
Error: Error Signing Assertion and 403 Forbidden in SAML Applications


Article ID: 7886


Products

CA Single Sign On Secure Proxy Server (SiteMinder); CA Single Sign On SOA Security Manager (SiteMinder); CA Single Sign-On SITEMINDER

Issue/Introduction

 

When accessing the SAML application URLs for an IdP-initiated
transaction, the browser displays a 403 Forbidden error and the Policy
Server logs the following, with the SAML Response carrying a Responder
status and no signed assertion:

  [31839/3992509296][Tue Jul 25 2017
  13:03:16][AssertionGenerator.java][ERROR][sm-FedServer-00130]
  postProcess() returns fatal error. <Response
  ID="_9068337c7b67a02d32f299d8358f112a23dc"
  IssueInstant="2017-07-25T13:03:16Z" Version="2.0"
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

  <ns1:Issuer
  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">http://www.abc.com/wps/portal</ns1:Issuer>

   <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <StatusMessage>Error Signing Assertion.</StatusMessage>
   </Status>
  </Response>

 

Environment

 

Policy Server 12.8.x on Red Hat 6, 64-bit;
Web Agent 12.52.x on Red Hat 6, 64-bit;
Web Agent Option Pack 12.52.x on Red Hat 6, 64-bit;

 

Cause

 

The private key held in the Certificate Data Store (CDS) and used to sign the assertion was corrupted. The assertion generator's post-processing therefore failed (sm-FedServer-00130), the IdP returned a Response with status urn:oasis:names:tc:SAML:2.0:status:Responder and the message "Error Signing Assertion.", and the user received a 403 Forbidden instead of being redirected to the Service Provider.

 

Resolution

 

Importing a new, functional private key (with its certificate) into the
CDS (Certificate Data Store) resolved the issue (1). Before importing,
confirm that the replacement private key parses and corresponds to its
certificate: a damaged key reproduces the same signing failure, and a key
that does not match the certificate produces assertions the Service
Provider cannot verify.
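The following script is an added example for the pre-import check described above; it is not part of this article or of the SiteMinder tooling, and the file names it takes are hypothetical. It uses only the openssl command line: it loads the private key, loads and validates the certificate, confirms the two carry the same public key, and then performs the sign/verify round trip that the assertion generator will perform, so a corrupted or mismatched key is caught before it is imported into the CDS with the procedure in (1).

```shell
#!/bin/sh
# check_signing_keypair.sh: sanity-check a PEM private key and its certificate
# before importing them into the SiteMinder CDS (the import itself is described
# in the Broadcom document linked under (1)).
# Added example; not part of the article or of the SiteMinder tooling.
# File names passed in are hypothetical.

# Usage: check_keypair <private-key.pem> <certificate.pem>
# Returns 0 when the key parses, the certificate is valid, the two match, and a
# sign/verify round trip succeeds; otherwise prints the reason and returns 1.
check_keypair() {
    key="$1"
    cert="$2"
    work=$(mktemp -d) || return 1

    # 1. The private key must load. A truncated or mis-encoded PEM file fails here,
    #    which is the failure mode behind "Error Signing Assertion".
    if ! openssl pkey -in "$key" -noout >/dev/null 2>&1; then
        echo "FAIL: private key $key cannot be parsed" >&2
        rm -rf "$work"; return 1
    fi

    # 2. The certificate must load and must not already be expired (-checkend 0).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate $cert cannot be parsed or has expired" >&2
        rm -rf "$work"; return 1
    fi

    # 3. The public key derived from the private key must equal the one in the
    #    certificate; otherwise the IdP signs with a key the SP cannot verify.
    openssl pkey -in "$key" -pubout -out "$work/from_key.pub" 2>/dev/null
    openssl x509 -in "$cert" -pubkey -noout > "$work/from_cert.pub" 2>/dev/null
    if ! cmp -s "$work/from_key.pub" "$work/from_cert.pub"; then
        echo "FAIL: private key does not match the certificate's public key" >&2
        rm -rf "$work"; return 1
    fi

    # 4. Exercise the key the way the assertion generator will: sign a SHA-256
    #    digest with the private key and verify it with the certificate's key.
    printf 'siteminder-signing-probe' > "$work/probe"
    if ! openssl dgst -sha256 -sign "$key" -out "$work/probe.sig" "$work/probe" >/dev/null 2>&1; then
        echo "FAIL: signing with $key failed" >&2
        rm -rf "$work"; return 1
    fi
    if ! openssl dgst -sha256 -verify "$work/from_cert.pub" \
            -signature "$work/probe.sig" "$work/probe" >/dev/null 2>&1; then
        echo "FAIL: signature made with $key does not verify against $cert" >&2
        rm -rf "$work"; return 1
    fi

    rm -rf "$work"
    echo "OK: $key and $cert form a working signing pair"
    return 0
}

# Run directly as: sh check_signing_keypair.sh idp-signing.key idp-signing.crt
if [ "$#" -ge 2 ]; then
    check_keypair "$1" "$2"
fi
```

Run it against the replacement key and certificate before the smkeytool import; only a pair that passes all four checks should be loaded into the CDS and selected as the signing key for the partnership.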

 

Additional Information

 

(1)

    Import Trusted Certificates and Key Certificate Pairs
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/key-and-certificate-management/import-trusted-certificates-and-key-certificate-pairs.html