assertion arrives at Federation
Services on the foreign SP side, the SAML response signature fails validation.
The SiteMinder IDP uses the following certificate to sign:
We are using the SP certificate below to encrypt the assertion, and the
IDP certificate saml.mycompany.com.
Issued To: CN=saml.mycompany.com
Issued By: CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
Valid From: Oct 26, 2018 02:00 AM CEST
Fingerprint: 99:DE:AF:37:FA:23:B7:51:57:D1:EE:AC:99:3B:5F:74:56:0W:B8:CDy
After investigation, we've found that there might be an issue with
the Base64 encoding of the SAML responses before they are sent
to the foreign application.
The certificate from the assertion looks like this:
<ds:X509Certificate>
MIIGr [...] QG
How can we solve this?
When we look at the SAMLResponse sent to the browser, and then to the
SP side, in the Fiddler traces, decoding and decrypting the
SAMLResponse value doesn't show any end chars as
On line 32 we see the SAMLResponse, and using
https://www.samltool.com/decode.php we can see the assertion showing
correctly without the " ":
When it gets out of the IdP side :
Line 32 :
GET https://myidp.mydomainidp.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=https://saml.mycompany.com&SAMLTRANSACTIONID=411f5f1w-97446195-5578f301-5f2d916c-9f53846c-be5
SMSESSION=qMw21FiusaZbYqgiwtVtZh8PBX [...]
HTTP/1.1 200 OK
Date: Fri, 26 Jun 2020 09:35:26 GMT
Server: Apache/2.4.4 (Unix) mod_jk/1.2.37
<form action="https://mysp.mydomainsp.com/loginaccount/saml" method="POST">
<input type="hidden" name="SAMLResponse" value="PFJlc3Bv [...] c2U+
decoded :
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://mysp.mydomainsp.com/loginaccount/saml" ID="_5s22ff5411eb4 [...]" IssueInstant="2020-06-26T09:35:26Z" Version="2.0">
<ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://myhost.mydomain.com</ns1:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_2c33ss5122eb4f6eb6d4dccc67bd126c90bc"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>sdfdsaqawssdDSK53IvL9ZUGK [...] </ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ASDsdweasdsadsADsASDsadvrL [...] </ds:SignatureValue><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGrDC [...] </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</Status>
<ns2:EncryptedAssertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>aDSADwewadsas [...] </xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey><ds:X509Data><ds:X509Certificate>MIIDSADSEedsad [...] </ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>8i07RtfHK [...] </xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></ns2:EncryptedAssertion></Response>
Then the browser sends the same to the SP side, again without the " ":
Line 35 :
POST https://mysp.mydomainsp.com/loginaccount/saml
SAMLResponse=PFJlc3Bv [...]
decoded :
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://mysp.mydomainsp.com/loginaccount/saml" ID="_2c33ss5122eb4f6 [...] " IssueInstant="2020-06-26T09:35:26Z" Version="2.0">
<ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://myhost.mydomain.com</ns1:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_2c33ss51 [...] "><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>sdfdsa [...] </ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ASDsdweasdsadsADsASDsadvrLAY [...] </ds:SignatureValue><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGrDCCBZSgAwIBA [...] </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</Status>
<ns2:EncryptedAssertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>aDSADwewadsasdaDSDS [...] </xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey><ds:X509Data><ds:X509Certificate>MIIDSADSEedsad/DSddc [...] </ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>8i07RtfHKva [...]
The embedded certificate is also readable:
openssl x509 -in cert.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0f:54:e8:1b:df:c3:ec:4a:e3:3d:d5:2f:2f:d4:aa:31
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
Validity
Not Before: May 6 00:00:00 2020 GMT
Not After : May 7 12:00:00 2022 GMT
Subject: C = ES, ST = Barcelona, L = Barcelona, O = Support, CN = myhost.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bd:f7:4c:a4:43:ab:d1:b8:c0:e1:47:cb:a6:03:
[...]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:24:6E:2B:2D:D0:6A:92: [...]
X509v3 Subject Key Identifier:
FA:41:54:85:DB:42:74:81:4A: [...]
X509v3 Subject Alternative Name:
DNS:fss9.ericsson.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/DigiCertGlobalCAG2.crl
Full Name:
URI:http://crl4.digicert.com/DigiCertGlobalCAG2.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Policy: 2.23.140.1.2.2
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalCAG2.crt
X509v3 Basic Constraints:
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
[...]
Timestamp : May 6 03:02:09.935 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:76:CC:9D:82:F6:59:30:AC:DB:FD:F4:71:
[...]
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 22:45:45:07:59:55:24:56:96:3F:A1:2F:F1:F7:6D:86:
[...]
Timestamp : May 6 03:02:09.957 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:BF:C0:82:9A:B8:F9:3B:BF:33:E5:8C:
[...]
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 51:A3:B0:F5:FD:01:79:9C:56:6D:B8:37:78:8F:0C:A4:
[...]
Timestamp : May 6 03:02:10.031 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:7C:E3:90:AF:44:68:0E:D9:8B:72:E5:C8:
[...]
Signature Algorithm: sha256WithRSAEncryption
46:cd:00:e4:df:5c:71:44:b0:3b:55:c9:1c:5e:c1:6c:9a:21:
[...]
Policy Server 12.8SP2 on RedHat 7;
JDK 1.8.0_181;
Policy Store on CA Directory 14;
Investigate on the partner side why the characters
are added to the assertion once the partner receives it.
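
The hop-by-hop comparison done above with Fiddler and samltool.com can be scripted. The following is an added example, not part of the original article or of SiteMinder: it decodes the SAMLResponse captured at the IdP and at the SP, checks that both carry the same bytes, and lists any non-Base64 characters inside the signature-related elements. The function names and the sample data are hypothetical, and the altered sample assumes the added characters take the form of a carriage-return reference (&#13;).

```python
import base64
import re
from urllib.parse import unquote

# Elements whose text must be pure base64 (names taken from the decoded Response above).
B64_ELEMENTS = ("X509Certificate", "SignatureValue", "DigestValue", "CipherValue")
ALLOWED = re.compile(r"[A-Za-z0-9+/=\n ]")  # base64 alphabet plus LF/space wrapping
CHAR_REF = re.compile(r"&#?\w+;")            # XML references such as &#13;


def decode_saml_response(value: str) -> bytes:
    """URL-decode (POST bodies are form-encoded), then strictly base64-decode."""
    return base64.b64decode(unquote(value.strip()), validate=True)


def stray_characters(xml: bytes) -> dict:
    """Map element name -> unexpected characters or references in its text."""
    # Regexes on purpose: an XML parser resolves references and normalises line endings.
    text, findings = xml.decode("utf-8"), {}
    for name in B64_ELEMENTS:
        pattern = rf"<(?:\w+:)?{name}\b[^>]*>(.*?)</(?:\w+:)?{name}>"
        for body in re.findall(pattern, text, flags=re.S):
            bad = set(CHAR_REF.findall(body))
            bad |= {repr(c) for c in CHAR_REF.sub("", body) if not ALLOWED.fullmatch(c)}
            if bad:
                findings.setdefault(name, set()).update(bad)
    return {name: sorted(chars) for name, chars in findings.items()}


def compare_hops(idp_value: str, sp_value: str) -> dict:
    """Compare the value in the IdP's HTML form with the one POSTed to the SP."""
    idp_xml, sp_xml = decode_saml_response(idp_value), decode_saml_response(sp_value)
    return {"identical": idp_xml == sp_xml,
            "idp_stray": stray_characters(idp_xml),
            "sp_stray": stray_characters(sp_xml)}


# Constructed sample: a minimal Response skeleton, not a real capture.
CLEAN_XML = (b'<Response><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
             b"<ds:SignatureValue>QUJD\nREVG</ds:SignatureValue>"
             b"<ds:X509Certificate>TUlJ\nR3I=</ds:X509Certificate></ds:Signature></Response>")
# Assumed form of the added characters: a carriage-return reference at each line end.
ALTERED_XML = CLEAN_XML.replace(b"\n", b"&#13;\n")
IDP_VALUE = base64.b64encode(CLEAN_XML).decode()
ALTERED_VALUE = base64.b64encode(ALTERED_XML).decode()

if __name__ == "__main__":
    print(compare_hops(IDP_VALUE, IDP_VALUE))      # both hops carry the same bytes
    print(compare_hops(IDP_VALUE, ALTERED_VALUE))  # a copy altered after capture
```

If both captures compare as identical and clean, as they do in the traces above, the change to the signed content happens after the SP endpoint has received the POST.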