"Error in DSigVerifier" in Policy Server for Federation as SP

Article ID: 194528

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


When running Federation Services as a Service Provider (SP), signature validation in the Policy Server fails and the Policy Server log shows the following error:

  [06/23/2020][14:49:06.169][14:49:06][3200][6268][SignatureProcessor.java][verifyXML][][][][][][][][][][][][][][][][][][][][]
  [Signature verification with primary certificate failed with message: Error in DSigVerifier: cert not found or sig not verified - Caught an Exception either finding certificate in DB or verifying using IXMLSignature implementor - Transform disallowed!]

When signature verification is disabled, the transaction completes.

 

Cause

 
The Transform algorithm in the assertion's signature has the value:
  
   http://www.w3.org/TR/2001/REC-xml-c14n-20010315
   
This transform (inclusive canonicalization) is not allowed in a SAML 2.0 assertion as per the specification (1), so the request is rejected.
 
    "Signatures in SAML messages SHOULD NOT contain transforms other
     than the enveloped signature transform (with the identifier
     http://www.w3.org/2000/09/xmldsig#enveloped-signature) or the
     exclusive canonicalization transforms (with the identifier
     http://www.w3.org/2001/10/xml-exc-c14n# or
     http://www.w3.org/2001/10/xml-exc-c14n#WithComments).
 
     Verifiers of signatures MAY reject signatures that contain other
     transform algorithms as invalid [...]"
 
The assertion that causes the issue contains the following data:
 
FWSTrace.log:
 
[06/23/2020][12:49:05][2848][17528][][AssertionConsumer.java][processSAMLResponse][Credentials:
<UserCredentials>
  <?xml version="1.0" encoding="UTF-8"?>
  <samlp2:Response Version="2.0" ID="SAML-41h5dzs8-0205-4974-8a21-d801eae83d3e" IssueInstant="2020-06-23T12:49:05Z" Destination="https://sp.example.com/affwebservices/public/saml2assertionconsumer" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org</saml2:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#<reference>">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
 

Resolution

 
To solve the issue, have the partner (the Identity Provider) sign the assertion using only the Transform algorithms permitted by the SAML specification: the enveloped-signature transform and the exclusive canonicalization transforms.
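To confirm this condition in a captured SAML Response before raising it with the partner, the following added Python script (not part of this article or of SiteMinder) walks the ds:Transform elements in the message's signature and reports any algorithm outside the SAML 2.0 allow-list quoted above. The sample message is constructed to mirror the FWSTrace.log excerpt; its digest and signature values are placeholders, since only the transform list matters for this check.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Transforms permitted in SAML 2.0 signatures (SAML 2.0 Core, passage quoted above).
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}

def disallowed_transforms(saml_xml):
    """Return every Transform Algorithm found under the message's ds:Signature
    elements that is not on the SAML 2.0 allow-list. An empty list means the
    transforms would pass a verifier that enforces the specification."""
    root = ET.fromstring(saml_xml)
    bad = []
    for sig in root.iter(DS + "Signature"):
        for transform in sig.iter(DS + "Transform"):
            alg = transform.get("Algorithm", "")
            if alg not in ALLOWED_TRANSFORMS:
                bad.append(alg)
    return bad

# Constructed sample mirroring the log excerpt: enveloped-signature followed by
# a second Transform whose algorithm is supplied by the caller.
def sample_response(second_transform):
    return f"""<samlp2:Response Version="2.0" ID="_constructed" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org</saml2:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#_constructed">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="{second_transform}"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>PLACEHOLDER</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER</SignatureValue>
  </Signature>
</samlp2:Response>"""

# Inclusive C14N as in the log (rejected) versus exclusive C14N (accepted).
REJECTED = sample_response("http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
ACCEPTED = sample_response("http://www.w3.org/2001/10/xml-exc-c14n#")

if __name__ == "__main__":
    print("rejected sample:", disallowed_transforms(REJECTED))  # ['http://www.w3.org/TR/2001/REC-xml-c14n-20010315']
    print("accepted sample:", disallowed_transforms(ACCEPTED))  # []
```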

 

Additional Information