Invalid signature in a SAML Authentication Request

Article Id: 197116

Status: Published

Updated On: 12-08-2020 00:37

Products:

CA Single Sign On Secure Proxy Server (SiteMinder) , CA Single Sign On Agents (SiteMinder) , CA Single Sign On Federation (SiteMinder) , CA Single Sign On SOA Security Manager (SiteMinder) , SITEMINDER

Issue/Introduction:

We're running a Policy Server in Federated environment, and when the
Policy Server receives a SAMLRequest, it cannot validate the signature
and it reports error :

  Invalid signature.

How can we fix that ?

Cause:

Take the Fiddler traces and get the full URL and SAMLRequest value to
validate it with third-party site as shown in the following sample.

If we try to validate the AuthnRequest outside the Policy Server with
a tool on the internet, we get the same result.

  https://www.samltool.com/validate_authn_req.php

The URL containing the SAMLRequest is :
 
  https://myfed.mydomain.com/affwebservices/public/saml2sso?SAMLRequest=fZHLasMwEEV%2FxWgvW36SdwwsssSdsdw251ssmuR06bv6%2FsQEkX7fYyV%2BcetEFhhpFvZ3%2B2r%2FAxA%2Fqo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ%2B9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn%2BTLDBb5qtiQebLcCdTIrTCA3Et%2B2D4%2F8TCdj5PzTrqBtJvlmq8m013%2F%2F3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C%2Fh2W63d8HzuugZ4f%2BmpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22%2FAQ%3D%3D&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ%2FR4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe%2B1Mn%2BA38n%2Fbfesxh0q15k%2Bbr9gw71w5YT7LjmmMYdF%2BJJK9gYlKQDR4s8ZQD%2F%2Bu74cZDbecPwnYFketMAwlPeK%2FAqwTRmEp0Zl91zMbJFgm1lnBfQGU%2FCtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE%2BSvs5vGLn4Qv5P%2BYU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337%2BI%2BpvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw%3D%3D

The SAMLRequest is :

  fZHLasMwEEV%2FxWgvW36SdwwsssSdsdw251ssmuR06bv6%2FsQEkX7fYyV%2BcetEFhhpFvZ3%2B2r%2FAxA%2Fqo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ%2B9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn%2BTLDBb5qtiQebLcCdTIrTCA3Et%2B2D4%2F8TCdj5PzTrqBtJvlmq8m013%2F%2F3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C%2Fh2W63d8HzuugZ4f%2BmpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22%2FAQ%3D%3D&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ%2FR4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe%2B1Mn%2BA38n%2Fbfesxh0q15k%2Bbr9gw71w5YT7LjmmMYdF%2BJJK9gYlKQDR4s8ZQD%2F%2Bu74cZDbecPwnYFketMAwlPeK%2FAqwTRmEp0Zl91zMbJFgm1lnBfQGU%2FCtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE%2BSvs5vGLn4Qv5P%2BYU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337%2BI%2BpvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw%3D%3D

Url decoded :

  fZHLasMwEEV/xWgvW36SdwwsssSdsdw251ssmuR06bv6/sQEkX7fYyV+cetEFhhpFvZ3+2r/AxA/qo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ+9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn+TLDBb5qtiQebLcCdTIrTCA3Et+2D4/8TCdj5PzTrqBtJvlmq8m013//3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C/h2W63d8HzuugZ4f+mpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22/AQ==&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ/R4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe+1Mn+A38n/bfesxh0q15k+br9gw71w5YT7LjmmMYdF+JJK9gYlKQDR4s8ZQD/+u74cZDbecPwnYFketMAwlPeK/AqwTRmEp0Zl91zMbJFgm1lnBfQGU/CtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE+Svs5vGLn4Qv5P+YU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337+I+pvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw==

  https://www.samltool.com/decode.php

  <samlp:AuthnRequest ID="S00163e93-919f-1eda-a3f0-95231e59c4a4" Version="2.0" IssueInstant="2020-05-06T10:30:52Z" Destination="https://myfed.mydomain.com/affwebservices/public/saml2sso" ForceAuthn="false" IsPassive="false" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">HTTPS://mysp.myspdomain.com</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></samlp:AuthnRequest>

SP EntityId

HTTPS://mysp.myspdomain.com

Target URL, Destination of the AuthN Request

  https://myfed.mydomain.com/affwebservices/public/saml2sso

AuthnRequest :

  fZHLasMwEEV/xWgvW36SdwwsssSdsdw251ssmuR06bv6/sQEkX7fYyV+cetEFhhpFvZ3+2r/AxA/qo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ+9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn+TLDBb5qtiQebLcCdTIrTCA3Et+2D4/8TCdj5PzTrqBtJvlmq8m013//3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C/h2W63d8HzuugZ4f+mpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22/AQ==

RelayState :

  idjjjfosdksdtozrzforedaoatfqozvstrevzcuau

Signature Alogrithm :

  http://www.w3.org/2000/09/xmldsig#rsa-sha1

Signature

  MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ/R4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe+1Mn+A38n/bfesxh0q15k+br9gw71w5YT7LjmmMYdF+JJK9gYlKQDR4s8ZQD/+u74cZDbecPwnYFketMAwlPeK/AqwTRmEp0Zl91zMbJFgm1lnBfQGU/CtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE+Svs5vGLn4Qv5P+YU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337+I+pvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw==

Certificate used to sign :

Checked "Ignore timing issue"

THE SAML AUTHN REQUEST IS INVALID.
Signature validation failed. AuthN Request rejected

Environment:

Web Agent 12.52 64bit on Apache 2.2.29 64bit on Suse 11SP4;
Web Agent Option Pack 12.52 64bit on WebLogic 10.3.6 on Suse 11SP4;
Policy Server 12.8SP2 on RedHat 7;
JDK 1.8 64bit;

Resolution:

Review how the SP side is building the AuthnRequest and sign it. This
may be caused by a change in the assertion once it has already signed
in the post processing.