We're running a Policy Server in a federated environment. When the Policy Server receives a SAMLRequest, it cannot validate the signature and reports the error:
Invalid signature.
How can we fix that?
Take the Fiddler traces and extract the full URL and the SAMLRequest value, then validate them with a third-party site as shown in the following sample. Validating the AuthnRequest outside the Policy Server with a tool on the internet gives the same result:
https://www.samltool.com/validate_authn_req.php
The URL containing the SAMLRequest is:
https://myfed.mydomain.com/affwebservices/public/saml2sso?SAMLRequest=fZHLasMwEEV%2FxWgvW36SdwwsssSdsdw251ssmuR06bv6%2FsQEkX7fYyV%2BcetEFhhpFvZ3%2B2r%2FAxA%2Fqo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ%2B9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn%2BTLDBb5qtiQebLcCdTIrTCA3Et%2B2D4%2F8TCdj5PzTrqBtJvlmq8m013%2F%2F3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C%2Fh2W63d8HzuugZ4f%2BmpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22%2FAQ%3D%3D&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ%2FR4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe%2B1Mn%2BA38n%2Fbfesxh0q15k%2Bbr9gw71w5YT7LjmmMYdF%2BJJK9gYlKQDR4s8ZQD%2F%2Bu74cZDbecPwnYFketMAwlPeK%2FAqwTRmEp0Zl91zMbJFgm1lnBfQGU%2FCtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE%2BSvs5vGLn4Qv5P%2BYU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337%2BI%2BpvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw%3D%3D
The SAMLRequest is:
fZHLasMwEEV%2FxWgvW36SdwwsssSdsdw251ssmuR06bv6%2FsQEkX7fYyV%2BcetEFhhpFvZ3%2B2r%2FAxA%2Fqo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ%2B9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn%2BTLDBb5qtiQebLcCdTIrTCA3Et%2B2D4%2F8TCdj5PzTrqBtJvlmq8m013%2F%2F3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C%2Fh2W63d8HzuugZ4f%2BmpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22%2FAQ%3D%3D&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ%2FR4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe%2B1Mn%2BA38n%2Fbfesxh0q15k%2Bbr9gw71w5YT7LjmmMYdF%2BJJK9gYlKQDR4s8ZQD%2F%2Bu74cZDbecPwnYFketMAwlPeK%2FAqwTRmEp0Zl91zMbJFgm1lnBfQGU%2FCtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE%2BSvs5vGLn4Qv5P%2BYU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337%2BI%2BpvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw%3D%3D
URL decoded:
fZHLasMwEEV/xWgvW36SdwwsssSdsdw251ssmuR06bv6/sQEkX7fYyV+cetEFhhpFvZ3+2r/AxA/qo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ+9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn+TLDBb5qtiQebLcCdTIrTCA3Et+2D4/8TCdj5PzTrqBtJvlmq8m013//3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C/h2W63d8HzuugZ4f+mpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22/AQ==&RelayState=idjjjfosdksdtozrzforedaoatfqozvstrevzcuau&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=[decoded Signature value, listed in full under "Signature" below]
Decoded with https://www.samltool.com/decode.php, the SAMLRequest is:
<samlp:AuthnRequest ID="S00163e93-919f-1eda-a3f0-95231e59c4a4" Version="2.0" IssueInstant="2020-05-06T10:30:52Z" Destination="https://myfed.mydomain.com/affwebservices/public/saml2sso" ForceAuthn="false" IsPassive="false" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">HTTPS://mysp.myspdomain.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>
Values entered in the validation tool:
SP EntityId:
HTTPS://mysp.myspdomain.com
Target URL (Destination of the AuthnRequest):
https://myfed.mydomain.com/affwebservices/public/saml2sso
AuthnRequest:
fZHLasMwEEV/xWgvW36SdwwsssSdsdw251ssmuR06bv6/sQEkX7fYyV+cetEFhhpFvZ3+2r/AxA/qo2zXkwFha5VDntE5rRVPoBRW5YrQuszyFspaFKEj0BhNqZxuSxYxEHeIMnUUvrA8RyxhlJWXVMWU8Z7zM3km0CwRthV9bZ+9H5EmCnqIRRiroY7A61j4RSn3CCWG6aAmYjPNp0DJZ1maIjkQPbpKwzm6IEgPCgt8LRH2Bn+TLDBb5qtiQebLcCdTIrTCA3Et+2D4/8TCdj5PzTrqBtJvlmq8m013//3rAwrQokfbxeNwfgpK55kVV5QUNa2M5mdjZHoywfSyd2SR3lBty5C/h2W63d8HzuugZ4f+mpnG6Jrqnaj3ls8URpFYaepK0N8Lvj22/AQ==
RelayState:
idjjjfosdksdtozrzforedaoatfqozvstrevzcuau
Signature algorithm:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
Signature:
MIICPQYJKoZIhvcNAQcCoIICLjCCAioCAQSdsdcsERfsFsadwqGdsfgdfGdfDFSDSFDeSDFdsfededDDgEBMIGCMHYxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MS8wLQYDVQQLEyZJMDAwMDAwMDAwNzQwOTg2NDYyIC0gQnVzaW5lc3NCeURlc2lnbjEYMBYGA1UEAwwPU0FQX0JZRF9TQU1MMl9TAggKIBkGKBJHATAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNTA2MTAzMDUyWjAjBgkqhkiG9w0BCQQxFgQUxws1W4s5ld0ak8y8GOHi7Gr9fxwwDQYJKoZIhvcNAQEBBQAEggEAnt0sKOJQ/R4VRn6lVNADWeRlHyq0cnQEqFeLimB2gIReYFaHymCs1MYnPbNz7Yhi7WpoTPLe+1Mn+A38n/bfesxh0q15k+br9gw71w5YT7LjmmMYdF+JJK9gYlKQDR4s8ZQD/+u74cZDbecPwnYFketMAwlPeK/AqwTRmEp0Zl91zMbJFgm1lnBfQGU/CtAeenlJV6q7nRZMOQrYp4hTh4Qzo3gwE+Svs5vGLn4Qv5P+YU8f5upwuXHh35Q95qQd1NU771D2tBibqob5m6kO70gCJZDW8iil9FJzCZJRWJ6337+I+pvpMSNrBtxhFn7g9XrSv6BEyQ59bR5mTnK2Uw==
Certificate used to sign:
-----BEGIN CERTIFICATE-----
[SP signing certificate omitted]
-----END CERTIFICATE-----
With "Ignore timing issue" checked, the tool reports:
THE SAML AUTHN REQUEST IS INVALID.
Signature validation failed. AuthN Request rejected
Web Agent 12.52 64bit on Apache 2.2.29 64bit on Suse 11SP4;
Web Agent Option Pack 12.52 64bit on WebLogic 10.3.6 on Suse 11SP4;
Policy Server 12.8SP2 on RedHat 7;
JDK 1.8 64bit;
Review how the SP side builds and signs the AuthnRequest. This error is typically caused by the signed message (the AuthnRequest) being changed after it has been signed, for example during post-processing, so that the bytes the Policy Server verifies no longer match the bytes the SP signed.
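As an added example (not part of this article or of the product), the following Python script reconstructs the exact octets that a SAML HTTP-Redirect binding signature covers, decodes a SAMLRequest the way samltool.com does, and shows that re-encoding RelayState after signing (the kind of post-processing change described above) alters the signed bytes even though the decoded values are identical. The AuthnRequest, its ID and the RelayState are constructed samples; the hostnames are the ones from the trace above.

```python
import base64
import hashlib
import zlib
from urllib.parse import quote, unquote_plus, urlsplit

DEST = "https://myfed.mydomain.com/affwebservices/public/saml2sso"
SIG_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # as on this page; rsa-sha256 is preferred today
AUTHN_XML = (  # constructed sample modelled on the decoded request above; the ID is a placeholder
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'ID="_placeholder-id" Version="2.0" Destination="{DEST}">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'HTTPS://mysp.myspdomain.com</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect_request(xml: str) -> str:
    """Raw DEFLATE + base64 + URL-encode: how an SP packs SAMLRequest for the Redirect binding."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return quote(base64.b64encode(c.compress(xml.encode()) + c.flush()).decode(), safe="")

def decode_redirect_request(encoded: str) -> str:
    """Reverse of the above (what samltool.com/decode.php does)."""
    return zlib.decompress(base64.b64decode(unquote_plus(encoded)), -15).decode()

def signed_string(url: str) -> str:
    """SAML 2.0 Bindings 3.4.4.1: the signature covers SAMLRequest=<v>[&RelayState=<v>]&SigAlg=<v>,
    each value taken from the query string exactly as transmitted (still URL-encoded), in that
    order, Signature excluded. Decoding and re-encoding the values would change the bytes."""
    params = dict(p.split("=", 1) for p in urlsplit(url).query.split("&"))
    parts = ["SAMLRequest=" + params["SAMLRequest"]]
    if "RelayState" in params:
        parts.append("RelayState=" + params["RelayState"])
    parts.append("SigAlg=" + params["SigAlg"])
    return "&".join(parts)

def rsa_sha1_digest(url: str) -> str:
    """SHA-1 of the signed string; the RSA signature must verify against exactly this digest."""
    return hashlib.sha1(signed_string(url).encode("ascii")).hexdigest()

def build_url(relay_state: str, relay_safe: str = "") -> str:
    """Assemble the redirect URL. relay_safe emulates a downstream component that re-encodes
    RelayState more loosely than the signer did (a change made after signing)."""
    query = (f"SAMLRequest={encode_redirect_request(AUTHN_XML)}"
             f"&RelayState={quote(relay_state, safe=relay_safe)}"
             f"&SigAlg={quote(SIG_ALG, safe='')}&Signature=PLACEHOLDER")
    return f"{DEST}?{query}"

def post_processing_breaks_signature() -> bool:
    """Same RelayState, two encodings: both decode to the same value, but the signed bytes
    differ, so the signature computed by the SP can no longer verify at the Policy Server."""
    as_signed = build_url("idp=https://mysp.myspdomain.com/app")
    rewritten = build_url("idp=https://mysp.myspdomain.com/app", relay_safe="=/:")
    return rsa_sha1_digest(as_signed) != rsa_sha1_digest(rewritten)
```

When troubleshooting a real trace, feed `signed_string()` the URL exactly as captured by Fiddler; if the digest of that string differs from the digest of the string the SP signed, something between the SP and the Policy Server rewrote the request.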