Invalid signature in a SAML Authentication Request

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

We're running a Policy Server in Federated environment, and when the
Policy Server receives a SAMLRequest, it cannot validate the signature
and it reports error :

  Invalid signature.

How can we fix that ?

Cause

Take the Fiddler traces and get the full URL and SAMLRequest value to
validate it with third-party site as shown in the following sample.

If we try to validate the AuthnRequest outside the Policy Server with
a tool on the internet, we get the same result.

  https://www.samltool.com/validate_authn_req.php

The URL containing the SAMLRequest is :
 
  https://myfed.mydomain.com/affwebservices/public/saml2sso?SAMLRequest=fZHLasMwEEV%2FxWgvW36SdwwsssSdsdw251ssmuR06bv6%2FsQEkX7fYyV%2BcetEFhhpFvZ3%2B2r%2FAxA%2Fqo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ%2B9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn%2BTLDBb5qtiQebLcCdTIrTCA3Et%2B2D4%2F8TCdj5PzTrqBtJvlmq8m013%2F%2F3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C%2Fh2W63d8HzuugZ4f%2BmpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22%2FAQ%3D%3D&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ%2FR4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe%2B1Mn%2BA38n%2Fbfesxh0q15k%2Bbr9gw71w5YT7LjmmMYdF%2BJJK9gYlKQDR4s8ZQD%2F%2Bu74cZDbecPwnYFketMAwlPeK%2FAqwTRmEp0Zl91zMbJFgm1lnBfQGU%2FCtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE%2BSvs5vGLn4Qv5P%2BYU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337%2BI%2BpvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw%3D%3D

The SAMLRequest is :

  fZHLasMwEEV%2FxWgvW36SdwwsssSdsdw251ssmuR06bv6%2FsQEkX7fYyV%2BcetEFhhpFvZ3%2B2r%2FAxA%2Fqo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ%2B9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn%2BTLDBb5qtiQebLcCdTIrTCA3Et%2B2D4%2F8TCdj5PzTrqBtJvlmq8m013%2F%2F3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C%2Fh2W63d8HzuugZ4f%2BmpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22%2FAQ%3D%3D&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ%2FR4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe%2B1Mn%2BA38n%2Fbfesxh0q15k%2Bbr9gw71w5YT7LjmmMYdF%2BJJK9gYlKQDR4s8ZQD%2F%2Bu74cZDbecPwnYFketMAwlPeK%2FAqwTRmEp0Zl91zMbJFgm1lnBfQGU%2FCtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE%2BSvs5vGLn4Qv5P%2BYU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337%2BI%2BpvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw%3D%3D

Url decoded :

  fZHLasMwEEV/xWgvW36SdwwsssSdsdw251ssmuR06bv6/sQEkX7fYyV+cetEFhhpFvZ3+2r/AxA/qo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ+9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn+TLDBb5qtiQebLcCdTIrTCA3Et+2D4/8TCdj5PzTrqBtJvlmq8m013//3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C/h2W63d8HzuugZ4f+mpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22/AQ==&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ/R4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe+1Mn+A38n/bfesxh0q15k+br9gw71w5YT7LjmmMYdF+JJK9gYlKQDR4s8ZQD/+u74cZDbecPwnYFketMAwlPeK/AqwTRmEp0Zl91zMbJFgm1lnBfQGU/CtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE+Svs5vGLn4Qv5P+YU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337+I+pvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw==

  https://www.samltool.com/decode.php

  <samlp:AuthnRequest ID="S00163e93-919f-1eda-a3f0-95231e59c4a4" Version="2.0" IssueInstant="2020-05-06T10:30:52Z" Destination="https://myfed.mydomain.com/affwebservices/public/saml2sso" ForceAuthn="false" IsPassive="false" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">HTTPS://mysp.myspdomain.com</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></samlp:AuthnRequest>

SP EntityId

HTTPS://mysp.myspdomain.com

Target URL, Destination of the AuthN Request

  https://myfed.mydomain.com/affwebservices/public/saml2sso

AuthnRequest :

  fZHLasMwEEV/xWgvW36SdwwsssSdsdw251ssmuR06bv6/sQEkX7fYyV+cetEFhhpFvZ3+2r/AxA/qo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ+9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn+TLDBb5qtiQebLcCdTIrTCA3Et+2D4/8TCdj5PzTrqBtJvlmq8m013//3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C/h2W63d8HzuugZ4f+mpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22/AQ==

RelayState :

  idjjjfosdksdtozrzforedaoatfqozvstrevzcuau

Signature Alogrithm :

  http://www.w3.org/2000/09/xmldsig#rsa-sha1

Signature

  MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ/R4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe+1Mn+A38n/bfesxh0q15k+br9gw71w5YT7LjmmMYdF+JJK9gYlKQDR4s8ZQD/+u74cZDbecPwnYFketMAwlPeK/AqwTRmEp0Zl91zMbJFgm1lnBfQGU/CtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE+Svs5vGLn4Qv5P+YU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337+I+pvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw==

Certificate used to sign :

Checked "Ignore timing issue"

>>

THE SAML AUTHN REQUEST IS INVALID.
Signature validation failed. AuthN Request rejected

Environment

Web Agent 12.52 64bit on Apache 2.2.29 64bit on Suse 11SP4;
Web Agent Option Pack 12.52 64bit on WebLogic 10.3.6 on Suse 11SP4;
Policy Server 12.8SP2 on RedHat 7;
JDK 1.8 64bit;

Resolution

Review how the SP side is building the AuthnRequest and sign it. This
may be caused by a change in the assertion once it has already signed
in the post processing.