When SiteMinder runs as the IdP in a federation journey and the user tries to
log out, the browser shows the error:
"An error occurred during the logout process. Please close your browser".
The Federation Service reports an error in the signature verification
phase:
Exception when processing an SLO message:
com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method.
The configuration has SkewTime=30, the IssueInstant is
2021-09-01T07:11:54.583Z, and the Policy Server time (09:11:16.938) is 38 seconds
behind it (1).
The SAMLRequest for the logout is not signed, as it should be (2).
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://myfedhost.mydomain.com/affwebservices/public/saml2slo"
ID="a9d3jf41e4fj3jg2fjg5jhg63965jh"
IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
myIssuer
</saml2:Issuer>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
myNameID
</saml2:NameID>
<saml2p:SessionIndex>
14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==
</saml2p:SessionIndex></saml2p:LogoutRequest>
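As an added example (not SiteMinder code and not from this article), the following Python reproduces the two IdP-side checks that the traces below show failing: it decodes a constructed copy of the HTTP-Redirect-binding SAMLRequest above (raw DEFLATE, base64, URL-encoding, which is why the log shows %2F and %2B), reports whether the query carried a Signature/SigAlg pair at all, and applies the SkewTime rule from footnote (1) (NotBefore = IssueInstant - SkewTime) against the local clock. The Policy Server clock value 07:11:16.938Z is an assumption (the local time 09:11:16.938 in the trace taken as UTC+2), the Signature value in the "signed" variant is a placeholder, and real cryptographic verification is not implemented.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAML2P_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the same unsigned LogoutRequest shown in this article, as the SP built it.
SAMPLE_LOGOUT_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Destination="https://myfedhost.mydomain.com/affwebservices/public/saml2slo" '
    'ID="a9d3jf41e4fj3jg2fjg5jhg63965jh" IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">myIssuer</saml2:Issuer>'
    '<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myNameID</saml2:NameID>'
    '<saml2p:SessionIndex>14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==</saml2p:SessionIndex>'
    '</saml2p:LogoutRequest>'
)

# Assumption: the Policy Server local time 09:11:16.938 from the trace is UTC+2, i.e. 07:11:16.938Z.
POLICY_SERVER_NOW = datetime(2021, 9, 1, 7, 11, 16, 938000, tzinfo=timezone.utc)
# Constructed "clocks in sync" value: a few hundred milliseconds after the IssueInstant.
SYNCED_NOW = datetime(2021, 9, 1, 7, 11, 54, 900000, tzinfo=timezone.utc)


def encode_redirect_binding(xml_text, signed=False):
    """SP side of the HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    raw = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if signed:
        # Placeholder values only: a real SP signs "SAMLRequest=...&SigAlg=..." with its private key.
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"placeholder-signature-bytes").decode("ascii")
    return urlencode(params)


def decode_redirect_binding(query):
    """IdP side: parse the query string, base64-decode, inflate raw DEFLATE back to XML text."""
    params = parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def parse_saml_instant(value):
    """xs:dateTime as SAML writes it: UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_logout_request(query, now, skew_seconds):
    """Pre-checks an IdP should make on an inbound SLO request before handing it to the
    signature verifier. 'now' must be a timezone-aware datetime. An empty 'problems' list
    means the request may proceed to cryptographic verification."""
    params = parse_qs(query)
    signed = "Signature" in params and "SigAlg" in params
    root = ET.fromstring(decode_redirect_binding(query).encode("utf-8"))
    problems = []
    if root.tag != "{%s}LogoutRequest" % SAML2P_NS:
        return {"signed": signed, "issue_instant_offset_s": None, "problems": ["not-a-LogoutRequest"]}
    if not signed:
        problems.append("unsigned")  # SAML core: the LogoutRequest SHOULD be signed
    issue_instant = parse_saml_instant(root.attrib["IssueInstant"])
    offset = (issue_instant - now).total_seconds()  # positive: issued ahead of our clock
    # NotBefore = IssueInstant - SkewTime; if even NotBefore is still ahead of the local
    # clock, the SP's clock is further ahead than SkewTime allows.
    if issue_instant - timedelta(seconds=skew_seconds) > now:
        problems.append("issue-instant-ahead-of-local-clock")
    return {"signed": signed, "issue_instant_offset_s": offset, "problems": problems}


if __name__ == "__main__":
    print(check_logout_request(encode_redirect_binding(SAMPLE_LOGOUT_REQUEST), POLICY_SERVER_NOW, 30))
    print(check_logout_request(encode_redirect_binding(SAMPLE_LOGOUT_REQUEST, signed=True), SYNCED_NOW, 30))
```

Run against the article's numbers, the first call reports the request as unsigned and the IssueInstant 37.645 s ahead of the Policy Server clock, outside the 30 s SkewTime window; the second call (signed, clocks in sync) reports no problems. Rejecting an unsigned request explicitly, rather than passing an absent signature to a verifier, gives operators a much more direct diagnosis than "Invalid Argument passed to method".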
FWSTrace.log :
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
[SLOService.java][doGet][Receiving request at SAML2 SLO Logout URL through GET method
[CHECKPOINT = SLOSAML2_LOGOUTSERVICEGET_RECEIVE]]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
[SLOService.java][doGet][SLORequest: SAMLRequest=dASERFfsda4444ds7eProBQsNGjAQlo
okCxvhWtrvRubWzt%2FPj31snEDTRB5%2Ba3J5z7jmnHU%2Fe6sp5AY1CyZhQLyAOyFRlQhYxWa9m7pB
MkjHyugobtlCFas0dPLeAxrFMiezrKiatlkxxFMgkrwGZSdny7HrBQi9gjVZGpaoiztQSheSm27Y1pkH
m%2B1jz1mxp6Gkw4BkLdasSserwSSGQb%2BIFNBv2k0lUr9biJUiznwaEz7KojLvUejlZVQWYV4W%2F
XJbDKLRwJ4Wg9jCXKLh0sQkDELqBiM3oKvglFHK%2Bj2vP4weiXO%2Fr8D6JbvArCPr46B%2F5%2BRoz
X5mI4lqtMCnsX8stJe9scT59D%2Byzkzpmpvf4dSj3URkbt5BWSuxgVTkAjKS1Kqy7Wu19%2FXl5PC%2
BS8DPEuYyg7eE9s6vNtt0RaOT19vz4XRjwovZg4%2FB5VPsr%2Bv39jaOdzo%2FmIfpt%2F%2BSfAA%3D]
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://myfedhost.mydomain.com/affwebservices/public/saml2slo"
ID="a9d3jf41e4fj3jg2fjg5jhg63965jh" IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
myIssuer
</saml2:Issuer>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
myNameID
</saml2:NameID>
<saml2p:SessionIndex>
14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==
</saml2p:SessionIndex>
</saml2p:LogoutRequest>
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
[SLOService.java][doGet][SLORequest: SAMLRequest=dASERFfsda4444ds7eProBQsNGjAQlo
okCxvhWtrvRubWzt%2FPj31snEDTRB5%2Ba3J5z7jmnHU%2Fe6sp5AY1CyZhQLyAOyFRlQhYxWa9m7pB
MkjHyugobtlCFas0dPLeAxrFMiezrKiatlkxxFMgkrwGZSdny7HrBQi9gjVZGpaoiztQSheSm27Y1pkH
m%2B1jz1mxp6Gkw4BkLdasSserwSSGQb%2BIFNBv2k0lUr9biJUiznwaEz7KojLvUejlZVQWYV4W%2F
XJbDKLRwJ4Wg9jCXKLh0sQkDELqBiM3oKvglFHK%2Bj2vP4weiXO%2Fr8D6JbvArCPr46B%2F5%2BRoz
X5mI4lqtMCnsX8stJe9scT59D%2Byzkzpmpvf4dSj3URkbt5BWSuxgVTkAjKS1Kqy7Wu19%2FXl5PC%2
BS8DPEuYyg7eE9s6vNtt0RaOT19vz4XRjwovZg4%2FB5VPsr%2Bv39jaOdzo%2FmIfpt%2F%2BSfAA%3D]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
[SLOService.java][handleLogout][RequestID: 273569ff-91856b48-f04185f9-937b9e96-6332c554-879]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
[SAMLTunnelClient.java][callSingleLogout][Tunnel result code: 1.]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
[SLOService.java][handleLogout][
TUNNEL STATUS:
status : 2
message : Exception when processing an SLO message: com.netegrity.SAML2Security.DSigException:
Invalid Argument passed to method.
com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
[SLOService.java][handleLogoutFailure][Redirecting to error handling URL
[CHECKPOINT = SLOSAML2_ERRORURL_REDIRECT]]
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222]
[SLOService.java][handleLogoutFailure][Displaying default failure page.]
smps.log :
[42237/140172045285120][Wed Sep 01 2021 09:11:17][SingleLogoutTunnelServiceHandler.java]
[ERROR][sm-FedServer-00330] com.netegrity.SAML2Security.DSigException:
Invalid Argument passed to method.
com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)
smtracedefault_20210901_091133.log :
[Resolved all the input parameters][CServer.cpp:6557][42237][140172045285120]
[09/01/2021][09:11:16][09:11:16.938][CServer::Tunnel][][][][][][][][][][]
[13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][][][][][][][][10.195.145.68][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[Lib='smjavaapi', Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService',
Server='', Device=''][][][][][][][][][]
[Received an SLO message.SamlSloRequestData [sessionId=14CKbhcT13+wQC8Dbt2GFX/s0Hk=,
sloMessage=SAMLRequest=dASERFfsda4444ds7eProBQsNGjAQlookCxvhWtrvRubWzt%2FPj31snE
DTRB5%2Ba3J5z7jmnHU%2Fe6sp5AY1CyZhQLyAOyFRlQhYxWa9m7pBMkjHyugobtlCFas0dPLeAxrFMi
ezrKiatlkxxFMgkrwGZSdny7HrBQi9gjVZGpaoiztQSheSm27Y1pkHm%2B1jz1mxp6Gkw4BkLaRQa8Hm
ev8IGQb%2BIFNBv2k0lUr9biJUiznwaEz7KojLvUejlZVQWYV4W%2FXJbDKLRwJ4Wg9jCXKLh0sQkDEL
qBiM3oKvglFHK%2Bj2vP4weiXO%2Fr8D6JbvArCPr46B%2F5%2BRozX5mI4lqtMCnsX8stJe9scT59D%
2Byzkzpmpvf4dSj3URkbt5BWSuxgVTkAjKS1Kqy7Wu19%2FXl5PC%2BS8DPEuYyg7eE9s6vNtt0RaOT1
9vz4XRjwovZg4%2FB5VPsr%2Bv39jaOdzo%2FmIfpt%2F%2BSfAA%3D,
localResource=https://myfedhost.mydomain.com/affwebservices/public/saml2slo,
localLogout=false, soap=false, hasRelayState=false, commonData=requestId:
273569ff-91856b48-f04185f9-937b9e96-6332c554-879, serviceVersion: 1,
serviceMinimumVersion: 0, fedApiVersion: 1, post=false, protocolBinding=,
relayState=, disambiguationId=null]][SingleLogoutTunnelServiceHandler.java][42237]
[140172045285120][09/01/2021][09:11:16][09:11:16.991][getClientSideInputs][][][]
[][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[decoded input:<?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://myfedhost.mydomain.com/affwebservices/public/saml2slo"
ID="a9d3jf41e4fj3jg2fjg5jhg63965jh" IssueInstant="2021-09-01T07:11:54.583Z"
Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
myIssuer</saml2:Issuer><saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myNameID
</saml2:NameID><saml2p:SessionIndex>14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==
</saml2p:SessionIndex></saml2p:LogoutRequest>][SAMLSingleLogoutInfo.java][42237]
[140172045285120][09/01/2021][09:11:17][09:11:17.001][unmarshal][][][][][][][][]
[][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
"IssueInstant="2021-09-01T07:11:54.583Z"
[SP Info: {AuthenticationLevel=5, [...] SLOServiceURL=https://myfedhost.mydomain.com/
affwebservices/public/saml2slo][SAMLSingleLogoutInfo.java][42237][140172045285120]
[09/01/2021][09:11:17][09:11:17.010][getProviderInfo][][][][][][][][][][]
[273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
"SkewTime=30"
EncryptionCertSerialNumber=1d0000405a30484017b3eb908500030000405a
DSigningAlias=mySignCert
SignatureAlgo=2
DSigVerInfoSerialNumber=1d0000405a30484017b3eb908500030000405a
DSigVerificationAlias=mySignCert
EncryptionCertIssuerDN=CN=MySignName, DC=myDomain, DC=com
KEY_SPID=myIssuer
EncryptionBlockAlgorithm=tripledes
RequireSignedAuthnRequests=0
DSigVerificationSecondaryAlias=mySignCert
Name=myIssuer
DSigVerInfoIssuerDN=CN=MySignName, DC=myDomain, DC=com
PostSignatureOption=2
EncryptionKeyAlgorithm=rsa-v15,
[ Selected Next Provider. Provider ID: null][SingleLogoutTunnelServiceHandler.java][42237]
[140172045285120][09/01/2021][09:11:17][09:11:17.015][getNextProvider][][][][][][][][][][]
[273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][]
[ENTER: getIssuerMetada - Type: SP, Issuer: myIssuer][SAMLSingleLogoutInputMessage.java]
[42237][140172045285120][09/01/2021][09:11:17][09:11:17.017][getIssuerMetadata][][][]
[][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[ENTER: hasIssuerMetadata - Type: IdP, Issuer: myIssuer][SAMLSingleLogoutInputMessage.java]
[42237][140172045285120][09/01/2021][09:11:17][09:11:17.020][hasIssuerMetadata][][][][][]
[][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[ENTER: verify][SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021]
[09:11:17][09:11:17.020][verify][][][][][][][][][][]
[273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][]
[ENTER verifySignature][SAMLSingleLogoutInputMessage.java][42237][140172045285120]
[09/01/2021][09:11:17][09:11:17.020][verifySignature][][][][][][][][][][]
[273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[Primary certificate to verify signature: alias: "mySignCert"][SignatureProcessor.java]
[42237][140172045285120][09/01/2021][09:11:17][09:11:17.021][verifyFromHTTP][][][][][][][][]
[][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[Signature verification with primary certificate failed with message:
Invalid Argument passed to method. ][SignatureProcessor.java][42237][140172045285120]
[09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][]
[273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][]
[Checking for secondary certificate][SignatureProcessor.java][42237][140172045285120]
[09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][]
[273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[Verifying with secondary certificate][SignatureProcessor.java][42237][140172045285120]
[09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][]
[273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[Secondary certificate to verify signature: alias: "mySignCert"][SignatureProcessor.java]
[42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][]
[][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method.
com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)]
[SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.045]
[setupSession][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
1 Policy Server 12.8SP3 on RedHat 7;
OpenJDK jdk8u252-b09;
Policy Store on CA Directory 14.1;
Session Store on CA Directory 10.195.147.196:4389 10.195.147.197:4389;
1 CA Access Gateway (SPS) 12.8SP3 on Windows 2016;
- Configure all machines to have the exact same date and time;
- Ask the SP partner to sign the LogoutRequest before sending it to
the IdP;
(1)
Skew Time
Specifies the number of seconds (as a positive integer) added and
subtracted from the current clock time. This adjustment is to account
for Service Providers with clocks that are not synchronized with the
Identity Provider. The skew time and the Validity Duration determine
how the Policy Server calculates the total time that an assertion is
valid.
To determine the assertion validity, the skew time is subtracted from
the assertion generation time (IssueInstant) to get the NotBefore
time. The skew time is then added to the validity duration and the
IssueInstant to get the NotOnOrAfter time. The following equations
illustrate how the skew time is used:
NotBefore=IssueInstant - Skew Time
NotOnOrAfter=Validity Duration + Skew Time + IssueInstant
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/legacy-federation-reference/saml-2-0-service-provider-reference/saml-service-provider-general-settings.html
(2)
Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0
The <LogoutRequest> message SHOULD be signed or otherwise
authenticated and integrity protected by the protocol binding
used to deliver the message.
p.60
https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf