Error: Invalid Argument passed to method in Logout SAML Federation
Article ID: 224354


Products

CA Single Sign On Federation (SiteMinder); SITEMINDER; CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

When SiteMinder acts as the IdP in a SAML 2.0 federation and a user tries to log out, the browser shows the error:

"An error occurred during the logout process. Please close your browser".

The Federation Service reports an error at the signature verification phase:

Exception when processing an SLO message:
com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method.

Environment

 

  • 1 Policy Server 12.8SP3 on RedHat 7, OpenJDK jdk8u252-b09;
  • Policy Store on CA Directory 14.1;
  • Session Store on CA Directory (10.195.147.196:4389, 10.195.147.197:4389);
  • 1 CA Access Gateway (SPS) 12.8SP3 on Windows 2016;

 

Cause

 

The partner configuration has SkewTime=30 (1). The IssueInstant of the LogoutRequest is 2021-09-01T07:11:54.583Z, but the Policy Server processed it at 09:11:16.938 local time, about 38 seconds earlier: its clock runs behind the SP's by more than the 30-second skew allowance, so the request appears to come from the future.

The SAMLRequest carrying the LogoutRequest is not signed: the GET to the SLO URL carries only a SAMLRequest parameter and no SigAlg or Signature parameters, although the SAML 2.0 Single Logout profile requires the requester to sign logout messages sent over the front-channel bindings (2). The Federation Service therefore runs signature verification on a request that has no signature, and DSigVerifier.VerifyFromHTTP fails with "Invalid Argument passed to method".

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="https://_fed._domain._com/affwebservices/public/saml2slo"
  ID="a9d3jf41e4fj3jg2fjg5jhg63965jh"
  IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    myIssuer
  </saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    myNameID
  </saml2:NameID>
  <saml2p:SessionIndex>
    14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==
  </saml2p:SessionIndex>
</saml2p:LogoutRequest>

FWSTrace.log :

[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][doGet][Receiving request at SAML2 SLO Logout URL through GET method[CHECKPOINT = SLOSAML2_LOGOUTSERVICEGET_RECEIVE]]

[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][doGet][SLORequest: SAMLRequest=dASERFfsda4444ds7eProBQsNGjAQlookCxvhWtrvRubWzt%2FPj31snEDTRB5%2Ba3J5z7jmnHU%2Fe6sp5AY1CyZhQLyAOyFRlQhYxWa9m7pB [...omitted for brevity...] BS8DPEuYyg7eE9s6vNtt0RaOT19vz4XRjwovZg4%2FB5VPsr%2Bv39jaOdzo%2FmIfpt%2F%2BSfAA%3D]

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
   Destination="https://_fed._domain._com/affwebservices/public/saml2slo"
   ID="a9d3jf41e4fj3jg2fjg5jhg63965jh" IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
   myIssuer
   </saml2:Issuer>
   <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
   myNameID
   </saml2:NameID>
   <saml2p:SessionIndex>
   14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==
   </saml2p:SessionIndex>
</saml2p:LogoutRequest>

[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][doGet][SLORequest: SAMLRequest=dASERFfsda4444ds7eProBQsNGjAQlo [...omitted for brevity...] BS8DPEuYyg7eE9s6vNtt0RaOT19vz4XRjwovZg4%2FB5VPsr%2Bv39jaOdzo%2FmIfpt%2F%2BSfAA%3D]
  
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][handleLogout][RequestID: 273569ff-91856b48-f04185f9-937b9e96-6332c554-879]
  
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SAMLTunnelClient.java][callSingleLogout][Tunnel result code: 1.]
  
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][handleLogout][
  
  TUNNEL STATUS:
     status  : 2
     message : Exception when processing an SLO message: com.netegrity.SAML2Security.DSigException:
               Invalid Argument passed to method.
     
  com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
  com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
  com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)]
  
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][handleLogoutFailure][Redirecting to error handling URL [CHECKPOINT = SLOSAML2_ERRORURL_REDIRECT]]
  
[09/01/2021][09:11:54][9128][4324][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][SLOService.java][handleLogoutFailure][Displaying default failure page.]

smps.log :

[42237/140172045285120][Wed Sep 01 2021 09:11:17][SingleLogoutTunnelServiceHandler.java][ERROR][sm-FedServer-00330] com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method.
  
  com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
  com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)

smtracedefault.log:

[Resolved all the input parameters][CServer.cpp:6557][42237][140172045285120][09/01/2021][09:11:16][09:11:16.938][CServer::Tunnel][][][][][][][][][][][13858113-432cc8b4-ef98f6f4-d6ab84c4-a103924b-222][][][][][][][][10.0.0.1][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Lib='smjavaapi', Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService',Server='', Device=''][][][][][][][][][]

[Received an SLO message.SamlSloRequestData [sessionId=14CKbhcT13+wQC8Dbt2GFX/s0Hk=,sloMessage=SAMLRequest=dASERFfsda4444ds7eProBQsNGjAQlookCxvhWtrvRubWzt%2FPj31snE [...omitted for brevity...] 9vz4XRjwovZg4%2FB5VPsr%2Bv39jaOdzo%2FmIfpt%2F%2BSfAA%3D, localResource=https://_fed._domain._com/affwebservices/public/saml2slo, localLogout=false, soap=false, hasRelayState=false, commonData=requestId: 273569ff-91856b48-f04185f9-937b9e96-6332c554-879, serviceVersion: 1, serviceMinimumVersion: 0, fedApiVersion: 1, post=false, protocolBinding=, relayState=, disambiguationId=null]][SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:16][09:11:16.991][getClientSideInputs][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[decoded input:<?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://_fed._domain._com/affwebservices/public/saml2slo" ID="a9d3jf41e4fj3jg2fjg5jhg63965jh" IssueInstant="2021-09-01T07:11:54.583Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> myIssuer</saml2:Issuer><saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myNameID </saml2:NameID><saml2p:SessionIndex>14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ== </saml2p:SessionIndex></saml2p:LogoutRequest>][SAMLSingleLogoutInfo.java][42237] [140172045285120][09/01/2021][09:11:17][09:11:17.001][unmarshal][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    IssueInstant="2021-09-01T07:11:54.583Z"

[SP Info:  {AuthenticationLevel=5, [...] SLOServiceURL=https://_fed._domain._com/affwebservices/public/saml2slo][SAMLSingleLogoutInfo.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.010][getProviderInfo][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
 
    SkewTime=30

     EncryptionCertSerialNumber=1d0000405a30484017b3eb908500030000405a
     DSigningAlias=mySignCert
     SignatureAlgo=2
     DSigVerInfoSerialNumber=1d0000405a30484017b3eb908500030000405a
     DSigVerificationAlias=mySignCert
     EncryptionCertIssuerDN=CN=MySignName, DC=myDomain, DC=com
     KEY_SPID=myIssuer
     EncryptionBlockAlgorithm=tripledes
     RequireSignedAuthnRequests=0
     DSigVerificationSecondaryAlias=mySignCert
     Name=myIssuer
     DSigVerInfoIssuerDN=CN=MySignName, DC=_domain, DC=_com
     PostSignatureOption=2
     EncryptionKeyAlgorithm=rsa-v15,

[ Selected Next Provider. Provider ID: null][SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.015][getNextProvider][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[ENTER: getIssuerMetada - Type: SP, Issuer: myIssuer][SAMLSingleLogoutInputMessage.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.017][getIssuerMetadata][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[ENTER: hasIssuerMetadata - Type: IdP, Issuer: myIssuer][SAMLSingleLogoutInputMessage.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.020][hasIssuerMetadata][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[ENTER: verify][SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.020][verify][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[ENTER verifySignature][SAMLSingleLogoutInputMessage.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.020][verifySignature][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
[Primary certificate to verify signature: alias: "mySignCert"][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.021][verifyFromHTTP][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
[Signature verification with primary certificate failed with message: Invalid Argument passed to method. ][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
[Checking for secondary certificate][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
[Verifying with secondary certificate][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
[Secondary certificate to verify signature: alias: "mySignCert"][SignatureProcessor.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.024][verifyFromHTTP][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
[com.netegrity.SAML2Security.DSigException: Invalid Argument passed to method.
  com.netegrity.SAML2Security.DSigVerifier.VerifyFromHTTP(Unknown Source)
  com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.doVerifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verifySignature(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutInputMessage.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.verify(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.setupSession(Unknown Source)
  com.netegrity.federationps.tunnel.SingleLogoutTunnelServiceHandler.tunnelHandler(Unknown Source)
  com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService.tunnel(Unknown Source)
  
  com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)]

[SingleLogoutTunnelServiceHandler.java][42237][140172045285120][09/01/2021][09:11:17][09:11:17.045][setupSession][][][][][][][][][][][273569ff-91856b48-f04185f9-937b9e96-6332c554-879][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

 

Resolution

 

  • Synchronise the clocks of the Policy Server, the Access Gateway and the SP (for example with NTP) so that the IssueInstant of incoming messages falls within SkewTime of the receiver's clock. Widening SkewTime instead of fixing the drift also widens the window in which a captured logout message remains acceptable;
  • Ask the SP partner to sign the LogoutRequest before sending it to the IdP. With the HTTP-Redirect binding a signed request carries SigAlg and Signature query parameters next to SAMLRequest; the request traced above carries SAMLRequest only;
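
As an added example (not SiteMinder's code and not part of the original article), the following Python script performs, on the LogoutRequest quoted in the Cause section, the two receiver-side checks this case involves: it decodes the HTTP-Redirect SAMLRequest parameter (raw DEFLATE plus base64), compares IssueInstant with the receiver's clock under a SkewTime allowance, and checks that the SigAlg and Signature parameters are present, building the exact string such a signature covers. It assumes the Policy Server's local 09:11:16.938 is UTC+2 (07:11:16.938Z), and the "fixed" request uses a placeholder Signature value; the RSA verification SiteMinder performs next, against the partner certificate, is not included.

```python
"""Receiver-side checks on a SAML 2.0 LogoutRequest carried by the HTTP-Redirect
binding: decode SAMLRequest, compare IssueInstant with the local clock under a
skew allowance, and check for the SigAlg/Signature parameters the binding uses.
Added example, not SiteMinder code; the sample request is constructed from the
LogoutRequest quoted in the article."""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SLO_URL = "https://_fed._domain._com/affwebservices/public/saml2slo"

# Constructed from the article's decoded request (whitespace removed).
LOGOUT_REQUEST_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Destination="https://_fed._domain._com/affwebservices/public/saml2slo" '
    'ID="a9d3jf41e4fj3jg2fjg5jhg63965jh" IssueInstant="2021-09-01T07:11:54.583Z" '
    'Version="2.0">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">myIssuer</saml2:Issuer>'
    '<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myNameID</saml2:NameID>'
    '<saml2p:SessionIndex>14CKbhcT13+wQC8Dbt2GFX/s0Hk=/UmyuQ==</saml2p:SessionIndex>'
    '</saml2p:LogoutRequest>'
)


def encode_redirect(xml_text: str) -> str:
    """Redirect-binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode()


def decode_redirect(saml_request: str) -> str:
    """Inverse of encode_redirect; the SAMLRequest value must already be URL-decoded."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def parse_issue_instant(xml_text: str) -> datetime:
    """Return IssueInstant as an aware UTC datetime; reject anything but a LogoutRequest."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}LogoutRequest" % SAML2P:
        raise ValueError("not a saml2p:LogoutRequest: %s" % root.tag)
    ts = root.attrib["IssueInstant"]
    if ts.endswith("Z"):  # xsd:dateTime 'Z'; fromisoformat on older Pythons wants +00:00
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def redirect_signed_info(raw_query: str) -> str:
    """The exact string a Redirect-binding signature covers: SAMLRequest, RelayState
    (if present) and SigAlg, in that order, with the URL-encoded values as received.
    Re-encoding decoded values can change the percent-escapes and break verification,
    so the raw query segments are used."""
    pairs = dict(seg.split("=", 1) for seg in raw_query.split("&") if "=" in seg)
    parts = ["SAMLRequest=" + pairs["SAMLRequest"]]
    if "RelayState" in pairs:
        parts.append("RelayState=" + pairs["RelayState"])
    parts.append("SigAlg=" + pairs["SigAlg"])
    return "&".join(parts)


def check_logout_request(url: str, now_utc: datetime, skew_seconds: int) -> dict:
    """Run the skew and signature-presence checks and list why the request would be
    rejected. RSA verification over signed_info is not performed here."""
    raw_query = urlparse(url).query
    q = parse_qs(raw_query)
    issued = parse_issue_instant(decode_redirect(q["SAMLRequest"][0]))
    delta = (issued - now_utc).total_seconds()  # > 0: issued in the receiver's future
    reasons = []
    if abs(delta) > skew_seconds:
        reasons.append("IssueInstant %.3fs from local clock, skew allowance %ds" % (delta, skew_seconds))
    signed = "Signature" in q and "SigAlg" in q
    if not signed:
        reasons.append("no SigAlg/Signature parameters: request is unsigned")
    return {"issue_instant": issued, "delta_seconds": delta, "signed": signed,
            "signed_info": redirect_signed_info(raw_query) if signed else None,
            "reasons": reasons}


# The article's case: only SAMLRequest on the query string, and the Policy Server
# clock reading 09:11:16.938 local, taken here as 07:11:16.938Z (UTC+2 assumed).
UNSIGNED_URL = SLO_URL + "?" + urlencode({"SAMLRequest": encode_redirect(LOGOUT_REQUEST_XML)})
POLICY_SERVER_CLOCK = datetime(2021, 9, 1, 7, 11, 16, 938000, tzinfo=timezone.utc)

# The same request as the SP should send it; the Signature value is a placeholder.
SIGNED_URL = SLO_URL + "?" + urlencode([
    ("SAMLRequest", encode_redirect(LOGOUT_REQUEST_XML)),
    ("SigAlg", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"),
    ("Signature", base64.b64encode(b"placeholder").decode()),
])
SYNCED_CLOCK = datetime(2021, 9, 1, 7, 11, 55, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, url, clock in (("article", UNSIGNED_URL, POLICY_SERVER_CLOCK),
                              ("fixed", SIGNED_URL, SYNCED_CLOCK)):
        r = check_logout_request(url, clock, 30)
        print(label, "rejected:" if r["reasons"] else "accepted", "; ".join(r["reasons"]))
```

The signed_info string is the byte sequence the SP signs; with the partner's certificate and a real Signature value, `openssl dgst -sha256 -verify` over exactly those bytes reproduces the check the Federation Service performs.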

Additional Information

 

(1) Skew Time

(2) Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0