403 Forbidden error while Accessing SAML Applications

Article ID: 7886

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We are getting the errors below while trying to access the SAML
application URLs for an IdP-initiated transaction. The error displayed
in the browser is a 403 Forbidden error:

  [31839/3992509296][Tue Jul 25 2017 13:03:16][AssertionGenerator.java][ERROR][sm-FedServer-00130]
  postProcess() returns fatal error.
  <Response ID="_9068337c7b67a02d32f299d8358f112a23dc"
            IssueInstant="2017-07-25T13:03:16Z" Version="2.0"
            xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">http://www.abc.com/wps/portal</ns1:Issuer>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
      <StatusMessage>Error Signing Assertion.</StatusMessage>
    </Status>
  </Response>

How can we solve this?

Cause

The keys used to sign the assertion were corrupted. The IdP therefore
returned a SAML Response with the Responder status code and the message
"Error Signing Assertion." instead of a signed assertion, which the
Federation Web Services surfaced to the browser as a 403 Forbidden error.

Environment

Policy Server 12.52.x on Red Hat 6, 64-bit;
Web Agent 12.52.x on Red Hat 6, 64-bit;
Web Agent Option Pack 12.52.x on Red Hat 6, 64-bit;

Resolution

Importing new, working private keys into the CDS (Certificate Data
Store) resolved the issue.

Instructions can be found here:

  Import Trusted Certificates and Key Certificate Pairs
  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/configuring/key-and-certificate-management/import-trusted-certificates-and-key-certificate-pairs.html
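The FedServer log line above embeds the full SAML Response, so the status code and message can be pulled out automatically when triaging a 403 on an IdP-initiated flow. The following script is an added example and not part of this article or of the SiteMinder product: it extracts the <Response> element from a log line, reads the Issuer, StatusCode and StatusMessage using Python's standard library only, and maps a Responder status with the "Error Signing Assertion." message to the cause documented in this article. The sample log text is constructed from the error shown above, and the TRIAGE_HINTS table is an assumption based on this article's cause and resolution, not an official SiteMinder error catalogue.

```python
"""Triage SAML <Response> status blocks found in SiteMinder FedServer log output.

Added example; the log text is constructed from the KB article's error and
the triage hints are assumptions, not an official SiteMinder error table.
"""
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the FedServer log line from the article, flattened onto one line.
SAMPLE_LOG = (
    "[31839/3992509296][Tue Jul 25 2017 13:03:16][AssertionGenerator.java]"
    "[ERROR][sm-FedServer-00130] postProcess() returns fatal error. "
    '<Response ID="_9068337c7b67a02d32f299d8358f112a23dc" '
    'IssueInstant="2017-07-25T13:03:16Z" Version="2.0" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" '
    'xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">'
    "http://www.abc.com/wps/portal</ns1:Issuer>"
    "<Status>"
    '<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
    "<StatusMessage>Error Signing Assertion.</StatusMessage>"
    "</Status></Response>"
)

# Constructed sample of a healthy response, for contrast (not from the article).
SAMPLE_OK = (
    '<Response ID="_constructed_ok" Version="2.0" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>'
    "</Response>"
)

# Assumed triage table keyed on the lower-cased StatusMessage text.
TRIAGE_HINTS = {
    "error signing assertion": "IdP could not sign: check the signing key pair in the CDS",
}


def extract_response(log_text):
    """Return the <Response ...>...</Response> XML embedded in a log line, or None."""
    m = re.search(r"<Response\b.*?</Response>", log_text, re.S)
    return m.group(0) if m else None


def parse_status(xml_text):
    """Read ID, Issuer, StatusCode and StatusMessage from a samlp:Response."""
    root = ET.fromstring(xml_text)
    ns = {"p": SAMLP, "a": SAML}
    issuer = root.find("a:Issuer", ns)
    code = root.find("p:Status/p:StatusCode", ns)
    msg = root.find("p:Status/p:StatusMessage", ns)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "status_code": code.get("Value") if code is not None else None,
        "status_message": msg.text.strip() if msg is not None and msg.text else None,
    }


def triage(log_text):
    """Classify which side failed and attach a hint; None if no Response is present."""
    xml_text = extract_response(log_text)
    if xml_text is None:
        return None
    info = parse_status(xml_text)
    # The last URN segment is the top-level status: Success, Requester, Responder, ...
    side = (info["status_code"] or "").rsplit(":", 1)[-1]
    info["side"] = side
    key = (info["status_message"] or "").rstrip(".").lower()
    if side == "Success":
        info["hint"] = "no action"
    elif side == "Responder":
        info["hint"] = TRIAGE_HINTS.get(key, "IdP-side failure: inspect the FedServer log")
    elif side == "Requester":
        info["hint"] = "SP/request-side failure: check the AuthnRequest and SP configuration"
    else:
        info["hint"] = "unrecognised status"
    return info


if __name__ == "__main__":
    for line in (SAMPLE_LOG, SAMPLE_OK, "no SAML response in this line"):
        print(triage(line))
```

Run over a real FedServer log, the script flags Responder-status responses whose message points at the signing step, which is exactly the condition that preceded the 403 here and the cue to verify the key pair in the CDS before redoing the transaction.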