
Legacy Federation is failing assertion signature verification after upgrade from 12.7 to 12.8


Article ID: 227814


Products

SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

After upgrading the policy server from 12.7 to 12.8.5, a Legacy Federation configuration in which Siteminder is acting as IDP is no longer working. The policy server can no longer verify the assertion's signature. The IDP has not changed anything about the assertion, including the private key used for signing.

Logs:

[e1088b2d-66268fa1-cc51dc66-7cbfb155-9d504609-1][][][][11/02/2021][][][][][][717788][][][][][][][][][][][140675697846016][][][][][verifyXML][Signature verification Failure stacktrace : com.netegrity.SAML2Security.DSigException: Error in DSigVerifier: cert not found or sig not verified - No certificate found in DB for issuerName: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US  serialNumber:  e2aeff621ddc3f5c - 
 at com.netegrity.SAML2Security.DSigVerifier.VerifyXML_KS(Unknown Source)
 at com.netegrity.SAML2Security.DSigVerifier.VerifyXML(Unknown Source)
 at com.netegrity.SAML2Security.DSigVerifier.VerifyXML(Unknown Source)
 at com.netegrity.SAML2Security.SignatureProcessor.verifyXMLWithIssuerNameAndSerialNumber(Unknown Source)


[e1088b2d-66268fa1-cc51dc66-7cbfb155-9d504609-1][][][][11/02/2021][][][][][][717788][][][][][][][][][][][140675697846016][][][][][verifyXML][Signature verification with primary certificate failed with message: Error in DSigVerifier: cert not found or sig not verified - No certificate found in DB for issuerName: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US  serialNumber:  e2aeff621ddc3f5c - ][][][][][][][][][][][][][][][16:41:41.155][][][][][][][][][][][][SignatureProcessor.java][][][][][][][][][][]



Cause

The third-party code used by the policy server to process X509 certificates changed between release 12.7 and 12.8. In 12.8, the policy server is requiring double quotes around certificate DN values within Legacy Federation configurations (SAML Auth Scheme in this use case) that contain commas or other special characters, whereas 12.7 could process such certificates without the quotes.

Environment

Release : 12.8.05

Component : SITEMINDER -POLICY SERVER

Resolution

In 12.7, the Issuer DN of the verification certificate for the SAML Auth Scheme could be specified as follows:
CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US

In 12.8, the same DN needs to be specified as follows:
CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
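The following script is an added example, not code from the article or from the SiteMinder product. It is a small RFC 4514-style string DN parser written for this article (the policy server's own parser is not shown here); it assumes the standard DN grammar, in which an unescaped comma separates RDNs and a double-quoted value may contain commas. Run against the two spellings above, it shows why the 12.7 form splits "GoDaddy.com, Inc." into a malformed RDN with no "=" (so the issuer name can never match the certificate in the DB) and why the 12.8 form parses and round-trips unchanged:

```python
"""Added example: how an unquoted comma breaks DN parsing.

This is a plain RFC 4514-style string DN parser written for this article;
it is not the policy server's own parser. It shows why the 12.7 form of the
issuer DN splits into a malformed RDN and why the 12.8 form round-trips.
"""
from typing import List, Optional, Tuple

Rdn = Tuple[str, str]

# The two DN spellings from the Resolution section (constructed copies).
DN_UNQUOTED = ('CN=Go Daddy Secure Certificate Authority - G2,'
               'OU=http://certs.godaddy.com/repository/,'
               'O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US')
DN_QUOTED = ('CN=Go Daddy Secure Certificate Authority - G2,'
             'OU=http://certs.godaddy.com/repository/,'
             'O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US')

# Characters that force a value into the double-quoted form (assumed set,
# taken from the RFC 4514 special characters).
SPECIAL = ',+"\\<>;='


def parse_dn(dn: str) -> List[Rdn]:
    """Split a string DN into (attributeType, value) pairs.

    Understands backslash escapes and double-quoted values. Raises
    ValueError when a comma-separated piece has no '=' (the symptom
    an unquoted comma inside a value produces).
    """
    rdns: List[Rdn] = []
    attr_type = ""
    buf: List[str] = []
    in_value = in_quotes = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if in_value and c == '"':
            in_quotes = not in_quotes  # quote delimiters are not part of the value
        elif not in_value and c == "=":
            attr_type = "".join(buf).strip()
            buf, in_value = [], True
        elif not in_value and c == ",":
            raise ValueError("RDN %r has no '='" % "".join(buf))
        elif in_value and c == "," and not in_quotes:
            rdns.append((attr_type, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(c)
        i += 1
    if in_quotes:
        raise ValueError("unterminated double quote in DN")
    if in_value:
        rdns.append((attr_type, "".join(buf).strip()))
    elif buf:
        raise ValueError("RDN %r has no '='" % "".join(buf))
    return rdns


def format_dn(rdns: List[Rdn]) -> str:
    """Render RDNs back to a string, double-quoting values that need it."""
    parts = []
    for attr_type, value in rdns:
        if (any(ch in SPECIAL for ch in value) or value != value.strip()
                or value.startswith("#")):
            escaped = value.replace("\\", "\\\\").replace('"', '\\"')
            value = '"%s"' % escaped
        parts.append("%s=%s" % (attr_type, value))
    return ",".join(parts)


def dn_problem(dn: str) -> Optional[str]:
    """Return a description of why a DN does not parse, or None if it parses."""
    try:
        parse_dn(dn)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("12.7 form:", dn_problem(DN_UNQUOTED))
    print("12.8 form:", dn_problem(DN_QUOTED))
    for t, v in parse_dn(DN_QUOTED):
        print("  %s = %s" % (t, v))
```

Running `dn_problem` over every Issuer DN configured in a SAML Auth Scheme before the upgrade is a quick way to find the entries that need quoting; `format_dn(parse_dn(...))` then emits the quoted spelling the 12.8 policy server expects.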

Additional Information

Please note that CA/Broadcom stopped enhancing Legacy Federation when Partnership Federation was introduced.  If you are implementing a new configuration, it's highly recommended to use Partnership Federation rather than Legacy.