Error in DSigVerifier



Article ID: 194528


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER



We're running Federation Services as SP and when the Policy Server
validates the signature, the processing fails and the Policy Server
logs show the error:

  [Signature verification with primary certificate failed with
  message: Error in DSigVerifier: cert not found or sig not
  verified - Caught an Exception either finding certificate in DB or
  verifying using IXMLSignature implementor - Transform disallowed!]

If we disable signature verification, then the transaction can be

How can we fix that?




Policy Server 12.8SP3 on Windows 2016;




The transformation algorithm from the assertion has a value:

and this is not allowed in a SAML2 assertion as per the specification. Hence
the request is rejected. See the extract of the specification below:

  5.4.4 Transforms

    Signatures in SAML messages SHOULD NOT contain transforms other
    than the enveloped signature transform (with the identifier or the
    exclusive canonicalization transforms (with the identifier or

    Verifiers of signatures MAY reject signatures that contain other
    transform algorithms as invalid [...]

The assertion causing the issue has the following data:


  [06/23/2020][12:49:05][2848][17528][4112553-520dbe73-ca9f4eb3-6b1adeb4-48098e01-d56][][processSAMLResponse][Credentials: <UserCredentials><?xml version="1.0" encoding="UTF-8"?>
  <samlp2:Response Version="2.0" ID="SAML-41h5dzs8-0205-4974-8a21-d801eae83d3e" IssueInstant="2020-06-23T12:49:05Z" Destination="" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"></saml2:Issuer><Signature xmlns="">
    <CanonicalizationMethod Algorithm=""/>
    <SignatureMethod Algorithm=""/>
    <Reference URI="#SAML-41h5dzs8-0205-4974-8a21-d801eae83d3e">
 <Transform Algorithm=""/>
 <Transform Algorithm=""/>



Have the partner sign the assertion using only the transforms the SAML
specification allows (the enveloped signature transform and the exclusive
canonicalization transforms, as quoted above) to solve the issue.
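As an added illustration, not code from this KB article or from the SiteMinder product, the check the Policy Server applies can be modelled as an allowlist over the ds:Transform algorithms under each ds:Reference of the signature. The allowed identifiers used below are the standard W3C URIs for the enveloped-signature transform and exclusive canonicalization, which the specification extract names but which did not survive in this copy of the page. The two SAML responses are constructed samples: the XPath transform in the second one stands in for whatever unsupported transform the partner's assertion carried (the page does not preserve that value).

```python
import xml.etree.ElementTree as ET

# XML Digital Signature namespace; SAML signatures live in it, whether the
# assertion uses a "ds:" prefix or declares it as the default namespace.
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Standard W3C identifiers (not taken from the KB page) for the only
# transforms SAML 2.0 says a signed message should contain.
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
EXC_C14N_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
ALLOWED_TRANSFORMS = frozenset({ENVELOPED, EXC_C14N, EXC_C14N_WITH_COMMENTS})

# A real XMLDSig transform identifier, used here only as a constructed example
# of a transform that falls outside the SAML allowlist.
XPATH_TRANSFORM = "http://www.w3.org/TR/1999/REC-xpath-19991116"


def reference_transforms(saml_xml: str) -> list[str]:
    """Return the Transform Algorithm URIs found under every ds:Reference.

    Only elements in the XMLDSig namespace count; a Transform in some other
    namespace is not part of the signature and is simply ignored here.
    """
    root = ET.fromstring(saml_xml)
    found = []
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        for transform in ref.iter(f"{{{DS_NS}}}Transform"):
            found.append(transform.get("Algorithm", ""))
    return found


def disallowed_transforms(saml_xml: str) -> list[str]:
    """Transform URIs a strict SAML verifier would reject (order preserved)."""
    return [a for a in reference_transforms(saml_xml) if a not in ALLOWED_TRANSFORMS]


def transforms_acceptable(saml_xml: str) -> bool:
    """True when every transform in the signature is on the SAML allowlist."""
    return not disallowed_transforms(saml_xml)


def _constructed_response(transforms: list[str]) -> str:
    """Build a minimal, constructed SAML 2.0 Response carrying the given transforms."""
    transform_elems = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in transforms)
    return (
        '<samlp2:Response Version="2.0" ID="_constructed-response-id" '
        'xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        "<ds:Signature><ds:SignedInfo>"
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        '<ds:Reference URI="#_constructed-response-id"><ds:Transforms>'
        f"{transform_elems}"
        "</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>"
        "</samlp2:Response>"
    )


# Constructed samples: one that passes the check and one that would produce
# the "Transform disallowed!" rejection described in the article.
GOOD_RESPONSE = _constructed_response([ENVELOPED, EXC_C14N])
BAD_RESPONSE = _constructed_response([ENVELOPED, XPATH_TRANSFORM])


if __name__ == "__main__":
    for label, doc in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        rejected = disallowed_transforms(doc)
        verdict = "accepted" if not rejected else f"rejected, disallowed: {rejected}"
        print(f"{label}: {verdict}")
```

The check deliberately runs before any cryptographic verification: an unsupported transform should be refused as a policy decision, which is the behaviour the log message above records, rather than being fed to the signature implementation.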