AuthnRequest signature verification issue

Article ID: 40987

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  CA Single Sign-On

Issue/Introduction

 

We run an SP-initiated flow where the SP signs the AuthnRequest
and the IdP has to verify the AuthnRequest signature.

In an SP-initiated transaction the SP sends the AuthnRequest to the
IdP. In many deployments the SP signs the AuthnRequest and the IdP
must verify that signature; the signature gives the IdP assurance that
the request came from the partner it trusts and was not altered in
transit. The AuthnRequest is signed with the signing party's private
key, and the signature is verified with the signing party's public
certificate, so the IdP must hold that certificate and be configured
to select it.
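The signing and verification described above, reduced to the SAML 2.0 HTTP-Redirect binding in Go, as an added example; it is not SiteMinder code and not from the article. The SP signs the URL-encoded SAMLRequest and SigAlg parameters with its private key; the IdP selects the verification certificate by the issuer DN and serial number its partnership configuration records for the alias and verifies with that certificate's public key. The VerifyConfig type, the self-signed certificate, the sample AuthnRequest and the error strings are assumptions made for this example, and the binding's DEFLATE step and RelayState parameter are left out. A configuration whose issuer DN or serial number is null is rejected before any signature check, which is the failure the rest of the article describes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed minimal AuthnRequest, not taken from the article.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0" IssueInstant="2016-04-04T15:08:00Z"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com</saml:Issuer></samlp:AuthnRequest>`

// VerifyConfig is a hypothetical stand-in for the partnership's verification certificate
// alias: the issuer DN and serial recorded for it, plus the IdP's certificates keyed "issuerDN|serial".
type VerifyConfig struct {
	IssuerDN, SerialNumber string
	Certs                  map[string]*x509.Certificate
}

// newSigningCert makes the SP's signing key and a self-signed certificate for it.
func newSigningCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4711),
		Subject:      pkix.Name{CommonName: "sp.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// SPSign builds the HTTP-Redirect query string; the RSA-SHA256 signature covers the
// URL-encoded "SAMLRequest=...&SigAlg=..." bytes exactly as they will be sent.
func SPSign(priv *rsa.PrivateKey, xml string) (string, error) {
	msg := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString([]byte(xml))) +
		"&SigAlg=" + url.QueryEscape(sigAlgRSASHA256)
	h := sha256.Sum256([]byte(msg))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return msg + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// IdPVerify picks the verification certificate by the configured issuer DN and serial, then
// checks the signature over the query bytes as received. A null issuer DN or serial fails
// before any cryptography runs, which is the condition behind the article's smtrace message.
func IdPVerify(cfg VerifyConfig, query string) error {
	if cfg.IssuerDN == "" || cfg.SerialNumber == "" {
		return errors.New("missing configuration data of DSigVerInfoIssuerDN or DSigVerInfoSerialNumber")
	}
	cert := cfg.Certs[cfg.IssuerDN+"|"+cfg.SerialNumber]
	if cert == nil {
		return errors.New("no verification certificate matches the configured issuer DN and serial")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("verification certificate does not hold an RSA key")
	}
	idx := strings.Index(query, "&Signature=") // everything before it is the signed input
	q, err := url.ParseQuery(query)
	if idx < 0 || err != nil {
		return errors.New("malformed or unsigned AuthnRequest")
	}
	if q.Get("SigAlg") != sigAlgRSASHA256 { // do not let the sender pick a weaker algorithm
		return fmt.Errorf("unsupported SigAlg %q", q.Get("SigAlg"))
	}
	sig, err := base64.StdEncoding.DecodeString(q.Get("Signature"))
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(query[:idx]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

func main() {
	priv, cert, _ := newSigningCert()
	query, _ := SPSign(priv, sampleAuthnRequest)
	certs := map[string]*x509.Certificate{cert.Issuer.String() + "|" + cert.SerialNumber.String(): cert}
	good := VerifyConfig{cert.Issuer.String(), cert.SerialNumber.String(), certs}
	fmt.Println("complete config:", IdPVerify(good, query))
	fmt.Println("null issuerDN/serial:", IdPVerify(VerifyConfig{Certs: certs}, query))
}
```

Two details a real verifier must also get right: the signed input is the query bytes exactly as received (re-encoding the parameters on the IdP side breaks verification for any SP whose URL encoder differs), and the SigAlg value is checked against what the IdP allows rather than trusted from the request.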

When that verification fails, lines similar to the following appear in the FWSTrace:

  [04/04/2016][15:08:01][3620][3780][a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b][SSO.java]
  [processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.] 

  [04/04/2016][15:08:01][3620][3780][a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b][SSO.java]
  [processAssertionGeneration][Transaction with ID: a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b failed.
  Reason: FAILED_INVALID_RESPONSE_RETURNED] 

  [04/04/2016][15:08:01][3620][3780][a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b][SSO.java]
  [processAssertionGeneration][Transaction with ID: a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b failed.
  Reason: FAILED_INVALID_RESPONSE_RETURNED] 

  [04/04/2016][15:08:01][3620][3780][a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b][SSO.java]
  [processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.] 

  [04/04/2016][15:08:01][3620][3780][a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b]
  [ErrorRedirectionHandler.java][redirectToErrorPage][Redirecting to URL:https://xyz.com/errorpages/servererror.html
  With Redirect mode as 'NO DATA'] 

In the smtrace, right after "Validating AuthnRequest", the following
messages appear:

  [04/04/2016][15:08:00.801][15:08:00][1948][2516][AuthnRequestProtocol.java][verifySignatureOnRequest]
  [Missing configuration data of DSigVerInfoIssuerDN or DSigVerInfoSerialNumber][][][][][][][][][][]
  [a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][] 

  [04/04/2016][15:08:00.801][15:08:00][1948][2516][AssertionGenerator.java][invoke]
  [AssertionHandler preProcess() failed. Leaving AssertionGenerator.][][][][][][][][][][]
  [a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][] 
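To confirm that a failed transaction is this problem and not some other assertion-generation failure, the two traces can be correlated by transaction ID. The following Go program is an added example, not part of the article and not SiteMinder code: it reads smtrace and FWSTrace text, records which transactions hit the verifySignatureOnRequest missing-configuration message and which FWSTrace failure reason each transaction got, and reports only those where both line up. The sample input is the article's own trace lines re-joined onto single lines (trailing empty fields shortened), plus one constructed FWSTrace failure for a second transaction that has no smtrace message; the Finding type and the function names are the example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Message the policy server writes when the selected verification certificate has no
// issuer DN or serial number (taken from the article's smtrace excerpt).
const missingConfigMsg = "Missing configuration data of DSigVerInfoIssuerDN or DSigVerInfoSerialNumber"

// Transaction IDs look like a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b.
const txnPattern = `[0-9a-f]{8}(?:-[0-9a-f]{8}){4}-[0-9a-f]{1,2}`

var (
	txnRe     = regexp.MustCompile(txnPattern)
	fwsFailRe = regexp.MustCompile(`Transaction with ID: (` + txnPattern + `) failed\.\s+Reason: ([A-Z_]+)`)
)

// The article's trace lines, one per line, plus a constructed FWSTrace failure
// (transaction 0badcafe-...) that has no matching smtrace message.
const sampleSmtrace = `[04/04/2016][15:08:00.801][15:08:00][1948][2516][AuthnRequestProtocol.java][verifySignatureOnRequest][Missing configuration data of DSigVerInfoIssuerDN or DSigVerInfoSerialNumber][][][][][][][][][][][a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b][][][][][]
[04/04/2016][15:08:00.801][15:08:00][1948][2516][AssertionGenerator.java][invoke][AssertionHandler preProcess() failed. Leaving AssertionGenerator.][][][][][][][][][][][a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b][][][][][]`

const sampleFWSTrace = `[04/04/2016][15:08:01][3620][3780][a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
[04/04/2016][15:08:01][3620][3780][a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b][SSO.java][processAssertionGeneration][Transaction with ID: a93fcb53-e2c9c0d0-69cbbd42-4a956255-16dde2af-6b failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
[04/04/2016][15:09:12][3620][3780][0badcafe-00000001-00000002-00000003-00000004-01][SSO.java][processAssertionGeneration][Transaction with ID: 0badcafe-00000001-00000002-00000003-00000004-01 failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]`

// Finding collects what both traces say about one transaction.
type Finding struct {
	TxnID         string
	MissingConfig bool   // smtrace: verifySignatureOnRequest hit the missing issuer DN/serial check
	FWSReason     string // FWSTrace: failure reason logged for the same transaction, if any
}

// Correlate scans smtrace and FWSTrace text and groups the evidence by transaction ID.
func Correlate(smtrace, fwstrace string) map[string]*Finding {
	findings := map[string]*Finding{}
	get := func(id string) *Finding {
		if findings[id] == nil {
			findings[id] = &Finding{TxnID: id}
		}
		return findings[id]
	}
	for _, line := range strings.Split(smtrace, "\n") {
		if strings.Contains(line, "[verifySignatureOnRequest]") && strings.Contains(line, missingConfigMsg) {
			if id := txnRe.FindString(line); id != "" {
				get(id).MissingConfig = true
			}
		}
	}
	for _, line := range strings.Split(fwstrace, "\n") {
		if m := fwsFailRe.FindStringSubmatch(line); m != nil {
			get(m[1]).FWSReason = m[2]
		}
	}
	return findings
}

// SignatureConfigFailures lists, sorted, the transactions whose FWSTrace failure is
// explained by the smtrace missing-configuration message. A transaction with the same
// FWSTrace reason but no smtrace message has some other cause and is left out.
func SignatureConfigFailures(smtrace, fwstrace string) []string {
	var ids []string
	for id, f := range Correlate(smtrace, fwstrace) {
		if f.MissingConfig && f.FWSReason == "FAILED_INVALID_RESPONSE_RETURNED" {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	for _, id := range SignatureConfigFailures(sampleSmtrace, sampleFWSTrace) {
		fmt.Printf("%s: AuthnRequest signature not verified; verification certificate has no issuer DN or serial\n", id)
	}
}
```

To run it against real traces, replace the two constants with the contents of the smtrace and FWSTrace files (for example via os.ReadFile). The constructed second transaction is deliberately not reported: FAILED_INVALID_RESPONSE_RETURNED is a generic reason, and only the smtrace line ties the failure to the certificate configuration.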

How can we fix this?

 

Cause

 

The SP sends a signed AuthnRequest, but the IdP either does not hold
the certificate needed to verify the signature on the AuthnRequest, or
the certificate selected in the IdP partnership has null certIssuerDN
and certSerial values.

 

Environment

 

  Policy Server: 12.52 SP1 CR2 (any supported version)
  Policy Server OS: Red Hat, Windows, Solaris (any supported version)

 

Resolution

 

1. Open the IdP partnership configuration and click "Signature and
   encryption". Under "Verification Certificate Alias", check whether
   a certificate is selected at all. If none is, the IdP has no public
   certificate with which to verify the SP's signature on the
   AuthnRequest.

2. If a certificate is selected, check whether it has certIssuerDN and
   certSerial values. The message "Missing configuration data of
   DSigVerInfoIssuerDN or DSigVerInfoSerialNumber" is logged when the
   selected certificate is missing its certIssuerDN or certSerial
   value; the policy server identifies the verification certificate by
   those two values, so it stops before attempting to verify the
   signature.