Error : Invalid Argument passed to method in Logout SAML Federation

Article ID: 224354

Products

CA Single Sign On Federation (SiteMinder) SITEMINDER

Issue/Introduction

 

When SiteMinder runs as the IdP in a federation journey and the user tries
to log out, the browser shows the error:

  "An error occurred during the logout process. Please close your browser".

The Federation Service reports an error in the signature verification
phase:

  Exception when processing an SLO message:
  com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method.

 

Cause

 

The configuration has SkewTime=30, the IssueInstant of the incoming
LogoutRequest is 2021-09-01T07:11:54.583Z, and the Policy Server clock is
38 seconds behind it when the request is processed at 09:11:16.938, which is
more than the configured skew allows (1).

The SAMLRequest for the logout is not signed, although the SAML 2.0
specification says it should be (2). With the HTTP-Redirect binding the
signature travels in the SigAlg and Signature query parameters next to
SAMLRequest, and neither is present in the logged request.

  <?xml version="1.0" encoding="UTF-8"?>
  <saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
      Destination="https://myfedhost.mydomain.com/affwebservices/public/saml2slo"
      ID="a9d3jf41e4fj3jg2fjg5jhg63965jh"
      IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      myIssuer
    </saml2:Issuer>
    <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
      myNameID
    </saml2:NameID>
    <saml2p:SessionIndex>
      14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==
    </saml2p:SessionIndex>
  </saml2p:LogoutRequest>

FWSTrace.log :

  [09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
  [SLOService.java][doGet][Receiving request at SAML2 SLO Logout URL through GET method
  [CHECKPOINT = SLOSAML2_LOGOUTSERVICEGET_RECEIVE]]

  [09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
  [SLOService.java][doGet][SLORequest: SAMLRequest=dASERFfsda4444ds7eProBQsNGjAQlo
  okCxvhWtrvRubWzt%2FPj31snEDTRB5%2Ba3J5z7jmnHU%2Fe6sp5AY1CyZhQLyAOyFRlQhYxWa9m7pB
  MkjHyugobtlCFas0dPLeAxrFMiezrKiatlkxxFMgkrwGZSdny7HrBQi9gjVZGpaoiztQSheSm27Y1pkH
  m%2B1jz1mxp6Gkw4BkLdasSserwSSGQb%2BIFNBv2k0lUr9biJUiznwaEz7KojLvUejlZVQWYV4W%2F
  XJbDKLRwJ4Wg9jCXKLh0sQkDELqBiM3oKvglFHK%2Bj2vP4weiXO%2Fr8D6JbvArCPr46B%2F5%2BRoz
  X5mI4lqtMCnsX8stJe9scT59D%2Byzkzpmpvf4dSj3URkbt5BWSuxgVTkAjKS1Kqy7Wu19%2FXl5PC%2
  BS8DPEuYyg7eE9s6vNtt0RaOT19vz4XRjwovZg4%2FB5VPsr%2Bv39jaOdzo%2FmIfpt%2F%2BSfAA%3D]

   <?xml version="1.0" encoding="UTF-8"?>
   <saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
   Destination="https://myfedhost.mydomain.com/affwebservices/public/saml2slo"
   ID="a9d3jf41e4fj3jg2fjg5jhg63965jh" IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
   myIssuer
   </saml2:Issuer>
   <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
   myNameID
   </saml2:NameID>
   <saml2p:SessionIndex>
   14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==
   </saml2p:SessionIndex>
   </saml2p:LogoutRequest>

  [09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
  [SLOService.java][handleLogout][RequestID: 273569ff-91856b48-f04185f9-937b9e96-6332c554-879]
  
  [09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
  [SAMLTunnelClient.java][callSingleLogout][Tunnel result code: 1.]
  
  [09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
  [SLOService.java][handleLogout][
  
  TUNNEL STATUS:
     status  : 2
     message : Exception when processing an SLO message: com.netegrity.SAML2Security.DSigException:
               Invalid Argument passed to method.
     
  com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
  com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
  com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245]
  
  [09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
  [SLOService.java][handleLogoutFailure][Redirecting to error handling URL
  [CHECKPOINT = SLOSAML2_ERRORURL_REDIRECT]]
  
  [09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
  [SLOService.java][handleLogoutFailure][Displaying default failure page.]

smps.log :

  [42237/140172045285120][Wed Sep 01 2021 09:11:17][SingleLogoutTunnelServiceHandler.java]
  [ERROR][sm-FedServer-00330] com.netegrity.SAML2Security.DSigException:
  Invalid Argument passed to method.
  
  com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
  com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
  com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)
  


smtracedefault_20210901_091133.log :

  [Resolved all the input parameters][CServer.cpp:6557][42237][140172045285120]
  [09/01/2021][09:11:16][09:11:16.938][CServer::Tunnel][][][][][][][][][][]
  [13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][][][][][][][][10.195.145.68][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [Lib='smjavaapi', Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService',
  Server='', Device=''][][][][][][][][][]

  [Received an SLO message.SamlSloRequestData [sessionId=14CKbhcT13+wQC8Dbt2GFX/s0Hk=,
  sloMessage=SAMLRequest=dASERFfsda4444ds7eProBQsNGjAQlookCxvhWtrvRubWzt%2FPj31snE
  DTRB5%2Ba3J5z7jmnHU%2Fe6sp5AY1CyZhQLyAOyFRlQhYxWa9m7pBMkjHyugobtlCFas0dPLeAxrFMi
  ezrKiatlkxxFMgkrwGZSdny7HrBQi9gjVZGpaoiztQSheSm27Y1pkHm%2B1jz1mxp6Gkw4BkLaRQa8Hm
  ev8IGQb%2BIFNBv2k0lUr9biJUiznwaEz7KojLvUejlZVQWYV4W%2FXJbDKLRwJ4Wg9jCXKLh0sQkDEL
  qBiM3oKvglFHK%2Bj2vP4weiXO%2Fr8D6JbvArCPr46B%2F5%2BRozX5mI4lqtMCnsX8stJe9scT59D%
  2Byzkzpmpvf4dSj3URkbt5BWSuxgVTkAjKS1Kqy7Wu19%2FXl5PC%2BS8DPEuYyg7eE9s6vNtt0RaOT1
  9vz4XRjwovZg4%2FB5VPsr%2Bv39jaOdzo%2FmIfpt%2F%2BSfAA%3D,
  localResource=https://myfedhost.mydomain.com/affwebservices/public/saml2slo,
  localLogout=false, soap=false, hasRelayState=false, commonData=requestId:
  273569ff-91856b48-f04185f9-937b9e96-6332c554-879, serviceVersion: 1,
  serviceMinimumVersion: 0, fedApiVersion: 1, post=false, protocolBinding=,
  relayState=, disambiguationId=null]][SingleLogoutTunnelServiceHandler.java][42237]
  [140172045285120][09/01/2021][09:11:16][09:11:16.991][getClientSideInputs][][][]
  [][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [decoded input:<?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutRequest
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="https://myfedhost.mydomain.com/affwebservices/public/saml2slo"
  ID="a9d3jf41e4fj3jg2fjg5jhg63965jh" IssueInstant="2021-09-01T07:11:54.583Z"
  Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  myIssuer</saml2:Issuer><saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myNameID
  </saml2:NameID><saml2p:SessionIndex>14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==
  </saml2p:SessionIndex></saml2p:LogoutRequest>][SAMLSingleLogoutInfo.java][42237]
  [140172045285120][09/01/2021][09:11:17][09:11:17.001][unmarshal][][][][][][][][]
  [][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    IssueInstant="2021-09-01T07:11:54.583Z"

  [SP Info:  {AuthenticationLevel=5, [...] SLOServiceURL=https://myfedhost.mydomain.com/
  affwebservices/public/saml2slo][SAMLSingleLogoutInfo.java][42237][140172045285120]
  [09/01/2021][09:11:17][09:11:17.010][getProviderInfo][][][][][][][][][][]
  [273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
 
    "SkewTime=30"

     EncryptionCertSerialNumber=1d0000405a30484017b3eb908500030000405a
     DSigningAlias=mySignCert
     SignatureAlgo=2
     DSigVerInfoSerialNumber=1d0000405a30484017b3eb908500030000405a
     DSigVerificationAlias=mySignCert
     EncryptionCertIssuerDN=CN=MySignName, DC=myDomain, DC=com
     KEY_SPID=myIssuer
     EncryptionBlockAlgorithm=tripledes
     RequireSignedAuthnRequests=0
     DSigVerificationSecondaryAlias=mySignCert
     Name=myIssuer
     DSigVerInfoIssuerDN=CN=MySignName, DC=myDomain, DC=com
     PostSignatureOption=2
     EncryptionKeyAlgorithm=rsa-v15,

  [ Selected Next Provider. Provider ID: null][SingleLogoutTunnelServiceHandler.java][42237]
  [140172045285120][09/01/2021][09:11:17][09:11:17.015][getNextProvider][][][][][][][][][][]
  [273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [ENTER: getIssuerMetada - Type: SP, Issuer: myIssuer][SAMLSingleLogoutInputMessage.java]
  [42237][140172045285120][09/01/2021][09:11:17][09:11:17.017][getIssuerMetadata][][][]
  [][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [ENTER: hasIssuerMetadata - Type: IdP, Issuer: myIssuer][SAMLSingleLogoutInputMessage.java]
  [42237][140172045285120][09/01/2021][09:11:17][09:11:17.020][hasIssuerMetadata][][][][][]
  [][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [ENTER: verify][SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021]
  [09:11:17][09:11:17.020][verify][][][][][][][][][][]
  [273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [ENTER verifySignature][SAMLSingleLogoutInputMessage.java][42237][140172045285120]
  [09/01/2021][09:11:17][09:11:17.020][verifySignature][][][][][][][][][][]
  [273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
  [Primary certificate to verify signature: alias: "mySignCert"][SignatureProcessor.java]
  [42237][140172045285120][09/01/2021][09:11:17][09:11:17.021][verifyFromHTTP][][][][][][][][]
  [][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
  [Signature verification with primary certificate failed with message:
  Invalid Argument passed to method. ][SignatureProcessor.java][42237][140172045285120]
  [09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][]
  [273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][]
  
  [Checking for secondary certificate][SignatureProcessor.java][42237][140172045285120]
  [09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][]
  [273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
  [Verifying with secondary certificate][SignatureProcessor.java][42237][140172045285120]
  [09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][]
  [273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
  [Secondary certificate to verify signature: alias: "mySignCert"][SignatureProcessor.java]
  [42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][]
  [][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
  [com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method. 
  com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
  com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
  
  com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)]
  [SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.045]
  [setupSession][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

 

Environment

 

  1 Policy Server 12.8SP3 on RedHat 7;
    OpenJDK jdk8u252-b09;
  Policy Store on CA Directory 14.1;
  Session Store on CA Directory
    10.195.147.196:4389 10.195.147.197:4389;
  1 CA Access Gateway (SPS) 12.8SP3 on Windows 2016;

 

Resolution

 

- Synchronize the date and time on all machines so that they match exactly;

- Ask the SP partner to sign the Logout Request before sending it to
  the IdP;

 

Additional Information

 

(1)

    Skew Time

      Specifies the number of seconds (as a positive integer) added and
      subtracted from the current clock time. This adjustment is to account
      for Service Providers with clocks that are not synchronized with the
      Identity Provider. The skew time and the Validity Duration determine
      how the Policy Server calculates the total time that an assertion is
      valid.

      To determine the assertion validity, the skew time is subtracted from
      the assertion generation time (IssueInstant) to get the NotBefore
      time. The skew time is then added to the validity duration and the
      IssueInstant to get the NotOnOrAfter time. The following equations
      illustrate how the skew time is used:

      NotBefore=IssueInstant - Skew Time
      NotOnOrAfter=Validity Duration + Skew Time + IssueInstant

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/legacy-federation-reference/saml-2-0-service-provider-reference/saml-service-provider-general-settings.html

(2)

    Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0

      The <LogoutRequest> message SHOULD be signed or otherwise
      authenticated and integrity protected by the protocol binding
      used to deliver the message.

      p.60

    https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
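As an added worked example (not code from this article or from SiteMinder), the following Python script reproduces the two checks the Cause section makes on an SLO GET request: it decodes the SAMLRequest the way the HTTP-Redirect binding encodes it, reports whether the SigAlg and Signature parameters are present (2), and applies the NotBefore/NotOnOrAfter equations from (1) to the Policy Server clock. It assumes the 09:11:16.938 local stamp in smtracedefault corresponds to 07:11:16.938Z (UTC+2), which is what the article's 38-second figure implies, and uses an assumed validity duration of 60 seconds because the article does not give one.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote

# Constructed LogoutRequest reusing the ID, IssueInstant and Issuer quoted in the article.
SAMPLE_LOGOUT_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Destination="https://myfedhost.mydomain.com/affwebservices/public/saml2slo" '
    'ID="a9d3jf41e4fj3jg2fjg5jhg63965jh" IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">myIssuer</saml2:Issuer>'
    '</saml2p:LogoutRequest>'
)

def redirect_query(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, base64, URL-encode. No SigAlg/Signature is
    added, so the result is an unsigned request like the one in the article."""
    co = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE without zlib header
    deflated = co.compress(xml_text.encode("utf-8")) + co.flush()
    return "SAMLRequest=" + quote(base64.b64encode(deflated).decode("ascii"), safe="")

def check_slo_request(query: str, server_now: datetime, skew_seconds: int, validity_seconds: int) -> dict:
    """Decode an SLO GET query and apply the article's two checks: signature present, and
    server clock inside the skew window derived from IssueInstant."""
    params = parse_qs(query)  # parse_qs undoes the %2B / %2F percent-encoding seen in the logs
    xml_text = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode("utf-8")
    root = ET.fromstring(xml_text)
    issue_instant = datetime.strptime(root.attrib["IssueInstant"], "%Y-%m-%dT%H:%M:%S.%fZ")
    issue_instant = issue_instant.replace(tzinfo=timezone.utc)
    # Equations from the skew-time reference (1):
    #   NotBefore    = IssueInstant - SkewTime
    #   NotOnOrAfter = ValidityDuration + SkewTime + IssueInstant
    not_before = issue_instant - timedelta(seconds=skew_seconds)
    not_on_or_after = issue_instant + timedelta(seconds=validity_seconds + skew_seconds)
    return {
        # HTTP-Redirect carries a signature as the SigAlg and Signature query parameters (2).
        "signed": "SigAlg" in params and "Signature" in params,
        # Positive: the receiving server's clock is behind the sender's IssueInstant.
        "clock_offset_seconds": round((issue_instant - server_now).total_seconds()),
        "in_window": not_before <= server_now < not_on_or_after,
    }

if __name__ == "__main__":
    # Assumed: the 09:11:16.938 local stamp in smtracedefault is 07:11:16.938Z (UTC+2), as the
    # article's "38 seconds" implies; the 60 s validity duration is an assumed value, not from the page.
    behind = datetime(2021, 9, 1, 7, 11, 16, 938000, tzinfo=timezone.utc)
    print(check_slo_request(redirect_query(SAMPLE_LOGOUT_REQUEST), behind, 30, 60))
```

With the page's values the request is reported as unsigned and 38 seconds ahead of the server clock, outside the 30-second window; with the clocks in sync the same request falls inside the window, which is why the first resolution step is clock synchronization.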