Federation: Users are unable to access AWS application by error

Article ID: 264012


Products

SITEMINDER

Issue/Introduction

We have an AWS application integrated with SiteMinder through SAML. Users are not able to access it and receive the error message below.

Response (with optional signature) must contain an assertion with a mandatory signature (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException; Request ID: ...; Proxy: null) (Service: AWSSecurityToken...; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: ...; Proxy: null). Please try again.

Environment

Release: All

Cause

In the Policy Server trace log on the IDP side, the assertion signing step was failing because the signing certificate had expired. This is what caused the issue.

Error message excerpted:

. . . [ProtocolBase.java][SignOrEncryptAssertion][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Failed to Sign Assertion. Message : Error in DSigSigner - Signing failed. encrypt: Encryption certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: certificate expired on 20230212235959GMT+00:00
. Exception com.netegrity.SAML2Security.DSigException: Error in DSigSigner - Signing failed. encrypt: Encryption certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: certificate expired on 20230212235959GMT+00:00
. . . . .
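The two symptoms above, the AWS error complaining that the Response does not contain a signed Assertion and the trace-log line showing the expired signing certificate, can both be checked mechanically. The following script is an added example written for this article; it is not SiteMinder or AWS code. It uses only the Python standard library, and the trace-log lines and SAML documents embedded in it are constructed for the example (the second log line and the SAML element IDs are invented). The first function scans Policy Server trace lines for the signing failure and extracts the expiry timestamp in the format the exception prints it; the second inspects a SAML Response and reports whether every Assertion carries its own ds:Signature, which is the condition AWS enforces regardless of whether the outer Response is signed.

```python
"""Added diagnostic helpers for the SAML signing failure described in the article.

Not part of SiteMinder or AWS. Standard library only; all sample data is constructed.
"""
import re
from datetime import datetime
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Matches the text java.security.cert.CertificateExpiredException writes into the
# trace, e.g. "certificate expired on 20230212235959GMT+00:00".
_EXPIRY_RE = re.compile(r"certificate expired on (\d{14})GMT([+-]\d{2}:\d{2})")


def parse_expiry(stamp: str, offset: str) -> datetime:
    """Turn '20230212235959' and '+00:00' into a timezone-aware datetime."""
    return datetime.strptime(stamp + offset, "%Y%m%d%H%M%S%z")


def scan_trace_log(lines):
    """Return one finding per trace line that reports an assertion signing failure.

    Each finding records the 1-based line number and, when the line carries a
    CertificateExpiredException, the parsed expiry time (else None).
    """
    findings = []
    for number, line in enumerate(lines, 1):
        if "Failed to Sign Assertion" not in line and "CertificateExpiredException" not in line:
            continue
        match = _EXPIRY_RE.search(line)
        expired_on = parse_expiry(match.group(1), match.group(2)) if match else None
        findings.append({"line": number, "expired_on": expired_on})
    return findings


def check_assertion_signatures(saml_xml: str) -> dict:
    """Report whether a SAML Response satisfies 'every Assertion is signed'.

    Only plaintext saml:Assertion elements are inspected; an EncryptedAssertion
    would need decryption first and is not handled here.
    """
    root = ET.fromstring(saml_xml)
    assertions = root.findall(f"{{{SAML_NS}}}Assertion")
    unsigned = [a.get("ID") for a in assertions if a.find(f"{{{DS_NS}}}Signature") is None]
    return {
        "response_signed": root.find(f"{{{DS_NS}}}Signature") is not None,
        "assertions": len(assertions),
        "unsigned": unsigned,
        "acceptable": bool(assertions) and not unsigned,
    }


# Constructed trace excerpt: the first line mirrors the article's error, the second is invented.
SAMPLE_LOG = [
    "[ProtocolBase.java][SignOrEncryptAssertion][Failed to Sign Assertion. Message : "
    "Error in DSigSigner - Signing failed. encrypt: Encryption certificate has expired. "
    "Exception Message: java.security.cert.CertificateExpiredException: "
    "certificate expired on 20230212235959GMT+00:00",
    "[ProtocolBase.java][SignOrEncryptAssertion][Assertion signed successfully]",
]

# Constructed Response: the outer Response is signed but the Assertion is not,
# which is exactly the shape AWS rejects.
SAMPLE_RESPONSE_BAD = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    xmlns:ds="{DS_NS}" ID="_resp1">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.test</saml:Issuer></saml:Assertion>
</samlp:Response>"""

# Constructed Response where the Assertion itself carries a Signature.
SAMPLE_RESPONSE_OK = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    xmlns:ds="{DS_NS}" ID="_resp2">
  <saml:Assertion ID="_a2">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for finding in scan_trace_log(SAMPLE_LOG):
        print(f"line {finding['line']}: signing failed, certificate expired on {finding['expired_on']}")
    for label, doc in (("bad", SAMPLE_RESPONSE_BAD), ("ok", SAMPLE_RESPONSE_OK)):
        print(label, check_assertion_signatures(doc))
```

Run against a real Policy Server trace file, scan_trace_log gives the exact expiry time to compare with the partnership's configured certificate; run against a captured Response (for example from the browser's SAML tracer), check_assertion_signatures tells you whether the Assertion signature is missing before you look further at AWS.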

Resolution

Please update the IDP certificate for the partnership.

Additional Information

To enable assertion signing, open the partnership on the IDP side and uncheck "Disable Signature Processing" in step 5, "Signature and Encryption Dialog".