Why is there "Signature did not verify" and "SAML2Response=NO" with AuthnRequest when "Required Signed Authentication Requests: No" is set



Article ID: 265963


Updated On:

Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

In a SAML2 federation partnership in which SiteMinder acts as the IdP, "Required Signed Authentication Requests: No" is set.

Nevertheless, when a SAMLRequest (AuthnRequest) is received, SiteMinder reports that signature verification failed and the Policy Server does not generate a SAMLResponse, as in the following Policy Server trace:

[01/01/2023][01:23:45][01:23:45.678][][][][][][1234][5678][11111111-22222222-33333333-44444444-55555555-6666][][][][][][][][][][][AssertionHandlerSAML20.java][preProcess][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Start to validate the SAML2.0 Authn request.][][][][][][][][][]
[01/01/2023][01:23:45][01:23:45.678][][][][][][1234][5678][11111111-22222222-33333333-44444444-55555555-6666][][][][][][][][][][][AuthnRequestProtocol.java][validateRequest][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Validating the Request...All the properties:
[01/01/2023][01:23:45][01:23:45.678][][][][][][1234][5678][11111111-22222222-33333333-44444444-55555555-6666][][][][][][][][][][][SignatureProcessor.java][verifyFromHTTP][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Primary certificate to verify signature: alias: "<cert_alias>"][][][][][][][][][]
[01/01/2023][01:23:45][01:23:45.679][][][][][][1234][5678][11111111-22222222-33333333-44444444-55555555-6666][][][][][][][][][][][SignatureProcessor.java][verifyFromHTTP][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Signature verification with primary certificate failed with message: Caught an Exception while verifying revocation status of the certificateMultiple certificates exist for issuer CN=<user> and serial number 000000012.][][][][][][][][][]
[01/01/2023][01:23:45][01:23:45.679][][][][][][1234][5678][11111111-22222222-33333333-44444444-55555555-6666][][][][][][][][][][][SignatureProcessor.java][verifyFromHTTP][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Checking for secondary certificate][][][][][][][][][]
[01/01/2023][01:23:45][01:23:45.679][][][][][][1234][5678][11111111-22222222-33333333-44444444-55555555-6666][][][][][][][][][][][SignatureProcessor.java][verifyFromHTTP][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Secondary certificate is not configured.][][][][][][][][][]
[01/01/2023][01:23:45][01:23:45.679][][][][][][1234][5678][11111111-22222222-33333333-44444444-55555555-6666][][][][][][][][][][][AuthnRequestProtocol.java][verifySignatureOnRequest][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Signature did not verify.][][][][][][][][][]
[01/01/2023][01:23:45][01:23:45.679][][][][][][1234][5678][11111111-22222222-33333333-44444444-55555555-6666][][][][][][][][][][][AssertionGenerator.java][invoke][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][AssertionHandler preProcess() failed. Leaving AssertionGenerator.][][][][][][][][][] 

Environment

Release : 12.8.06

Cause

"Required Signed Authentication Requests: No" only means that an unsigned SAMLRequest is acceptable and will be honoured; it does not switch signature verification off.

If the SP sends a signed request anyway, the Policy Server still has to verify that signature: a signature that is present but cannot be verified is treated as a failure, not ignored. Verification fails when the partnership is configured with the wrong SP certificate, or with no certificate at all. In the trace above the verification with the primary certificate aborted during the certificate revocation-status check because more than one certificate with the same issuer and serial number exists in the certificate data store, no secondary certificate was configured to fall back on, and so the request was rejected before any assertion was generated.

 

Resolution

There are two ways to resolve the issue.

1. Configure the SP not to sign the AuthnRequest, so that the Policy Server never attempts the verification.

OR

2. Configure the IdP side of the partnership with the SP's current signing certificate so that the signature verifies. If the trace shows "Multiple certificates exist for issuer ... and serial number ...", also make sure that only one certificate with that issuer and serial number is present in the certificate data store, otherwise the Policy Server cannot select the one to verify with.

Option 2 keeps the integrity protection the SP is already providing on its requests; option 1 only removes the symptom.
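The behaviour described under Cause, and both resolutions, modelled end to end as an added example; this is not SiteMinder code. It uses the Python standard library plus the openssl command-line tool (assumed to be on PATH) to build an HTTP-Redirect-binding AuthnRequest on the SP side, optionally sign it, and then apply the IdP rule: an unsigned request passes when signing is not required, but a request that arrives signed is always verified, and fails with a wrong or missing SP certificate. The entity IDs, file names and function names are hypothetical. It goes one step beyond the article by also showing that a signed request whose RelayState is altered in transit fails the same check.

```python
"""Added example, not SiteMinder code: IdP accepts an unsigned AuthnRequest when signing
is not required, but a request that arrives signed is always verified, so a wrong or
missing SP certificate on the IdP side fails it. Names and entity IDs are hypothetical."""
import base64
import functools
import subprocess
import tempfile
import zlib
from pathlib import Path
from urllib.parse import quote

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample AuthnRequest; the entity IDs are hypothetical.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0" '
    'IssueInstant="2023-01-01T01:23:45Z" AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>')

def openssl(*args):
    """Run an openssl subcommand, raise on error, return its stdout bytes."""
    return subprocess.run(["openssl", *map(str, args)], check=True, capture_output=True).stdout

def make_sp_cert(workdir, name):
    """Self-signed SP signing certificate; returns (private key path, cert path)."""
    key, cert = Path(workdir, name + ".key"), Path(workdir, name + ".crt")
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=" + name, "-keyout", key, "-out", cert)
    return key, cert

def redirect_encode(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def signed_octets(saml_request, relay_state, sig_alg):
    """Octets the Redirect-binding signature covers (SAML 2.0 Bindings 3.4.4.1), URL-encoded."""
    parts = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(k + "=" + quote(v, safe="") for k, v in parts).encode()

def sp_build_request(workdir, xml, relay_state=None, sign_with=None):
    """SP side: Redirect-binding query parameters, signed with the key at sign_with if given."""
    q = {"SAMLRequest": redirect_encode(xml)}
    if relay_state is not None:
        q["RelayState"] = relay_state
    if sign_with is None:
        return q                     # resolution 1: the SP simply does not sign
    q["SigAlg"] = RSA_SHA256
    data, sig = Path(workdir, "tosign"), Path(workdir, "sig")
    data.write_bytes(signed_octets(q["SAMLRequest"], relay_state, q["SigAlg"]))
    openssl("dgst", "-sha256", "-sign", sign_with, "-binary", "-out", sig, data)
    q["Signature"] = base64.b64encode(sig.read_bytes()).decode()
    return q

def idp_validate(workdir, q, sp_cert=None, require_signed=False):
    """IdP side; returns (accepted, reason). A present Signature is verified whatever require_signed says."""
    if "Signature" not in q:
        if require_signed:
            return False, "unsigned request rejected: signed requests are required"
        return True, "unsigned request accepted"
    if sp_cert is None:
        return False, "Signature did not verify: no SP certificate configured"
    if q.get("SigAlg") != RSA_SHA256:
        return False, "Signature did not verify: unsupported SigAlg"
    pub = Path(workdir, "sp_pub.pem")
    pub.write_bytes(openssl("x509", "-in", sp_cert, "-pubkey", "-noout"))  # cert -> public key
    data, sig = Path(workdir, "toverify"), Path(workdir, "sig_in")
    data.write_bytes(signed_octets(q["SAMLRequest"], q.get("RelayState"), q["SigAlg"]))
    sig.write_bytes(base64.b64decode(q["Signature"]))
    r = subprocess.run(["openssl", "dgst", "-sha256", "-verify", str(pub), "-signature", str(sig),
                        str(data)], capture_output=True)  # exit status 0 only on "Verified OK"
    if r.returncode == 0:
        return True, "signed request accepted: signature verified with the configured SP certificate"
    return False, "Signature did not verify: signature does not match the configured SP certificate"

@functools.lru_cache(maxsize=None)
def scenarios():
    """Reproduce the KB case and both resolutions; returns {scenario: accepted}."""
    with tempfile.TemporaryDirectory() as wd:
        sp_key, sp_cert = make_sp_cert(wd, "sp-current")
        _, stale_cert = make_sp_cert(wd, "sp-stale")           # wrong certificate held by the IdP
        unsigned = sp_build_request(wd, SAMPLE_AUTHN_REQUEST, "state1")
        signed = sp_build_request(wd, SAMPLE_AUTHN_REQUEST, "state1", sign_with=sp_key)
        tampered = dict(signed, RelayState="state2")           # RelayState is under the signature
        return {
            "unsigned, not required": idp_validate(wd, unsigned, stale_cert)[0],
            "signed, wrong SP cert (the KB case)": idp_validate(wd, signed, stale_cert)[0],
            "signed, no SP cert": idp_validate(wd, signed)[0],
            "signed, correct SP cert (resolution 2)": idp_validate(wd, signed, sp_cert)[0],
            "signed, RelayState tampered": idp_validate(wd, tampered, sp_cert)[0],
            "unsigned, required": idp_validate(wd, unsigned, sp_cert, require_signed=True)[0],
        }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:40} -> {'SAMLResponse generated' if ok else 'no SAMLResponse'}")
```

Running the script prints one line per scenario; the "signed, wrong SP cert" row is the situation in the trace above, and the two rows that pass with a signed request only do so when the IdP holds the certificate matching the SP's signing key.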