Error: Signature is invalid on an SLO message in Federation WAOP
Article ID: 236341

Products

CA Single Sign On Agents (SiteMinder)
SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

When Federation Services runs as the IdP and receives a SAML SLO request, the request fails and the Federation Service reports the error:

[02/16/2022][15:22:28][89026][140361701930752][9f5d957a-b35d7a17-0eda046c-592ae632-c21a894e-c6][SLOService.java][handleLogoutFailure][Signature is invalid on an SLO message. Session ID: <Session_id_value1>= Issuer: SP:https://host1.example.com]

Environment

Policy Server 12.8SP3 on CentOS 8
JDK 1.8.0_151
CA Access Gateway (SPS) 12.8SP3 on CentOS 8

Cause

The SLO SAMLRequest is signed with a certificate different from the one configured in the Policy Store to verify its signature.

fiddler.saz, line 20:

GET https://idp.example.com/affwebservices/public/saml2slo?SAMLRequest=nZL [...] 8rz34B&RelayState=8eeee9 [...] 8729a37b3c0&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=pDHXi%2FZ [...] 9Li2AkCFXjqVAnY%2Fng%3D%3D
SMSESSION=<SM_session>
SMIDENTITY=<SM_Identity>

  HTTP/1.1 200 OK
  Date: Mon, 28 Feb 2022 17:15:08 GMT
  Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q-fips mod_jk/1.2.46

  An error occurred during the logout process. Close the browser.

affwebserv.log:

[104892/140119244351232][Mon Feb 28 2022 17:15:09][SLOService.java][ERROR][sm-FedClient-02180] "Error occurred during single logout. Message:  Signature is invalid on an SLO message. Session ID: <Session_id_value2> Issuer: SP:https://host1.example.com

FWSTrace.log:

[02/28/2022][17:15:09][104892][140119244351232][14ad29ed-28341a21-bd152eb8-9e9d6f22-598bd4d4-604][SAMLTunnelClient.java][callSingleLogout][Tunnel result code: 1.]

[02/28/2022][17:15:09][104892][140119244351232][14ad29ed-28341a21-bd152eb8-9e9d6f22-598bd4d4-604][SLOService.java][handleLogout][

  TUNNEL STATUS:
     status  : 2
  
     message : Signature is invalid on an SLO message. Session ID:
   <Session_id_value2>= Issuer:
   SP:https://host1.example.com]

[02/28/2022][17:15:09][104892][140119244351232][14ad29ed-28341a21-bd152eb8-9e9d6f22-598bd4d4-604][SLOService.java][handleLogoutFailure][Signature is invalid on an SLO message. Session ID: <Session_id_value2> Issuer: SP:https://host1.example.com]

[02/28/2022][17:15:09][104892][140119244351232][14ad29ed-28341a21-bd152eb8-9e9d6f22-598bd4d4-604][SLOService.java][handleLogoutFailure][Redirecting to error handling URL [CHECKPOINT = SLOSAML2_ERRORURL_REDIRECT]]

smtracedefault.log:

[02/28/2022][18:15:08][140422026336000][14ad29ed-28341a21-bd152eb8-9e9d6f22-598bd4d4-604][CServer.cpp:6557][CServer::Tunnel][][][][][][][][][][][][Resolved all the input parameters][73096][18:15:08.973][][][][][][][][][][][][][][::ffff:10.0.0.1][][][][][][][][][][][][][][][][][][][][][][][Lib='smjavaapi', Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService', Server='', Device=''][][][][][][][][][]

[02/28/2022][18:15:08][140422026336000][d0bd6b8b-7651d490-e7ad38fa-ed6f9665-98ca289a-2c][SingleLogoutTunnelServiceHandler.java][getClientSideInputs][][][][][][][][][][][][Received an SLO message.SamlSloRequestData [sessionId=<Session_id_value2>, [...] disambiguationId=null][73096][18:15:08.974][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/28/2022][18:15:08][140422026336000][d0bd6b8b-7651d490-e7ad38fa-ed6f9665-98ca289a-2c][SAMLSingleLogoutInfo.java][unmarshal][][][][][][][][][][][][decoded input:<?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutRequest Destination="https://host.example.org/affwebservices/public/saml2slo" ID="_6662b99312fea99781e3ee1e102fde16" IssueInstant="2022-02-28T17:15:35.763Z" NotOnOrAfter="2022-02-28T17:20:35.763Z" Reason="Single Logout" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://host1.example.com</saml2:Issuer><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="https://host1.example.com" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer_Name></saml2:NameID><saml2p:SessionIndex><Session_id_value2_index_value></saml2p:SessionIndex></saml2p:LogoutRequest>][73096][18:15:08.974][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/28/2022][18:15:08][140422026336000][d0bd6b8b-7651d490-e7ad38fa-ed6f9665-98ca289a-2c][SignatureProcessor.java][verifyFromHTTP][][][][][][][][][][][][Primary certificate to verify signature: alias: <certificate_alias>][73096][18:15:08.994][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/28/2022][18:15:09][140422026336000][d0bd6b8b-7651d490-e7ad38fa-ed6f9665-98ca289a-2c][SignatureProcessor.java][verifyFromHTTP][][][][][][][][][][][][Signature verification with primary certificate failed.][73096][18:15:09.030][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/28/2022][18:15:09][140422026336000][d0bd6b8b-7651d490-e7ad38fa-ed6f9665-98ca289a-2c][SignatureProcessor.java][verifyFromHTTP][][][][][][][][][][][][Checking for secondary certificate][73096][18:15:09.030][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/28/2022][18:15:09][140422026336000][d0bd6b8b-7651d490-e7ad38fa-ed6f9665-98ca289a-2c][SignatureProcessor.java][verifyFromHTTP][][][][][][][][][][][][Secondary certificate is not configured.][73096][18:15:09.030][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/28/2022][18:15:09][140422026336000][d0bd6b8b-7651d490-e7ad38fa-ed6f9665-98ca289a-2c][SAMLSingleLogoutInputMessage.java][verify][][][][][][][][][][][][Verify tunnel status: status=2&message=Signature is invalid on an SLO message. Session ID: <Session_id_value2> Issuer: SP:https://host1.example.com][73096][18:15:09.030][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

 

Resolution

Check with the SP partner that the certificate used to sign the SLO SAMLRequest is the same one configured in the Policy Store to verify that signature.

The site referenced below (1) can be used to verify the signatures of XML documents.
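As an added example (not part of this article or of the SiteMinder product code), the Go program below reproduces the check the IdP performs on an SLO request sent over the SAML 2.0 HTTP-Redirect binding, i.e. the SAMLRequest/RelayState/SigAlg/Signature query string seen in the Fiddler capture above: it rebuilds the signed octets from the query exactly as received and verifies them against an RSA public key. Pointed at the public key of the certificate the SP partner actually signs with (in practice parsed from their certificate with crypto/x509) and at the one configured in the Policy Store, it shows which of the two the message was signed with; it also goes slightly beyond the capture by handling a missing RelayState and rejecting any SigAlg other than rsa-sha1. The RSA keys and message values are constructed for the offline run.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"net/url"
	"strings"
)

const sigAlgRSASHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1" // the SigAlg seen in the capture
// VerifyRedirectQuery checks the Signature parameter of a SAML 2.0 HTTP-Redirect query string
// against the RSA public key of the partnership's verification certificate. The SP signed the
// still-URL-encoded SAMLRequest/RelayState/SigAlg values, so the query is used exactly as received.
func VerifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) error {
	raw := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != sigAlgRSASHA1 {
		return errors.New("unsupported or missing SigAlg: " + alg)
	}
	signed := "SAMLRequest=" + raw["SAMLRequest"]
	if rs, ok := raw["RelayState"]; ok { // RelayState is optional and only covered when present
		signed += "&RelayState=" + rs
	}
	signed += "&SigAlg=" + raw["SigAlg"]
	sigText, err := url.PathUnescape(raw["Signature"]) // %2F, %3D -> / and =; keeps a literal '+' (base64 has no spaces)
	sig, err2 := base64.StdEncoding.DecodeString(sigText)
	if err != nil || err2 != nil {
		return errors.New("Signature parameter is not URL-encoded base64")
	}
	digest := sha1.Sum([]byte(signed))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) // nil only for the signing key's certificate
}

// signRedirectQuery builds a constructed SLO redirect query as an SP would (test scaffolding, not partner code).
func signRedirectQuery(priv *rsa.PrivateKey, samlRequest, relayState string) (string, error) {
	q := "SAMLRequest=" + url.QueryEscape(samlRequest) + "&RelayState=" + url.QueryEscape(relayState) + "&SigAlg=" + url.QueryEscape(sigAlgRSASHA1)
	digest := sha1.Sum([]byte(q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}
```

When checking a real capture, paste the query string after `saml2slo?` unchanged: decoding and re-encoding it can alter the octets the SP signed and produce a spurious failure.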

 

Additional Information

(1) Validate SAML Logout Request