FAILED_INVALID_RESPONSE_RETURNED in AuthnRequest in SPS

Article ID: 40987


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Federation (SiteMinder)
SITEMINDER

Issue/Introduction


Running CA Access Gateway (SPS) in a Service Provider (SP) initiated flow in which the SP signs the AuthnRequest and the Identity Provider (IdP) has to verify the AuthnRequest signature.

In an SP-initiated transaction, the SP sends the AuthnRequest to the IdP. In many deployments the SP signs the AuthnRequest, and the IdP then has to verify the SP's signature.

The signature is applied for additional security: it lets the IdP confirm that the request was produced by the partner SP and was not altered in transit.

The AuthnRequest is signed with the signing party's (here the SP's) private key, and the signature is verified with the signing party's public certificate. The IdP therefore needs that certificate, with its identifying data, configured on the partnership.

When that verification fails on the IdP, lines similar to the following appear in the CA Access Gateway (SPS) FWStrace:

[04/04/2016][15:08:01][3620][3780][<transaction_ID>][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.] 
[04/04/2016][15:08:01][3620][3780][<transaction_ID>][SSO.java][processAssertionGeneration][Transaction with ID: <transaction_ID> failed. Reason: FAILED_INVALID_RESPONSE_RETURNED] 
[04/04/2016][15:08:01][3620][3780][<transaction_ID>][SSO.java][processAssertionGeneration][Transaction with ID: <transaction_ID> failed. Reason: FAILED_INVALID_RESPONSE_RETURNED] 
[04/04/2016][15:08:01][3620][3780][<transaction_ID>][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.] 
[04/04/2016][15:08:01][3620][3780][<transaction_ID>][ErrorRedirectionHandler.java][redirectToErrorPage][Redirecting to URL:https://_host.example.com/errorpages/servererror.html With Redirect mode as 'NO DATA'] 

From the Policy Server trace, immediately after the "Validating AuthnRequest" message, the following can be seen:

[04/04/2016][15:08:00.801][15:08:00][1948][2516][AuthnRequestProtocol.java][verifySignatureOnRequest][Missing configuration data of DSigVerInfoIssuerDN or DSigVerInfoSerialNumber][][][][][][][][][][][<transaction_ID>][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/04/2016][15:08:00.801][15:08:00][1948][2516][AssertionGenerator.java][invoke][AssertionHandler preProcess() failed. Leaving AssertionGenerator.][][][][][][][][][][][<transaction_ID>][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 
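The correlation a practitioner does by hand between these two traces, scripted as an added example (not from this article or from CA/Broadcom): pull every transaction the SPS denied, with its reason, out of FWStrace, then list the Policy Server messages carrying the same transaction ID and map the signature-verification message to the check this article prescribes. The trace excerpts embedded in the script are constructed from the lines quoted above; the transaction ID, the method name on the "Validating AuthnRequest" line and the number of empty trailing fields are assumptions.

```shell
#!/bin/sh
# Added example, not CA/Broadcom code. The two trace excerpts are constructed
# from the lines quoted in this article; the transaction ID is made up, and the
# "Validating AuthnRequest" line's method name and the empty trailing fields
# are assumptions about the trace layout.
TXID="7f3a9c1e-sample-txid"

FWSTRACE=$(cat <<EOF
[04/04/2016][15:08:01][3620][3780][$TXID][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
[04/04/2016][15:08:01][3620][3780][$TXID][SSO.java][processAssertionGeneration][Transaction with ID: $TXID failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
[04/04/2016][15:08:01][3620][3780][$TXID][SSO.java][processAssertionGeneration][Transaction with ID: $TXID failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
[04/04/2016][15:08:01][3620][3780][$TXID][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]
EOF
)

PSTRACE=$(cat <<EOF
[04/04/2016][15:08:00.799][15:08:00][1948][2516][AuthnRequestProtocol.java][processAuthnRequest][Validating AuthnRequest][][][][][][][][][][][$TXID][][]
[04/04/2016][15:08:00.801][15:08:00][1948][2516][AuthnRequestProtocol.java][verifySignatureOnRequest][Missing configuration data of DSigVerInfoIssuerDN or DSigVerInfoSerialNumber][][][][][][][][][][][$TXID][][]
[04/04/2016][15:08:00.801][15:08:00][1948][2516][AssertionGenerator.java][invoke][AssertionHandler preProcess() failed. Leaving AssertionGenerator.][][][][][][][][][][][$TXID][][]
EOF
)

# FWStrace: one "<txid> <reason>" line per denied transaction (duplicates collapsed).
failed_transactions() {
    printf '%s\n' "$FWSTRACE" |
        sed -n 's/.*Transaction with ID: \([^ ]*\) failed\. Reason: \([A-Z_]*\).*/\1 \2/p' |
        sort -u
}

# Policy Server trace: the message (8th bracketed field) of every line that
# carries the given transaction ID in one of its trailing fields.
ps_messages_for() {
    printf '%s\n' "$PSTRACE" | grep -F "[$1]" | awk -F'\\]\\[' '{ print $8 }'
}

# The Policy Server message this article ties to a cause, and the check it prescribes.
diagnose() {
    case "$1" in
        *"Missing configuration data of DSigVerInfoIssuerDN or DSigVerInfoSerialNumber"*)
            echo "IdP partnership > Signature and encryption > Verification Certificate Alias: no certificate is selected, or the selected certificate has empty certIssuerDN / certSerial values" ;;
    esac
}

report() {
    failed_transactions | while read -r txid reason; do
        echo "transaction $txid denied by SPS, reason $reason"
        ps_messages_for "$txid" | while read -r msg; do
            echo "  Policy Server: $msg"
            hint=$(diagnose "$msg")
            if [ -n "$hint" ]; then echo "    check: $hint"; fi
        done
    done
}

report
```

Against real traces, replace the two embedded excerpts with `cat` of the FWStrace and Policy Server trace files; the transaction ID is the join key, and the SPS reason alone (FAILED_INVALID_RESPONSE_RETURNED) says only that the assertion generator answered "NO", so the Policy Server side is where the actual cause is.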

 

Environment

 

  Policy server: 12.8.x
  Policy server OS: ANY

 

Cause


The SP is sending a signed AuthnRequest.

The IdP either does not have the certificate needed to verify the AuthnRequest signature, or the verification certificate selected on the IdP partnership has certIssuerDN and certSerial values equal to null. The Policy Server then cannot verify the signature, the assertion generator returns "NO", and the SPS denies the request with FAILED_INVALID_RESPONSE_RETURNED.

 

Resolution

 

  1. Open the IdP partnership configuration.

    Click "Signature and encryption" and locate the "Verification Certificate Alias" option.
    Check whether a certificate is selected as the "Verification Certificate Alias". If none is, select the SP's signing certificate (the public certificate matching the private key the SP signs with).

  2. If a certificate is selected, check whether that certificate is missing the certIssuerDN and certSerial values.

    The "Missing configuration data of DSigVerInfoIssuerDN or DSigVerInfoSerialNumber" message is generated when the selected certificate is missing the certIssuerDN and certSerial values. These are the data the Policy Server needs to use that certificate for signature verification, so a certificate stored without them cannot verify the SP's AuthnRequest.
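To make the signing relationship from the Issue/Introduction and the two checks above concrete, the following is an added example in shell with openssl; it is not CA/Broadcom code and everything in it is constructed. It generates a throwaway SP signing certificate, prints the issuer DN and serial number that the verification certificate on the IdP partnership has to carry, signs a toy AuthnRequest the way the SAML 2.0 HTTP-Redirect binding's simple signature does (the binding is an assumption, since the article does not say which one the SP uses, and the DEFLATE step is omitted), and then verifies it with the right certificate, with a tampered request, and with a certificate from an unrelated key pair standing in for a wrong verification certificate.

```shell
#!/bin/sh
# Added example, not CA/Broadcom code. Everything here is constructed:
# a throwaway SP signing key pair, a toy AuthnRequest, and the SAML 2.0
# HTTP-Redirect binding's "simple signature" (assumed binding; the real
# binding also DEFLATEs the request before base64, which is omitted here).
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The SP's signing key pair. The certificate is what the SP hands the
#    IdP administrator to select as the partnership's verification certificate.
make_sp_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=sp.example.com" \
        -keyout "$WORK/sp-signing.key" -out "$WORK/sp-signing.crt" >/dev/null 2>&1
}

# 2. The two values the verification certificate must carry on the IdP side.
#    A stored certificate with either of them empty is the condition the
#    "Missing configuration data of DSigVerInfoIssuerDN or
#    DSigVerInfoSerialNumber" trace line reports.
cert_issuer_dn() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'; }
cert_serial()    { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# 3. SP side. The redirect binding signs the URL-encoded query string
#    SAMLRequest=...&RelayState=...&SigAlg=... with the SP private key.
b64url() { openssl base64 -A | sed 's/+/%2B/g; s,/,%2F,g; s/=/%3D/g'; }
SAML_REQUEST=$(printf '%s' '<samlp:AuthnRequest ID="_1" Version="2.0"/>' | b64url)
SIG_ALG='http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256'
signed_string() { printf 'SAMLRequest=%s&RelayState=%s&SigAlg=%s' "$SAML_REQUEST" "$1" "$SIG_ALG"; }

sp_sign() {   # $1 = URL-encoded RelayState; prints the base64 Signature value
    signed_string "$1" | openssl dgst -sha256 -sign "$WORK/sp-signing.key" | openssl base64 -A
}

# 4. IdP side. Verification uses only the public key of the certificate
#    configured for the partnership; exit status 0 means the signature is valid.
idp_verify() {   # $1 = verification certificate, $2 = RelayState, $3 = Signature
    openssl x509 -in "$1" -pubkey -noout > "$WORK/verify.pub"
    printf '%s' "$3" | openssl base64 -d -A > "$WORK/sig.bin"
    signed_string "$2" | openssl dgst -sha256 -verify "$WORK/verify.pub" \
        -signature "$WORK/sig.bin" >/dev/null 2>&1
}

make_sp_cert
RELAY='https%3A%2F%2Fsp.example.com%2Fapp'
SIG=$(sp_sign "$RELAY")
echo "issuer DN the IdP verification certificate must carry: $(cert_issuer_dn "$WORK/sp-signing.crt")"
echo "serial number it must carry: $(cert_serial "$WORK/sp-signing.crt")"

if idp_verify "$WORK/sp-signing.crt" "$RELAY" "$SIG"; then
    echo "verify with the SP's certificate: OK"
fi
if ! idp_verify "$WORK/sp-signing.crt" "${RELAY}x" "$SIG"; then
    echo "verify with a tampered RelayState: rejected (expected)"
fi
# A certificate from an unrelated key pair stands in for selecting the wrong
# verification certificate on the IdP partnership.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=other.example.com" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
if ! idp_verify "$WORK/other.crt" "$RELAY" "$SIG"; then
    echo "verify with an unrelated certificate: rejected (expected)"
fi
```

The point of the last two checks is the one behind step 2: verification is only as good as the certificate the IdP has on file. If that entry is missing, or is stored without the issuer DN and serial number that identify it, the IdP has nothing it can trust to verify against and the request is denied, whatever the SP signed with.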