
DSigException caught while verifying assertion: Error in DSigVerifier: cert not found or sig not verified


Article ID: 42542


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Issue/Problem/Symptoms: 

The following exception appears in the Federation trace while the SP validates a signed SAML Response.

The IdP public certificate has been imported correctly and is selected in the Partnership for signature validation, yet verification still fails.

[AuthnRequestProtocol.java][verifySignatureOnRequest][10418a9a-5d4cd175-6e50e7ba-647ff9c4-19dffee2-5ea7][][][][][][][][][][][][][][][][][][][][Certificate not found for issuer DN: CN=*******, O="****.", C=**** serial number: *********************] 

[SAML20: Assertion rejected (_4798d3be29005c2aa200a22ff4cbca1f9ede): DSigException caught while verifying assertion: Error in DSigVerifier: cert not found or sig not verified - Caught an Exception either finding certificate in DB or verifying using IXMLSignature implementor - Certificate from Database does not match the Certificate in message.][][][] 

 

Environment:  

Policy server version 12.52 SP1 CR04 

 

Cause: 

There are several possible causes for the "Certificate not found for issuer DN" message:

1) The Issuer DN of the certificate carried in the SAML Response does not match the Issuer DN of the certificate selected in the Partnership to validate the signature (a genuinely different issuer).

2) Defect DE156901, opened against the 12.52 SP1 CRx Policy Server: importing the certificate into the CDS database creates the Issuer DN correctly, but when the Policy Server creates or syncs the certificate into the FED objects, the Issuer DN is not written correctly because of escaped characters in the certificate's Issuer DN. The signature verifier then looks the issuer up by the mangled DN, finds no matching certificate, and rejects the assertion.

 

Resolution/Workaround:

NOTE --> The Issuer DN under the CDS and FED objects must match *exactly* as text. This includes double spaces, escape characters, and single versus double quotation marks: two DNs that are semantically the same but written differently are treated as different issuers.
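The exact-match requirement can be checked mechanically before touching XPSExplorer. The following Python is an added example, not part of the article or of CA/Broadcom's code: it parses two Issuer DN strings (RFC 4514 backslash escapes and RFC 1779 double-quoted values), then classifies a CDS/FED pair as identical, equivalent-but-differently-written (the DE156901 symptom), or genuinely different (Cause 1). It also pulls the issuer DN and serial number out of a trace line in the shape of the redacted one above. The DN values, serial number and trace line are constructed for the example.

```python
import re

# Constructed sample values (not from the article): the Issuer DN as the CDS
# import stores it (RFC 1779 quoted O= value, the shape of the redacted DN in
# the trace), the same DN written with a backslash escape instead of quotes,
# and a genuinely different issuer.
CDS_ISSUER_DN = 'CN=Example IdP CA, O="Example, Inc.", C=US'
FED_ISSUER_DN = 'CN=Example IdP CA, O=Example\\, Inc., C=US'
OTHER_ISSUER_DN = 'CN=Other IdP CA, O="Example, Inc.", C=US'

# Constructed trace line modelled on the article's redacted one.
SAMPLE_TRACE = ('[AuthnRequestProtocol.java][verifySignatureOnRequest]'
                '[Certificate not found for issuer DN: '
                'CN=Example IdP CA, O="Example, Inc.", C=US serial number: 1a2b3c]')

_HEX = '0123456789abcdefABCDEF'


def parse_dn(dn):
    """Parse a DN string into a list of (TYPE, value) tuples.

    Accepts RFC 4514 backslash escapes (\\, and \\2C) and RFC 1779 double
    quoted values, so 'O="Example, Inc."' and 'O=Example\\, Inc.' give the
    same value. Hex escapes are decoded one byte at a time (ASCII-only
    simplification; multibyte UTF-8 escapes are not reassembled).
    """
    rdns, i, n = [], 0, len(dn)
    while i < n:
        while i < n and dn[i] in ' \t':
            i += 1
        if i >= n:
            break
        eq = dn.find('=', i)
        if eq < 0:
            raise ValueError('missing "=" after offset %d in %r' % (i, dn))
        attr = dn[i:eq].strip().upper()
        i = eq + 1
        while i < n and dn[i] in ' \t':
            i += 1
        value = []
        if i < n and dn[i] == '"':
            i += 1  # quoted value: separators inside the quotes are literal
            while i < n and dn[i] != '"':
                if dn[i] == '\\' and i + 1 < n:
                    i += 1
                value.append(dn[i])
                i += 1
            if i >= n:
                raise ValueError('unterminated quoted value in %r' % dn)
            i += 1  # closing quote
        else:
            while i < n and dn[i] not in ',;':
                if dn[i] == '\\' and i + 1 < n:
                    if i + 2 < n and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                        value.append(chr(int(dn[i + 1:i + 3], 16)))
                        i += 3
                    else:
                        value.append(dn[i + 1])  # escaped special character
                        i += 2
                    continue
                value.append(dn[i])
                i += 1
        while i < n and dn[i] in ' \t':
            i += 1
        if i < n and dn[i] in ',;':
            i += 1
        rdns.append((attr, ''.join(value).strip()))
    return rdns


def compare_issuer_dn(cds_dn, fed_dn):
    """Classify a CDS-vs-FED Issuer DN pair.

    'exact'      : identical text; the lookup the verifier performs succeeds.
    'equivalent' : same RDNs once parsed, but the text differs (quoting,
                   escaping, whitespace). This is the DE156901 symptom; the
                   FED object's IssuerDN has to be set to the CDS text.
    'different'  : a different issuer altogether (Cause 1 in the article).
    """
    if cds_dn == fed_dn:
        return 'exact'
    if parse_dn(cds_dn) == parse_dn(fed_dn):
        return 'equivalent'
    return 'different'


_TRACE_RE = re.compile(r'Certificate not found for issuer DN: (.*?) serial number: (\S+?)\]')


def issuer_from_trace(line):
    """Return (issuer_dn, serial) from a 'Certificate not found' trace line, or None."""
    m = _TRACE_RE.search(line)
    return (m.group(1).strip(), m.group(2)) if m else None


if __name__ == '__main__':
    dn, serial = issuer_from_trace(SAMPLE_TRACE)
    print('trace issuer:', dn, '| serial:', serial)
    for label, fed in (('fed-object', FED_ISSUER_DN), ('other-ca', OTHER_ISSUER_DN)):
        print(label, '->', compare_issuer_dn(dn, fed))
```

Paste the IssuerDN shown in XPSExplorer for the CDS object and for the Fed Certs object in place of the two constants: 'equivalent' means the workaround below applies; 'different' means the certificate in the message is simply not the one selected in the Partnership, and no amount of DN editing will make the signature verify.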

 

To resolve the issue described in Cause 2 above, follow these steps:

1. Disable the partnership in question

2. Check the "Disable Signature Processing" checkbox. 

3. Save the partnership. 

4. Launch XPSExplorer, navigate to the CDS Certs section (should be option 3), select the appropriate certificate, and copy the Issuer DN exactly as displayed (the leading and trailing quotation marks ["] are not part of the value and are not needed).

5. Navigate to the Fed Certs section (should be option 27), select the same certificate, modify its IssuerDN, and paste the Issuer DN copied from the CDS object so that the two values are identical character for character.

6. Save, and quit out. 

7. Modify the partnership, and uncheck the "Disable Signature Processing" box. 

8. Re-Enable the Partnership.

 

Additional Information:

DE156901 has been filed for the issue described above.

 

Environment

Component: SMFED