Invalid signature in a SAML Authentication Request


Article ID: 197116

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

 

We're running a Policy Server in a Federated environment, and when the
Policy Server receives a SAMLRequest, it cannot validate the signature
and reports the error:

  Invalid signature.

How can we fix that?

 

Cause

 

Take Fiddler traces, extract the full URL and the SAMLRequest value, and
validate them with a third-party site as shown in the following sample.

Validating the AuthnRequest outside the Policy Server, with a tool on
the internet, gives the same result:

  https://www.samltool.com/validate_authn_req.php

The URL containing the SAMLRequest is:

  https://myfed.mydomain.com/affwebservices/public/saml2sso?SAMLRequest=fZHLasMwEEV%2FxWgvW36SdwwsssSdsdw251ssmuR06bv6%2FsQEkX7fYyV%2BcetEFhhpFvZ3%2B2r%2FAxA%2Fqo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ%2B9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn%2BTLDBb5qtiQebLcCdTIrTCA3Et%2B2D4%2F8TCdj5PzTrqBtJvlmq8m013%2F%2F3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C%2Fh2W63d8HzuugZ4f%2BmpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22%2FAQ%3D%3D&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ%2FR4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe%2B1Mn%2BA38n%2Fbfesxh0q15k%2Bbr9gw71w5YT7LjmmMYdF%2BJJK9gYlKQDR4s8ZQD%2F%2Bu74cZDbecPwnYFketMAwlPeK%2FAqwTRmEp0Zl91zMbJFgm1lnBfQGU%2FCtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE%2BSvs5vGLn4Qv5P%2BYU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337%2BI%2BpvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw%3D%3D

The query string carrying the SAMLRequest (together with RelayState, SigAlg and Signature) is:

  fZHLasMwEEV%2FxWgvW36SdwwsssSdsdw251ssmuR06bv6%2FsQEkX7fYyV%2BcetEFhhpFvZ3%2B2r%2FAxA%2Fqo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ%2B9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn%2BTLDBb5qtiQebLcCdTIrTCA3Et%2B2D4%2F8TCdj5PzTrqBtJvlmq8m013%2F%2F3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C%2Fh2W63d8HzuugZ4f%2BmpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22%2FAQ%3D%3D&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ%2FR4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe%2B1Mn%2BA38n%2Fbfesxh0q15k%2Bbr9gw71w5YT7LjmmMYdF%2BJJK9gYlKQDR4s8ZQD%2F%2Bu74cZDbecPwnYFketMAwlPeK%2FAqwTRmEp0Zl91zMbJFgm1lnBfQGU%2FCtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE%2BSvs5vGLn4Qv5P%2BYU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337%2BI%2BpvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw%3D%3D

URL decoded:

  fZHLasMwEEV/xWgvW36SdwwsssSdsdw251ssmuR06bv6/sQEkX7fYyV+cetEFhhpFvZ3+2r/AxA/qo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ+9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn+TLDBb5qtiQebLcCdTIrTCA3Et+2D4/8TCdj5PzTrqBtJvlmq8m013//3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C/h2W63d8HzuugZ4f+mpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22/AQ==&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=[signature value omitted]

The SAMLRequest value, inflated and decoded with https://www.samltool.com/decode.php, is the following AuthnRequest:

  <samlp:AuthnRequest ID="S00163e93-919f-1eda-a3f0-95231e59c4a4" Version="2.0" IssueInstant="2020-05-06T10:30:52Z" Destination="https://myfed.mydomain.com/affwebservices/public/saml2sso" ForceAuthn="false" IsPassive="false" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">HTTPS://mysp.myspdomain.com</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></samlp:AuthnRequest>

SP EntityId:

  HTTPS://mysp.myspdomain.com

Target URL, Destination of the AuthnRequest:

  https://myfed.mydomain.com/affwebservices/public/saml2sso


AuthnRequest (the SAMLRequest parameter value):

  fZHLasMwEEV/xWgvW36SdwwsssSdsdw251ssmuR06bv6/sQEkX7fYyV+cetEFhhpFvZ3+2r/AxA/qo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ+9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn+TLDBb5qtiQebLcCdTIrTCA3Et+2D4/8TCdj5PzTrqBtJvlmq8m013//3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C/h2W63d8HzuugZ4f+mpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22/AQ==

RelayState:

  idjjjfosdksdtozrzforedaoatfqozvstrevzcuau

Signature Algorithm (SigAlg):

  http://www.w3.org/2000/09/xmldsig#rsa-sha1

Signature:

  (signature value omitted)

Certificate used to sign:

  -----BEGIN CERTIFICATE----- (certificate body omitted) -----END CERTIFICATE-----

With "Ignore timing issue" checked, the tool reports:

  THE SAML AUTHN REQUEST IS INVALID.
  Signature validation failed. AuthN Request rejected

 

Environment

 

  Web Agent 12.52 64bit on Apache 2.2.29 64bit on Suse 11SP4;
  Web Agent Option Pack 12.52 64bit on WebLogic 10.3.6 on Suse 11SP4; 
  Policy Server 12.8SP2 on RedHat 7;
    JDK 1.8 64bit;

 

Resolution

 

Review how the SP side builds and signs the AuthnRequest. This may be
caused by a change made to the request in post-processing after it has
already been signed, which leaves the Signature parameter stale and
makes the Policy Server reject it.
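As an added example that is not part of the original article and is not SiteMinder code: a self-contained Go program (standard library only) that builds a signed HTTP-Redirect binding AuthnRequest the way an SP does, verifies it the way the IdP side does, and then reproduces the "Invalid signature" outcome by editing the request after it was signed, which is the failure mode the Resolution describes. The RSA key, the request XML and the RelayState value are constructed for the demo; the Destination URL and the rsa-sha1 SigAlg are the ones shown on the page, and the verifier assumes the query parameters arrive in the spec order SAMLRequest, RelayState, SigAlg, Signature, as in the page's URL.

```go
package main
import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"net/url"
	"strings"
)

// encodeRequest DEFLATEs and base64-encodes the AuthnRequest XML, as the SP does for the Redirect binding.
func encodeRequest(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// buildRedirectURL (SP side): rsa-sha1 over the URL-encoded "SAMLRequest=..&RelayState=..&SigAlg=.." bytes, then append Signature.
func buildRedirectURL(dest, xml, relayState string, key *rsa.PrivateKey) (string, error) {
	query := "SAMLRequest=" + url.QueryEscape(encodeRequest(xml)) + "&RelayState=" + url.QueryEscape(relayState) +
		"&SigAlg=" + url.QueryEscape("http://www.w3.org/2000/09/xmldsig#rsa-sha1") // the SigAlg from the page's URL
	h := sha1.Sum([]byte(query))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, h[:])
	return dest + "?" + query + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), err
}

// verifyRedirectURL (IdP / Policy Server side): the signed input is the raw query up to "&Signature=", never a re-encoded copy.
func verifyRedirectURL(rawURL string, pub *rsa.PublicKey) error {
	_, query, _ := strings.Cut(rawURL, "?")
	signed, sigPart, _ := strings.Cut(query, "&Signature=")
	sigB64, _ := url.QueryUnescape(sigPart)
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // a malformed value also ends in ErrVerification
	h := sha1.Sum([]byte(signed))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], sig) // non-nil here is the page's "Invalid signature"
}

// demo reproduces the page's failure mode: the request is edited after signing (ForceAuthn flipped) and sent with the stale Signature.
func demo() (validErr, tamperedErr error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key, not the page's certificate
	dest := "https://myfed.mydomain.com/affwebservices/public/saml2sso" // Destination from the page
	xml := `<samlp:AuthnRequest ID="_demo" Version="2.0" ForceAuthn="false" Destination="` + dest + `" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>`
	good, _ := buildRedirectURL(dest, xml, "relay-state-demo", key)
	edited := strings.Replace(xml, `ForceAuthn="false"`, `ForceAuthn="true"`, 1)
	bad := strings.Replace(good, url.QueryEscape(encodeRequest(xml)), url.QueryEscape(encodeRequest(edited)), 1)
	return verifyRedirectURL(good, &key.PublicKey), verifyRedirectURL(bad, &key.PublicKey)
}
```

demo() returns nil for the untouched URL and a verification error for the post-signing edit, which is exactly the symptom to look for when the SP's pipeline rewrites the request after signing.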