Error: Invalid Argument passed to method in Logout SAML Federation Policy Server


Article ID: 224354


Updated On:

Products

CA Single Sign On Federation (SiteMinder)
SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

When the Policy Server acts as the IdP in a federation and a user tries to log out, the browser shows the error:

"An error occurred during the logout process. Please close your browser".

The Federation Web Services trace reports an error in the signature verification phase of the Single Logout (SLO) request:

Exception when processing an SLO message:

com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method.

Cause

The SP configuration has SkewTime=30, the IssueInstant of the LogoutRequest is 2021-09-01T07:11:54.583Z, and the Policy Server clock is about 38 seconds behind it: smtracedefault.log stamps the request at 09:11:16.938 local time while FWSTrace.log stamps the same request at 09:11:54 (1). A 38-second offset exceeds the configured 30-second SkewTime.

The LogoutRequest (the SAMLRequest parameter) is not signed, although the IdP is configured to verify a signature on it (see DSigVerificationAlias in the SP Info below), so verification fails with "Invalid Argument passed to method" (2). The request reached the SLO URL by GET, i.e. the HTTP-Redirect binding, where the signature is carried in the SigAlg and Signature query parameters rather than inside the XML; the absence of a ds:Signature element in the decoded message is therefore not enough on its own, and the received query string must be checked for those two parameters as well.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://fed.example.com/affwebservices/public/saml2slo"
    ID="<value>"
    IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <issuer>
  </saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    <nameid>
  </saml2:NameID>
  <saml2p:SessionIndex>
    <value>
  </saml2p:SessionIndex>
</saml2p:LogoutRequest>

FWSTrace.log:

[09/01/2021][09:11:54][9128][4324][][SLOService.java][doGet][Receiving request at SAML2 SLO Logout URL through GET method[CHECKPOINT = SLOSAML2_LOGOUTSERVICEGET_RECEIVE]]
[09/01/2021][09:11:54][9128][4324][][SLOService.java][doGet][SLORequest: SAMLRequest=<value>]

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
   Destination="https://fed.example.com/affwebservices/public/saml2slo"
   ID="<id>" IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
   <issuer>
   </saml2:Issuer>
   <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
   <nameid>
   </saml2:NameID>
   <saml2p:SessionIndex>
   <value>
   </saml2p:SessionIndex>
</saml2p:LogoutRequest>

[09/01/2021][09:11:54][9128][4324][][SLOService.java][doGet][SLORequest: SAMLRequest=<value>]
[09/01/2021][09:11:54][9128][4324][][SLOService.java][handleLogout][RequestID: <value>]
[09/01/2021][09:11:54][9128][4324][][SAMLTunnelClient.java][callSingleLogout][Tunnel result code: 1.]
[09/01/2021][09:11:54][9128][4324][][SLOService.java][handleLogout][
  
  TUNNEL STATUS:
     status  : 2
     message : Exception when processing an SLO message: com.netegrity.SAML2Security.DSigException:
               Invalid Argument passed to method.
     
  com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
  com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
  
[09/01/2021][09:11:54][9128][4324][][SLOService.java][handleLogoutFailure][Redirecting to error handling URL [CHECKPOINT = SLOSAML2_ERRORURL_REDIRECT]]
[09/01/2021][09:11:54][9128][4324][][SLOService.java][handleLogoutFailure][Displaying default failure page.]

smps.log:

[42237/140172045285120][Wed Sep 01 2021 09:11:17][SingleLogoutTunnelServiceHandler.java][ERROR][sm-FedServer-00330] com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method.
  
  com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
  com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)

smtracedefault.log:

[Resolved all the input parameters][CServer.cpp:6557][42237][140172045285120][09/01/2021][09:11:16][09:11:16.938][CServer::Tunnel][][][][][][][][][][][][][][][][][][][10.0.0.1][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Lib='smjavaapi', Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService',Server='', Device='']
[Received an SLO message.SamlSloRequestData [sessionId=<value>,sloMessage=SAMLRequest=<value>, localResource=https://fed.example.com/affwebservices/public/saml2slo, localLogout=false, soap=false, hasRelayState=false, commonData=requestId: <value>, serviceVersion: 1, serviceMinimumVersion: 0, fedApiVersion: 1, post=false, protocolBinding=, relayState=, disambiguationId=null]][SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:16][09:11:16.991][getClientSideInputs]
[decoded input:<?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://fed.example.com/affwebservices/public/saml2slo" ID="<value>" IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><issuer></saml2:Issuer><saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><nameid></saml2:NameID><saml2p:SessionIndex><value></saml2p:SessionIndex></saml2p:LogoutRequest>][SAMLSingleLogoutInfo.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.001][unmarshal]

    IssueInstant="2021-09-01T07:11:54.583Z"

[SP Info:  {AuthenticationLevel=5, [...] SLOServiceURL=https://fed.example.com/affwebservices/public/saml2slo][SAMLSingleLogoutInfo.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.010][getProviderInfo]
 
    SkewTime=30

     EncryptionCertSerialNumber=<number>
     DSigningAlias=<alias>
     SignatureAlgo=2
     DSigVerInfoSerialNumber=<number>
     DSigVerificationAlias=<alias>

[Selected Next Provider. Provider ID: null][SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.015][getNextProvider]
[ENTER: getIssuerMetada - Type: SP, Issuer: <issuer>][SAMLSingleLogoutInputMessage.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.017][getIssuerMetadata]
[ENTER: hasIssuerMetadata - Type: IdP, Issuer: <issuer>][SAMLSingleLogoutInputMessage.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.020][hasIssuerMetadata]
[ENTER: verify][SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.020][verify]
[ENTER verifySignature][SAMLSingleLogoutInputMessage.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.020][verifySignature]
[Primary certificate to verify signature: alias: "<alias>"][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.021][verifyFromHTTP]
[Signature verification with primary certificate failed with message: Invalid Argument passed to method. ][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP]
[Checking for secondary certificate][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP]
[Verifying with secondary certificate][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP]
[Secondary certificate to verify signature: alias: "<alias>"][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP]
  
[com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method. 
  com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
  com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
  
  com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)]

[SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.045][setupSession]
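The two checks made in the Cause section (IssueInstant against the Policy Server clock with SkewTime, and whether the Redirect-binding request carries a signature) can be reproduced offline from a captured SLO URL. The following script is an added example, not code from the product or from this article. It assumes the local time zone is UTC+2 (FWSTrace.log stamps 09:11:54 for an IssueInstant of 07:11:54Z), uses a constructed LogoutRequest whose Issuer, NameID and SessionIndex values are placeholders, and only tests for the presence of the SigAlg and Signature parameters; validating the signature itself would need the SP's verification certificate.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SLO_URL = "https://fed.example.com/affwebservices/public/saml2slo"

# Constructed sample modelled on the LogoutRequest in this article; Issuer, NameID and
# SessionIndex are placeholder values, IssueInstant is the one from the article.
SAMPLE_LOGOUT_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://fed.example.com/affwebservices/public/saml2slo"
    ID="_example-request-id" IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/saml</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml2:NameID>
  <saml2p:SessionIndex>_example-session-index</saml2p:SessionIndex>
</saml2p:LogoutRequest>
"""

# Policy Server clock from smtracedefault.log (09:11:16.938 local). FWSTrace.log stamps the same
# request at 09:11:54 for IssueInstant 07:11:54Z, so local time is assumed to be UTC+2.
POLICY_SERVER_NOW = datetime(2021, 9, 1, 9, 11, 16, 938000, tzinfo=timezone(timedelta(hours=2)))
SKEW_TIME = 30  # seconds, from the SP Info in smtracedefault.log


def deflate_encode(xml_text: str) -> str:
    """Encode a message as the HTTP-Redirect binding requires: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def deflate_decode(b64_text: str) -> str:
    """Inverse of deflate_encode; this is what the SLO service does with the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(b64_text), -15).decode("utf-8")


def parse_issue_instant(xml_text: str) -> datetime:
    """Return the LogoutRequest IssueInstant as an aware UTC datetime (with or without fractions)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"not a saml2p:LogoutRequest: {root.tag}")
    value = root.attrib["IssueInstant"]
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable IssueInstant: {value}")


def check_slo_redirect(url: str, server_now: datetime, skew_seconds: int) -> dict:
    """Triage an HTTP-Redirect SLO URL: decode the request, compare IssueInstant with the
    server clock, and report whether the query string carries SigAlg and Signature."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in query string")
    issue_instant = parse_issue_instant(deflate_decode(query["SAMLRequest"][0]))
    # Positive delta: server clock ahead of the issuer; negative: server clock behind it.
    delta = (server_now.astimezone(timezone.utc) - issue_instant).total_seconds()
    return {
        "issue_instant": issue_instant,
        "clock_delta_seconds": delta,
        "within_skew": abs(delta) <= skew_seconds,
        # Presence only: validating Signature needs the SP's verification certificate.
        "signed": "SigAlg" in query and "Signature" in query,
        "sig_alg": query.get("SigAlg", [None])[0],
    }


def build_unsigned_url() -> str:
    """The shape of the request in this article: SAMLRequest only."""
    return SLO_URL + "?" + urllib.parse.urlencode({"SAMLRequest": deflate_encode(SAMPLE_LOGOUT_REQUEST)})


def build_signed_shape_url() -> str:
    """Same message with the two parameters a signed Redirect-binding request carries.
    The Signature value is a placeholder, not a real RSA signature."""
    params = {
        "SAMLRequest": deflate_encode(SAMPLE_LOGOUT_REQUEST),
        "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "Signature": base64.b64encode(b"placeholder-not-a-real-signature").decode("ascii"),
    }
    return SLO_URL + "?" + urllib.parse.urlencode(params)


if __name__ == "__main__":
    for label, url in (("unsigned", build_unsigned_url()), ("signed shape", build_signed_shape_url())):
        print(label, check_slo_redirect(url, POLICY_SERVER_NOW, SKEW_TIME))
```

Run against the article's values, the unsigned URL reports a clock delta of about -37.6 seconds (outside the 30-second skew) and signed=False, which is the combination seen in the logs above; a real capture can be fed in by pasting the full SLO URL from FWSTrace.log in place of build_unsigned_url().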

Resolution

  • Synchronize the clocks of the Policy Server, the Secure Proxy Server / Federation Web Services host and the SP partner against a common time source (NTP); the offset between them must stay within the configured SkewTime (30 seconds here).
  • Ask the SP partner to sign the LogoutRequest before sending it to the IdP. For the HTTP-Redirect binding this means the request URL carries SigAlg and Signature query parameters alongside SAMLRequest; confirm in FWSTrace.log that the received SLO request includes them.

Additional Information