Error in DSigVerifier

Article ID: 194528

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction


We're running Federation Services as SP and when the Policy Server
validates the signature, the processing fails and the Policy Server
logs show the error:

  [06/23/2020][14:49:06.169][14:49:06][3200][6268][SignatureProcessor.java][verifyXML][24009675-520dbe73-ca9f4eb3-6b1adeb4-48098e01-d56][][][][][][][][][][][][][][][][][][][]
  [Signature verification with primary certificate failed with
  message: Error in DSigVerifier: cert not found or sig not
  verified - Caught an Exception either finding certificate in DB or
  verifying using IXMLSignature implementor - Transform disallowed!]

If we disable signature verification, then the transaction can be
completed.

How can we fix that?


Cause


The Transform algorithm in the assertion's signature has the value:

   http://www.w3.org/TR/2001/REC-xml-c14n-20010315

This transform is not allowed in a SAML2 assertion per the specification,
so the request is rejected. See the following extract of the specification:

  5.4.4 Transforms

    Signatures in SAML messages SHOULD NOT contain transforms other
    than the enveloped signature transform (with the identifier
    http://www.w3.org/2000/09/xmldsig#enveloped-signature) or the
    exclusive canonicalization transforms (with the identifier
    http://www.w3.org/2001/10/xml-exc-c14n# or
    http://www.w3.org/2001/10/xml-exc-c14n#WithComments).

    Verifiers of signatures MAY reject signatures that contain other
    transform algorithms as invalid [...]

  https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

The assertion causing the issue has the following data :

FWSTrace.txt

  [06/23/2020][12:49:05][2848][17528][4112553-520dbe73-ca9f4eb3-6b1adeb4-48098e01-d56][AssertionConsumer.java][processSAMLResponse][Credentials: <UserCredentials><?xml version="1.0" encoding="UTF-8"?>
  <samlp2:Response Version="2.0" ID="SAML-41h5dzs8-0205-4974-8a21-d801eae83d3e" IssueInstant="2020-06-23T12:49:05Z" Destination="https://mysp.myspdomain.com/affwebservices/public/saml2assertionconsumer" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://myidp.idpdomain.com</saml2:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#SAML-41h5dzs8-0205-4974-8a21-d801eae83d3e">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
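As an added example (not code from this article or from SiteMinder), the screening a verifier applies before any cryptographic verification: list every Transform algorithm in each signature that falls outside the section 5.4.4 set. The sample Response is constructed to mirror the FWSTrace extract above; its ID and issuer are placeholders.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Transforms permitted by saml-core-2.0-os section 5.4.4 (quoted above).
ALLOWED_TRANSFORMS = frozenset({
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
})


def disallowed_transforms(saml_xml: str) -> list:
    """Return every Transform Algorithm that 5.4.4 does not permit, across all
    ds:Signature elements (a Response may be signed and so may its Assertion).
    A Transform lacking an Algorithm attribute is reported as "<missing>"."""
    root = ET.fromstring(saml_xml)
    bad = []
    for sig in root.iter(f"{{{DS_NS}}}Signature"):
        for transform in sig.iter(f"{{{DS_NS}}}Transform"):
            alg = transform.get("Algorithm", "<missing>")
            if alg not in ALLOWED_TRANSFORMS:
                bad.append(alg)
    return bad


def build_response(transforms):
    """Constructed SAML Response skeleton modelled on the FWSTrace extract above."""
    tr = "".join(f'<Transform Algorithm="{t}"/>' for t in transforms)
    return (
        '<samlp2:Response Version="2.0" ID="SAML-example-id" '
        'xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<Signature xmlns="{DS_NS}"><SignedInfo>'
        '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        f'<Reference URI="#SAML-example-id"><Transforms>{tr}</Transforms>'
        '</Reference></SignedInfo></Signature></samlp2:Response>'
    )


# Transform list seen in the trace: enveloped-signature plus inclusive C14N.
REJECTED = build_response(["http://www.w3.org/2000/09/xmldsig#enveloped-signature",
                           "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"])
# Same response using exclusive C14N, which 5.4.4 permits.
ACCEPTED = build_response(["http://www.w3.org/2000/09/xmldsig#enveloped-signature",
                           "http://www.w3.org/2001/10/xml-exc-c14n#"])

if __name__ == "__main__":
    print(disallowed_transforms(REJECTED))  # → ['http://www.w3.org/TR/2001/REC-xml-c14n-20010315']
    print(disallowed_transforms(ACCEPTED))  # → []
```

A non-empty result corresponds to the "Transform disallowed!" rejection in the Policy Server log; the fix is on the signing side, not in the verifier.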

Environment


Policy Server 12.8SP3 on Windows 2016


Resolution


Have the partner (the IdP signing the assertion) use only the Transform
algorithms permitted by the SAML specification (the enveloped-signature
transform and the exclusive canonicalization transforms quoted above) to
solve the issue.