Siteminder Federation Transaction Failing with Signature Validation Error
Article ID: 434476

Products

SITEMINDER

Issue/Introduction

Error during an Identity Provider (IDP) initiated SAML authentication. The Service Provider (SP) receives the response and fails with the error "Signature on response does not verify". When signature validation is disabled, the transaction completes successfully.

[MM/DD/YYYY][HH:mm:ss.ms][140221286971136][][][][][][][][][][][][][][lpArray[1]=SAML20: Response message rejected: Signature on response does not verify][][][][SmAuthenticate][][][]
[MM/DD/YYYY][HH:mm:ss.ms][140221286971136][<Realm>][][][50][][<AuthScheme>][][][][<UserDirectory>][][][<AgentName>][** Status: Authentication Attempt Failed. ][][][][CSm_Auth_Message::SendReply][][][]

Environment

PRODUCT: Siteminder

COMPONENT: Policy Server (Federation)

VERSION: Any

OPERATING SYSTEM: Any

Cause

Root Cause: The SAML signature verification fails because the SP cannot decode the response from the IDP. This can occur for a number of reasons, which the steps below cover.

Resolution

  1. Verify with a Non-Wildcard Certificate: Request the client to test the SSO connection using a server-specific (non-wildcard) certificate, as internal cases indicate this resolves the signature verification error.
  2. Check the Signature Algorithm: Ensure the signing algorithm (e.g., SHA-256 vs SHA-1) used by the IdP matches what the Service Provider (SP) expects.
  3. Validate Outside SiteMinder: Use an external tool such as SAMLTool to verify the assertion signature manually. This helps determine whether the issue lies with the SAML message itself or with SiteMinder's processing of it.
  4. Inspect for Message Alteration: Check whether any intermediate proxy or load balancer is modifying the XML (e.g., stripping whitespace), which breaks the digital signature.
  5. Verify the Certificate Chain: Ensure the full certificate chain (Root and Intermediate CAs) is present and trusted in the SiteMinder Certificate Data Store (CDS).

Expected Outcome: The signature will be successfully verified, and the user will be authenticated without needing to disable signature validation.
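As an added illustration of steps 2 to 4 (this is not SiteMinder code and not a substitute for a full XML-DSig verifier), the Python script below decodes a SAMLResponse, reports which hash the ds:SignatureMethod and ds:DigestMethod use, and recomputes the Reference digest over the signed element, which shows why an intermediary that strips whitespace makes the signature fail. It canonicalizes with the standard-library C14N 2.0 writer rather than the Exclusive C14N 1.0 used by real SAML deployments, so the digest check only holds for the self-consistent sample built here; the response IDs and the dummy SignatureValue are constructed.

```python
import base64, copy, hashlib, re
import xml.etree.ElementTree as ET
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
for prefix, uri in (("ds", DS), ("samlp", SAMLP)):
    ET.register_namespace(prefix, uri)
HASHES = {  # hash behind the algorithm URIs found in ds:SignatureMethod / ds:DigestMethod
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "sha256",
}

def reference_digest(element, algorithm):
    """Digest of the signed element's canonical form with its own ds:Signature removed."""
    el = copy.deepcopy(element)
    el.tail = None  # ET.tostring would otherwise serialize trailing text as well
    for sig in el.findall(f"{{{DS}}}Signature"):
        el.remove(sig)
    canon = ET.canonicalize(ET.tostring(el, encoding="unicode"))  # C14N 2.0, see lead-in
    return base64.b64encode(hashlib.new(algorithm, canon.encode()).digest()).decode()

def inspect_saml_response(b64_response):
    """Report the algorithms in use and whether the signed bytes arrived unaltered."""
    root = ET.fromstring(base64.b64decode(b64_response))
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    sig = root.find(f".//{{{DS}}}Signature")
    sig_alg = sig.find(f".//{{{DS}}}SignatureMethod").get("Algorithm")
    ref = sig.find(f".//{{{DS}}}Reference")
    digest_alg = ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
    sent = ref.find(f"{{{DS}}}DigestValue").text.strip()
    target = by_id[ref.get("URI").lstrip("#")]
    return {"signature_hash": HASHES.get(sig_alg, "unknown"),  # step 2: SHA-1 vs SHA-256
            "digest_hash": HASHES.get(digest_alg, "unknown"),
            # False means the XML changed in transit, e.g. whitespace stripped (step 4)
            "digest_matches": reference_digest(target, HASHES[digest_alg]) == sent}

TEMPLATE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:ds="{DS}" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>DIGEST</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

def build_sample(altered=False):
    """Constructed IdP response: dummy SignatureValue, only the Reference digest is checked."""
    xml = TEMPLATE.replace("DIGEST", reference_digest(ET.fromstring(TEMPLATE), "sha256"))
    if altered:  # mimic a proxy that strips inter-element whitespace before the SP sees it
        xml = re.sub(r">\s+<", "><", xml)
    return base64.b64encode(xml.encode()).decode()
```

Run inspect_saml_response(build_sample()) and inspect_saml_response(build_sample(altered=True)) side by side: the algorithms are identical, but the digest only matches for the untouched response.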