The exception below appears in the Federation trace while a signed SamlResponse is being validated on the SP side.
The IdP public certificate has been imported correctly and is selected in the Partnership to validate the signature, yet the signature check still fails.
[AuthnRequestProtocol.java][verifySignatureOnRequest][10418a9a-5d4cd175-6e50e7ba-647ff9c4-19dffee2-5ea7][][][][][][][][][][][][][][][][][][][][Certificate not found for issuer DN: CN=*******, O="****.", C=**** serial number: *********************]
[SAML20: Assertion rejected (_4798d3be29005c2aa200a22ff4cbca1f9ede): DSigException caught while verifying assertion: Error in DSigVerifier: cert not found or sig not verified - Caught an Exception either finding certificate in DB or verifying using IXMLSignature implementor - Certificate from Database does not match the Certificate in message.][][][]
Policy server version 12.52 SP1 CR04
The "Certificate not found for issuer DN" error can have more than one cause:
1) The Issuer DN of the certificate included in the SamlResponse does not match the Issuer DN of the certificate selected in the partnership to validate the signature, i.e. the response was signed with a different certificate than the one imported.
2) Defect DE156901 is open against the 12.52 SP1 CRx Policy Server: importing the certificate into the CDS database creates the Issuer DN correctly, but when the Policy Server creates or syncs the certificate into the FED objects the Issuer DN is not written correctly, because of escaped characters in the certificate's Issuer DN.
NOTE --> The Issuer DN in the CDS object and in the FED object must match *exactly*; the comparison is a plain string match, so double spaces, escape characters, and single versus double quotation marks all make the lookup fail.
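The following script is an added example (stdlib Python only, not part of the original article or of the SiteMinder product) that makes the distinction between the two causes concrete. It parses two Issuer DN strings, accepting both the RFC 4514 backslash-escaped spelling and the RFC 1779 double-quoted spelling of a value that contains a comma, and reports whether they are byte-for-byte equal (what the Policy Server lookup needs), whether they name the same issuer (Cause 2 shape: same issuer, different escaping) or not (Cause 1 shape: a different certificate), and the offset of the first differing character, which is what you need when correcting the value in XPSExplorer. The DN strings are constructed samples; the defect itself produces whatever escaping the real certificate carries.

```python
"""
Diagnose why an Issuer DN stored for a partnership certificate fails the
exact-string lookup behind "Certificate not found for issuer DN".
Added example using only the standard library; the DN strings are
constructed samples, not values from a real deployment.
"""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string into (attribute, value) pairs.

    Accepts both the RFC 4514 spelling (O=Example\\, Inc.) and the
    RFC 1779 spelling (O="Example, Inc.") of a value containing a comma,
    and tolerates extra spaces between RDNs, so that two spellings of the
    same issuer parse to the same pairs.
    """
    rdns: List[RDN] = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.index("=", i)            # ValueError on a malformed DN
        attr = dn[i:eq].strip()
        i = eq + 1
        while i < n and dn[i] == " ":
            i += 1
        chars: List[str] = []
        if i < n and dn[i] == '"':       # RFC 1779 quoted value
            i += 1
            while i < n and dn[i] != '"':
                if dn[i] == "\\" and i + 1 < n:   # escaped quote inside quotes
                    i += 1
                chars.append(dn[i])
                i += 1
            i += 1                       # skip the closing quote
        else:                            # RFC 4514 escaped value
            while i < n and dn[i] != ",":
                if dn[i] == "\\" and i + 1 < n:   # escaped special character
                    i += 1
                chars.append(dn[i])
                i += 1
        rdns.append((attr, "".join(chars).rstrip()))
        while i < n and dn[i] in ", ":   # separator and any run of spaces
            i += 1
    return rdns


def first_difference(a: str, b: str) -> int:
    """Offset of the first character at which a and b differ, -1 if equal."""
    for k, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return k
    return -1 if len(a) == len(b) else min(len(a), len(b))


def compare_issuer_dn(cds_dn: str, fed_dn: str) -> Dict[str, object]:
    """Compare the Issuer DN held in the CDS object with the one in the
    FED object.  'exact' is what the Policy Server lookup requires;
    'semantic' says whether both strings name the same issuer, i.e.
    whether the mismatch is only escaping/whitespace (Cause 2) or a
    genuinely different certificate (Cause 1)."""
    cds, fed = parse_dn(cds_dn), parse_dn(fed_dn)
    cds_norm = [(t.upper(), v) for t, v in cds]   # attribute types are case-insensitive
    fed_norm = [(t.upper(), v) for t, v in fed]
    return {
        "exact": cds_dn == fed_dn,
        "semantic": cds_norm == fed_norm,
        "first_diff_offset": first_difference(cds_dn, fed_dn),
        "cds_rdns": cds,
        "fed_rdns": fed,
    }


# Constructed samples: same issuer, two spellings (the Cause 2 shape).
CDS_ISSUER_DN = 'CN=idp-signing, O="Example, Inc.", C=US'
FED_ISSUER_DN = 'CN=idp-signing, O=Example\\, Inc., C=US'
# Constructed sample: a different issuer altogether (the Cause 1 shape).
OTHER_ISSUER_DN = 'CN=idp-signing, O="Example Holdings, Inc.", C=US'

if __name__ == "__main__":
    for label, fed in (("escaping only", FED_ISSUER_DN), ("other certificate", OTHER_ISSUER_DN)):
        r = compare_issuer_dn(CDS_ISSUER_DN, fed)
        print(f"{label}: exact={r['exact']} semantic={r['semantic']} "
              f"first difference at offset {r['first_diff_offset']}")
```

To obtain the issuer string of the certificate actually carried in the SamlResponse for the cds_dn side, extract the ds:X509Certificate value into a PEM file and run `openssl x509 -in cert.pem -noout -issuer -nameopt RFC2253`; a result of exact=False with semantic=True points at the escaping problem in the FED object (Cause 2), while semantic=False means the IdP is signing with a certificate other than the one imported (Cause 1).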
To resolve the issue described in Cause 2 above, follow these steps:
1. Disable the partnership in question
2. Check the "Disable Signature Processing" checkbox.
3. Save the partnership.
4. Launch XPSExplorer, navigate to the CDS Certs section (should be option 3), select the appropriate certificate, and copy the Issuer DN exactly as displayed (the leading and trailing quotation marks ["] are not part of the value and need not be copied).
5. Navigate to the Fed Certs section (should be option 27), select the appropriate certificate, modify its IssuerDN, and paste the IssuerDN copied from the CDS object.
6. Save, and quit out.
7. Modify the partnership, and uncheck the "Disable Signature Processing" box.
8. Re-Enable the Partnership.
Defect DE156901 has been filed for the issue described above.