Certificate issue in Inbound (SP) SAML 2.0 Federation


Article ID: 43715


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On



The Policy Server R12.52-SP1 is unable to match the certificate that is currently working in SiteMinder 6 Federation in Production. SAML signature verification for an inbound SAML response fails with the following errors printed in the policy server trace log on the SP side:


[Saml2Validator.java][verifyXML][Could not get certificate from trusted key database (IssuerName: CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US Serial Number: xxxxxxx) ][1217b0f8-5fc2d9f0-a0da50d7-b3aa4beb-fab8e645-ecc4][][][][][][][][][][][][][][][][][][][]

[Saml2Validator.java][verifySignature][Exception while verifying signature:

com.netegrity.ps.auth.saml.SamlValidationException: Could not get the certificate from the trusted key database.

at com.netegrity.ps.auth.saml.Saml2Validator.verifyXML(Saml2Validator.java:3220)

at com.netegrity.ps.auth.saml.Saml2Validator.verifySignature(Saml2Validator.java:596)

at com.netegrity.ps.auth.saml.Saml2Validator.smAuthenticate(Saml2Validator.java:881)

at com.netegrity.ps.auth.saml.SamlValidator.smAuthenticate(SamlValidator.java:380)

[Saml2Validator.java][smAuthenticate][Plugin is configured? false][1217b0f8-5fc2d9f0-a0da50d7-b3aa4beb-fab8e645-ecc4][][][][][][][][][][][][][][][][][][][]

[Saml2Validator.java][smAuthenticate][SAML20: Response message rejected: Signature on response does not verify][1217b0f8-5fc2d9f0-a0da50d7-b3aa4beb-fab8e645-ecc4][][][][][][][][][][][][][][][][][][][]



This issue is specific to Legacy Federation and not with Partnership Federation.



SiteMinder 12.52-SP1



1. There is an inconsistency between the cmd tool (smkeytool) and the GUI tool (Admin UI) in how the Issuer DN string is represented. The Admin UI adds and removes escape characters in the Issuer DN string.

2. Usually, if the Issuer DN string is copied from the Admin UI and pasted somewhere else, this causes trouble.

3. If the Issuer DN string is copied from the smkeytool -listcerts output and pasted somewhere else, this can often serve as a workaround.
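As an added illustration (not part of the original article), the Python below decodes the two spellings of the same Entrust issuer DN shown on this page (the quoted form in the trace log and the backslash-escaped form from smkeytool) into their RDN components, shows that a literal string comparison fails while a decoded comparison matches, and renders the smkeytool form that the article recommends pasting. It assumes the key-database lookup compares the stored Issuer DN string literally; the sample DNs are constructed from the page.

```python
import re

# Constructed sample DNs for the same issuer, in the two forms seen on this
# page: the quoted form printed in the Policy Server trace log (Admin UI
# style) and the backslash-escaped form printed by smkeytool -listcerts.
ADMIN_UI_DN = ('CN=Entrust Certification Authority - L1K, '
               'OU="(c) 2012 Entrust, Inc. - for authorized use only", '
               'OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US')
SMKEYTOOL_DN = (r'CN=Entrust Certification Authority - L1K,'
                r'OU=(c) 2012 Entrust\, Inc. - for authorized use only,'
                r'OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US')

def parse_dn(dn):
    r"""Split an RFC 4514 DN string into (attribute, value) pairs.

    Accepts both escaping styles: backslash escapes (O=Entrust\, Inc.) and
    quoted values (O="Entrust, Inc."). Attribute types are upper-cased.
    """
    rdns, i, n = [], 0, len(dn)
    while i < n:
        eq = dn.index('=', i)              # ValueError on a malformed RDN
        attr = dn[i:eq].strip().upper()
        i, value = eq + 1, []
        if i < n and dn[i] == '"':         # quoted value: read to closing quote
            i += 1
            while i < n and dn[i] != '"':
                if dn[i] == '\\' and i + 1 < n:
                    i += 1                 # keep the escaped character
                value.append(dn[i]); i += 1
            i += 1                         # skip the closing quote
        else:                              # bare value: read to unescaped ','
            while i < n and dn[i] != ',':
                if dn[i] == '\\' and i + 1 < n:
                    i += 1
                value.append(dn[i]); i += 1
        rdns.append((attr, ''.join(value).strip()))
        while i < n and dn[i] in ', ':     # skip the RDN separator and spaces
            i += 1
    return rdns

def dn_equal(a, b):
    """True when two DN strings name the same issuer, whatever the escaping."""
    return parse_dn(a) == parse_dn(b)

def to_backslash_form(rdns):
    """Render RDN pairs the way smkeytool prints them: backslash escapes for
    the RFC 4514 special characters, no quotes, no space after commas."""
    def esc(v):
        return re.sub(r'([,+"\\<>;])', r'\\\1', v)
    return ','.join(f'{a}={esc(v)}' for a, v in rdns)
```

Running `dn_equal(ADMIN_UI_DN, SMKEYTOOL_DN)` returns True even though the two strings differ byte for byte, which is exactly the mismatch a literal comparison of the stored Issuer DN would report.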


Engineering is working to resolve this issue.



1. Run the following in cmd from c:\temp: smkeytool -listcerts -alias cert1

You will get 


Alias Name: cert1 

Type: CertificateEntry 

Subject: CN=xxxxxxxxxxxxxxxx,O=xxxxxxxxxxxxx\, Inc.,L=xxxx xxxxx,ST=xxxxxxxx,C=US 

Issuer: CN=Entrust Certification Authority - L1K,OU=(c) 2012 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US 

Serial Number: xxxxxxxxx 

Valid from: Tue Mar 31 13:36:53 EDT 2015 until: Sat Mar 31 20:27:48 EDT 2018 

Revocation Status: Revocation is not configured. 



2. Copy the Issuer DN String to FSSUI to replace the original string and click save. 


3. Test again and search the IDP's smtracedefault.log for "verifySignatureOnRequest". You should get

[AuthnRequestProtocol.java][verifySignatureOnRequest][][][][][][][][Authnrequest signature is valid.] 


- OR -


1. Disable the partnership which is using the certificate in the AdminUI.

2. Check the "Disable Signature Processing" checkbox. 

3. Save the partnership. 

4. Launch XPSExplorer, navigate to the CDS Certs section (option 3), select the appropriate certificate, and copy the Issuer DN exactly (you do not need the leading and trailing quotation marks ["]). 

5. Navigate to the Fed Certs (option 27), select the appropriate certificate, modify its IssuerDN, and paste the copied Issuer DN in. 

6. Save, and quit out. 

7. Modify the partnership, and uncheck the "Disable Signature Processing" box. 


8. Re-Enable the Partnership.


Additional Information:

Associated Defect: DE156901




Component: SMPLC