Assertion signature verification fails in Legacy Federation

Article ID: 227814

Products

SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

After upgrading the Policy Server from 12.7 to 12.8.5, a Legacy Federation configuration in which SiteMinder is acting as IDP is no longer working.

The Policy Server can no longer verify the assertion's signature.

The IDP has not changed anything about the assertion, including the private key used for signing.

smtracedefault.log:

[e1088b2d-66268fa1-cc51dc66-7cbfb155-9d504609-1][][][][11/02/2021][][][][][][717788][][][][][][][][][][][140675697846016][][][][][verifyXML][Signature verification Failure stacktrace : com.netegrity.SAML2Security.DSigException: Error in DSigVerifier: cert not found or sig not verified - No certificate found in DB for issuerName: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US  serialNumber:  e2aeff621ddc3f5c - 
 at com.netegrity.SAML2Security.DSigVerifier.VerifyXML_KS(Unknown Source)
 at com.netegrity.SAML2Security.DSigVerifier.VerifyXML(Unknown Source)
 at com.netegrity.SAML2Security.DSigVerifier.VerifyXML(Unknown Source)
 at com.netegrity.SAML2Security.SignatureProcessor.verifyXMLWithIssuerNameAndSerialNumber(Unknown Source)

[e1088b2d-66268fa1-cc51dc66-7cbfb155-9d504609-1][][][][11/02/2021][][][][][][717788][][][][][][][][][][][140675697846016][][][][][verifyXML][Signature verification with primary certificate failed with message: Error in DSigVerifier: cert not found or sig not verified - No certificate found in DB for issuerName: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US  serialNumber:  e2aeff621ddc3f5c - ][][][][][][][][][][][][][][][16:41:41.155][][][][][][][][][][][][SignatureProcessor.java][][][][][][][][][][]

Environment

Policy Server 12.8SP05

Cause

The third-party code used by the Policy Server to process X509 certificates changed between releases 12.7 and 12.8.

In 12.8, the Policy Server requires double quotes around certificate DN attribute values that contain commas or other special characters in Legacy Federation configurations (in this use case, the SAML Auth Scheme), whereas 12.7 accepted such DNs without the quotes.

Resolution

In 12.7, the Issuer DN of the verification certificate for the SAML Auth Scheme could be specified as follows:

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US

In 12.8, the same DN needs to be specified as follows:

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
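The following helper is an added example, not part of this article or of the SiteMinder product. It rewrites a 12.7-style Issuer DN into the quoted form that 12.8 requires and checks a configured DN against the issuerName printed in smtracedefault.log, so the SAML Auth Scheme configuration can be verified before and after the upgrade. The rule that an unquoted segment with no type= prefix continues the previous value is an assumption of the example, as is the absence of escaped quotes inside quoted values.

```python
import re

# Characters that make an unquoted DN attribute value ambiguous (RFC 2253 / RFC 4514)
SPECIAL = set(',+"\\<>;')
_ATTR = re.compile(r'^\s*[A-Za-z0-9.]+=')  # segment begins a new type=value attribute
# Split on commas followed by an even number of double quotes, i.e. commas that are not
# inside a quoted value (assumption: no escaped \" inside quoted values)
_TOP_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

# Issuer DN as written in the 12.7 configuration and as printed in smtracedefault.log
SAMPLE_DN_127 = ('CN=Go Daddy Secure Certificate Authority - G2,'
                 'OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,'
                 'L=Scottsdale,ST=Arizona,C=US')

def parse_dn(dn):
    """Return [(type, value), ...] for the quoted or the unquoted form. Assumption of this
    example: an unquoted segment with no 'type=' prefix continues the previous value."""
    attrs = []
    for seg in _TOP_COMMA.split(dn):
        if _ATTR.match(seg):
            k, v = seg.split('=', 1)
            attrs.append([k.strip(), v])
        elif attrs:
            attrs[-1][1] += ',' + seg
        else:
            raise ValueError(f'DN must start with type=value: {dn!r}')
    for a in attrs:  # strip one layer of surrounding quotes and their backslash escapes
        if len(a[1]) > 1 and a[1][0] == a[1][-1] == '"':
            a[1] = re.sub(r'\\(.)', r'\1', a[1][1:-1])
    return [tuple(a) for a in attrs]

def quote_value(v):
    """Double-quote a value containing special characters, escaping inner " and \\."""
    if not SPECIAL & set(v):
        return v
    return '"' + v.replace('\\', '\\\\').replace('"', '\\"') + '"'

def to_128_dn(dn):
    """Rewrite a DN in the quoted form 12.8 requires; idempotent on already-quoted input."""
    return ','.join(f'{k}={quote_value(v)}' for k, v in parse_dn(dn))

def same_issuer(configured_dn, logged_dn):
    """True if the configured Issuer DN matches the issuerName from smtracedefault.log."""
    return parse_dn(configured_dn) == parse_dn(logged_dn)
```

Running to_128_dn on the 12.7 DN above yields exactly the 12.8 form shown in the Resolution; same_issuer lets you confirm that the configured value matches the issuerName logged in the DSigVerifier error regardless of quoting.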

Additional Information

Please note that CA/Broadcom stopped enhancing Legacy Federation when Partnership Federation was introduced.

If you are implementing a new configuration, using Partnership Federation rather than Legacy Federation is highly recommended.