Error: Invalid Argument passed to method in Logout SAML Federation
Article ID: 224354
Updated On:
Products
CA Single Sign On Federation (SiteMinder)
SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
Issue/Introduction
When running Siteminder in Federation journey as IdP, when a user tries to log out, the browser shows the error:
"An error occurred during the logout process. Please close your browser".
The Federation Service reports an error at the signature verification phase:
Exception when processing an SLO message:
com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method.
Environment
1 Policy Server 12.8SP3 on RedHat 7;
OpenJDK jdk8u252-b09;
Policy Store on CA Directory 14.1;
Session Store on CA Directory
10.195.147.196:4389 10.195.147.197:4389;
1 CA Access Gateway (SPS) 12.8SP3 on Windows 2016;
Cause
The configuration has SkewTime=30, the assertion IssueInstant is 2021-09-01T07:11:54.583Z, and the Policy Server time is 38 seconds in the past 09:11:16.938 (1).
The SAMLRequest for the logout is not signed, as it should be (2).
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://_fed._domain._com/affwebservices/public/saml2slo"
ID="a9d3jf41e4fj3jg2fjg5jhg63965jh"
IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
myIssuer
</saml2:Issuer>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
myNameID
</saml2:NameID>
<saml2p:SessionIndex>
14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==
</saml2p:SessionIndex></saml2p:LogoutRequest>
FWSTrace.log :
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][doGet][Receiving request at SAML2 SLO Logout URL through GET method[CHECKPOINT = SLOSAML2_LOGOUTSERVICEGET_RECEIVE]]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][doGet][SLORequest: SAMLRequest=dASERFfsda4444ds7eProBQsNGjAQlookCxvhWtrvRubWzt%2FPj31snEDTRB5%2Ba3J5z7jmnHU%2Fe6sp5AY1CyZhQLyAOyFRlQhYxWa9m7pB [...omitted for brevity...] BS8DPEuYyg7eE9s6vNtt0RaOT19vz4XRjwovZg4%2FB5VPsr%2Bv39jaOdzo%2FmIfpt%2F%2BSfAA%3D]
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://_fed._domain._com/affwebservices/public/saml2slo"
ID="a9d3jf41e4fj3jg2fjg5jhg63965jh" IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
myIssuer
</saml2:Issuer>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
myNameID
</saml2:NameID>
<saml2p:SessionIndex>
14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==
</saml2p:SessionIndex>
</saml2p:LogoutRequest>
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][doGet][SLORequest: SAMLRequest=dASERFfsda4444ds7eProBQsNGjAQlo [...omitted for brevity...] BS8DPEuYyg7eE9s6vNtt0RaOT19vz4XRjwovZg4%2FB5VPsr%2Bv39jaOdzo%2FmIfpt%2F%2BSfAA%3D]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][handleLogout][RequestID: 273569ff-91856b48-f04185f9-937b9e96-6332c554-879]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SAMLTunnelClient.java][callSingleLogout][Tunnel result code: 1.]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][handleLogout][
TUNNEL STATUS:
status : 2
message : Exception when processing an SLO message: com.netegrity.SAML2Security.DSigException:
Invalid Argument passed to method.
com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][handleLogoutFailure][Redirecting to error handling URL [CHECKPOINT = SLOSAML2_ERRORURL_REDIRECT]]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][handleLogoutFailure][Displaying default failure page.]
smps.log :
[42237/140172045285120][Wed Sep 01 2021 09:11:17][SingleLogoutTunnelServiceHandler.java][ERROR][sm-FedServer-00330] com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method.
com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)
smtracedefault.log:
[Resolved all the input parameters][CServer.cpp:6557][42237][140172045285120][09/01/2021][09:11:16][09:11:16.938][CServer::Tunnel][][][][][][][][][][][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][][][][][][][][10.0.0.1][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Lib='smjavaapi', Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService',Server='', Device=''][][][][][][][][][]
[Received an SLO message.SamlSloRequestData [sessionId=14CKbhcT13+wQC8Dbt2GFX/s0Hk=,sloMessage=SAMLRequest=dASERFfsda4444ds7eProBQsNGjAQlookCxvhWtrvRubWzt%2FPj31snE [...omitted for brevity...] 9vz4XRjwovZg4%2FB5VPsr%2Bv39jaOdzo%2FmIfpt%2F%2BSfAA%3D, localResource=https://_fed._domain._com/affwebservices/public/saml2slo, localLogout=false, soap=false, hasRelayState=false, commonData=requestId: 273569ff-91856b48-f04185f9-937b9e96-6332c554-879, serviceVersion: 1, serviceMinimumVersion: 0, fedApiVersion: 1, post=false, protocolBinding=, relayState=, disambiguationId=null]][SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:16][09:11:16.991][getClientSideInputs][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[decoded input:<?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://_fed._domain._com/affwebservices/public/saml2slo" ID="a9d3jf41e4fj3jg2fjg5jhg63965jh" IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> myIssuer</saml2:Issuer><saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myNameID </saml2:NameID><saml2p:SessionIndex>14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ== </saml2p:SessionIndex></saml2p:LogoutRequest>][SAMLSingleLogoutInfo.java][42237] [140172045285120][09/01/2021][09:11:17][09:11:17.001][unmarshal][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
"IssueInstant="2021-09-01T07:11:54.583Z"
[SP Info: {AuthenticationLevel=5, [...] SLOServiceURL=https://_fed._domain._com/affwebservices/public/saml2slo][SAMLSingleLogoutInfo.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.010][getProviderInfo][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
"SkewTime=30"
EncryptionCertSerialNumber=1d0000405a30484017b3eb908500030000405a
DSigningAlias=mySignCert
SignatureAlgo=2
DSigVerInfoSerialNumber=1d0000405a30484017b3eb908500030000405a
DSigVerificationAlias=mySignCert
EncryptionCertIssuerDN=CN=MySignName, DC=myDomain, DC=com
KEY_SPID=myIssuer
EncryptionBlockAlgorithm=tripledes
RequireSignedAuthnRequests=0
DSigVerificationSecondaryAlias=mySignCert
Name=myIssuer
DSigVerInfoIssuerDN=CN=MySignName, DC=_domain, DC=_com
PostSignatureOption=2
EncryptionKeyAlgorithm=rsa-v15,
[ Selected Next Provider. Provider ID: null][SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.015][getNextProvider][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[ENTER: getIssuerMetada - Type: SP, Issuer: myIssuer][SAMLSingleLogoutInputMessage.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.017][getIssuerMetadata][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[ENTER: hasIssuerMetadata - Type: IdP, Issuer: myIssuer][SAMLSingleLogoutInputMessage.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.020][hasIssuerMetadata][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[ENTER: verify][SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.020][verify][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[ENTER verifySignature][SAMLSingleLogoutInputMessage.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.020][verifySignature][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[Primary certificate to verify signature: alias: "mySignCert"][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.021][verifyFromHTTP][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[Signature verification with primary certificate failed with message: Invalid Argument passed to method. ][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[Checking for secondary certificate][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[Verifying with secondary certificate][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[Secondary certificate to verify signature: alias: "mySignCert"][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method.
com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)]
[SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.045][setupSession][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
Resolution
- Configure all machines to be on the exact same date and time;
- Ask the SP partner to sign the Logout Request before sending it to the IDP;
Additional Information
Feedback
Yes
No
Powered by
