
Expired Signing Certificate


Article ID: 74977




CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


We have several federation partnerships configured with the same IDP. As of March 23rd, the certificate provided by them expired, and probably since then the federation between them and us isn't working anymore. Does SiteMinder validate that the Signature certificate is valid before doing anything? We are getting these errors in the FWSTrace log file:
[processFailedAuthentication][SAML Assertion based user authentication failed.] [Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]



Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus


SiteMinder will not allow a SAML transaction to proceed if the signatures on signed documents, such as an assertion, cannot be verified, unless Signature Processing is disabled. An expired signing certificate will cause signature verification to fail. Please note that signature processing should only be disabled in non-production environments.
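
Because an expired partner signing certificate stops signature verification, it is worth checking the certificate's validity window before it lapses. The script below is an added example, not part of the original article or the product; it assumes the `openssl` CLI is installed and that the partner's signing certificate is available as a PEM file or as the base64 body of a `<ds:X509Certificate>` metadata element (function and file names are hypothetical).

```shell
#!/bin/sh
# Added example: classify a SAML partner's signing certificate by expiry.
# Assumes the openssl CLI is installed; file names are hypothetical.

WARN_DAYS=${WARN_DAYS:-30}   # warn when fewer than this many days remain

# Read the bare base64 body of a <ds:X509Certificate> metadata element on
# stdin and write it as a PEM certificate on stdout.
metadata_cert_to_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    tr -d ' \t\r\n' | fold -w 64
    printf '\n%s\n' '-----END CERTIFICATE-----'
}

# Print OK, EXPIRING, EXPIRED or UNREADABLE for the PEM file in $1.
# Returns 0 only for OK, so it can gate a monitoring job.
signing_cert_status() {
    pem=$1
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo UNREADABLE; return 2
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED; return 1
    fi
    if ! openssl x509 -in "$pem" -noout \
            -checkend "$((WARN_DAYS * 86400))" >/dev/null 2>&1; then
        echo EXPIRING; return 1
    fi
    echo OK
}

# Usage: sh check_signing_cert.sh idp-signing.pem [more.pem ...]
for f in "$@"; do
    status=$(signing_cert_status "$f") || true
    end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || true
    printf '%s: %s %s\n' "$f" "$status" "$end"
done
```

Run on a schedule against each partner's signing certificate, a non-`OK` result gives time to request a renewed certificate from the IDP before assertions start failing verification.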