Expired Signing Certificate

Article ID: 74977

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction



We have several federation partnerships configured with the same IDP. As of March 23rd, the certificate provided by them expired, and probably since then the federation between them and us isn't working anymore. Does SiteMinder validate that the signature certificate is valid before doing anything? We are getting these errors in the FWSTrace log file:
[processFailedAuthentication][SAML Assertion based user authentication failed.] [Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:

Resolution

SiteMinder will not allow a SAML transaction to proceed if the signature on a signed document, such as an assertion, cannot be verified, unless Signature Processing is disabled. An expired signing certificate causes signature verification to fail, so the assertion is rejected and the login failure above is logged. Signature Processing should only be disabled in non-production environments.