SiteMinder: Exception processing signature: Error in DSigVerifier - Unsupported Signing Algorithm

Article ID: 5927

Products

CA Single Sign On Secure Proxy Server (SiteMinder)

CA Single Sign On SOA Security Manager (SiteMinder)

CA Single Sign-On

Issue/Introduction

An issue was observed with digital signature processing during SP-initiated SSO (an AuthnRequest sent to SiteMinder acting as the IdP).

The SP's public certificate uses MD5RSA as its signing algorithm. The integration is with Oracle Cloud, acting as the SP.

SiteMinder throws the following error while verifying the signature on the authentication request.

AffWeb logs:

[8680/8240][Thu Feb 23 2017 08:31:57][SSO.java][ERROR][sm-FedClient-02890] Transaction with ID: 84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a failed. Reason: FAILED_INVALID_RESPONSE_RETURNED (, , )

FWS trace:

[02/23/2017][08:31:57][8680][8240][84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]

[02/23/2017][08:31:57][8680][8240][84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a][SSO.java][processAssertionGeneration][Transaction with ID: 84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]

[02/23/2017][08:31:57][8680][8240][84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]

SMPS logs:

[2172/6208][Thu Feb 23 2017 08:31:56][AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error.
<Response ID="_2e805f12343e568be67ab3ef93c663953cfd" InResponseTo="id-gVvQeec4Hj3FiiXL9aXMj8FArymCxHs1i2Ru2dGm" IssueInstant="2017-02-23T13:31:56Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">oracle_sp</ns1:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <StatusMessage>Exception processing signature.</StatusMessage>
  </Status>
</Response>

SM Profiler logs:

[02/23/2017][08:31:56][6208][84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a][AuthnRequestProtocol.java][verifySignatureOnRequest][][][][][][][][Exception processing signature: Error in DSigVerifier - Unsupported Signing Algorithm]

[02/23/2017][08:31:56][6208][84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a][AssertionGenerator.java][invoke][][][][][][][][AssertionHandler preProcess() failed. Leaving AssertionGenerator.]

Environment

Policy server: R12.52 SP1 CR02

Cause

MD5RSA is not a supported signing algorithm, hence the errors above.

Resolution

The signing algorithms supported by SiteMinder are:

RSAwithSHA1

RSAwithSHA256

Use one of the supported signing algorithms to avoid the issue.

Additional Information

An IdP-->SP partnership in which the IdP signs assertions, responses and SLO-SOAP messages with the RSAwithSHA1 or RSAwithSHA256 algorithm.

An SP-->IdP partnership in which the SP signs authentication requests and SLO-SOAP messages with the RSAwithSHA1 or RSAwithSHA256 algorithm.

Signature verification automatically detects which algorithm is in use on a signed document and then verifies it. No configuration for signature verification is required.
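Because verification auto-detects the algorithm, the only way to avoid the DSigVerifier error is to make sure the SP never sends an unsupported one. The following is an added example, not SiteMinder product code or anything from the Oracle Cloud integration: it reads the ds:SignatureMethod of a SAML 2.0 AuthnRequest and classifies it against the two algorithms the article lists as supported, so an MD5-based signature is caught during partnership review instead of surfacing as "Unsupported Signing Algorithm" in the SMPS logs. The AuthnRequest samples, issuer URL and request ID are constructed, and the signature and digest values are placeholders; the check classifies the declared algorithm only and does not verify the signature.

```python
"""Pre-check of the XML signature algorithm on a SAML 2.0 AuthnRequest.

Added example (not SiteMinder product code). It parses the ds:SignatureMethod
of an AuthnRequest and reports whether the algorithm is one the article lists
as supported (RSAwithSHA1, RSAwithSHA256). The sample requests below are
constructed; their SignatureValue/DigestValue are placeholders, so this check
only classifies the declared algorithm and does not verify the signature.
"""
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# XML-DSig algorithm URIs for the two algorithms the article lists as supported.
SUPPORTED_SIGNATURE_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSAwithSHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSAwithSHA256",
}
RSA_MD5_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-md5"
RSA_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed AuthnRequest skeleton; {alg} is filled with the SignatureMethod URI.
AUTHN_REQUEST_TEMPLATE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-constructed-0001" Version="2.0" IssueInstant="2017-02-23T13:31:56Z">
  <saml:Issuer>https://sp.example.com/saml</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{alg}"/>
      <ds:Reference URI="#id-constructed-0001">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>
"""


def build_request(alg_uri: str) -> str:
    """Return the constructed AuthnRequest with the given SignatureMethod URI."""
    return AUTHN_REQUEST_TEMPLATE.format(alg=alg_uri)


def signature_method(saml_xml: str) -> Optional[str]:
    """Return the Algorithm URI of the first ds:SignatureMethod, or None if unsigned."""
    root = ET.fromstring(saml_xml)
    node = root.find(f".//{{{DS_NS}}}SignatureMethod")
    return node.get("Algorithm") if node is not None else None


def check_signature_method(saml_xml: str) -> Tuple[bool, str]:
    """Classify the request's signing algorithm against the supported list.

    Returns (supported, detail). Run this on a captured AuthnRequest during
    partnership setup; an unsupported URI here is exactly what DSigVerifier
    would reject at runtime.
    """
    alg = signature_method(saml_xml)
    if alg is None:
        return False, "no ds:Signature/ds:SignatureMethod found in the request"
    name = SUPPORTED_SIGNATURE_METHODS.get(alg)
    if name is not None:
        return True, f"{name} ({alg})"
    return False, f"unsupported signing algorithm: {alg}"


MD5_REQUEST = build_request(RSA_MD5_URI)        # reproduces the failing case
SHA256_REQUEST = build_request(RSA_SHA256_URI)  # the recommended configuration

if __name__ == "__main__":
    for label, req in (("MD5 request", MD5_REQUEST), ("SHA-256 request", SHA256_REQUEST)):
        ok, detail = check_signature_method(req)
        print(f"{label}: {'OK' if ok else 'REJECT'} - {detail}")
```

The check above looks at the signature on the message, which is what the verifier evaluates. The MD5RSA value the article reports on the SP's public certificate is a separate field, the certificate's own signature algorithm; it can be read from the SP metadata certificate with `openssl x509 -in sp.crt -noout -text` under "Signature Algorithm", and a certificate re-issued with a SHA-256 signature should be requested from the SP side along with the signing-algorithm change.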