Layer7 Access Management

Expand all | Collapse all

Error signing assertion (SAML 2.0)

  • 1.  Error signing assertion (SAML 2.0)

    Posted 08-27-2015 04:18 AM

    Hi There,

     

    We are having Federation partnership (Siteminder r12.0 SP3 with SPS as federation gateway) set up with a Service Provider. Initial flow during SP-initiated SAML authentication is happening correctly with IdP able to generate Assertion. However while trying to sign the assertion, Siteminder (IdP) is throwing below error in trace logs.

     

    **************************************************

     

    [08/27/2015][14:57:48][4560][32ccf3d4-06a1bb8c-4d75a099-019f9b5e-894a2deb-3e][AssertionGenerator.java][invoke][][][][][][][][No Plugin callout is configured.]

    [08/27/2015][14:57:48][4560][32ccf3d4-06a1bb8c-4d75a099-019f9b5e-894a2deb-3e][AssertionHandlerSAML20.java][postProcess][][][][][][][][Start to wrap-up the SAML2.0 response.]

    [08/27/2015][14:57:48][4560][32ccf3d4-06a1bb8c-4d75a099-019f9b5e-894a2deb-3e][AuthnRequestProtocol.java][closeupProcess][][][][][][][][POST signing option: 2]

    [08/27/2015][14:57:48][4560][32ccf3d4-06a1bb8c-4d75a099-019f9b5e-894a2deb-3e][ProtocolBase.java][SignOrEncryptAssertion][][][][][][][][Signing the Assertion with ID: _a8242057650ada73a23eefc18c03ec6b7900 ...]

    [08/27/2015][14:57:48][4560][32ccf3d4-06a1bb8c-4d75a099-019f9b5e-894a2deb-3e][ProtocolBase.java][SignOrEncryptAssertion][][][][][][][][Can not sign Assertion with ID: _a8242057650ada73a23eefc18c03ec6b7900  Error: Error in DSigSigner - Initializtion failed]

    [08/27/2015][14:57:48][4560][32ccf3d4-06a1bb8c-4d75a099-019f9b5e-894a2deb-3e][AuthnRequestProtocol.java][closeupProcess][][][][][][][][Failed to Sign Assertion.]

    [08/27/2015][14:57:48][4560][32ccf3d4-06a1bb8c-4d75a099-019f9b5e-894a2deb-3e][AssertionGenerator.java][invoke][][][][][][][][AssertionHandler postProcess() failed. Leaving AssertionGenerator.]

    [08/27/2015][14:57:48][4560][][SmJavaAPI.cpp:1229][JavaActiveExpression][][][][][][][][Active Expression evaluated for SmJavaAPI: JavaActiveExpression successfully invoked.  Parameter and result follow

     

    ****************************************************

     

    The same configurations are working fine in lower environment. However, when we took the configurations to higher environment, the same is breaking with above error is siteminder trace logs.

     

    We tried checking the smkeydatabase and we are able to list certs, import, export etc.

     

    Just wondering if anybody has face similar issue?

     

    Regards,

    Sanjay



  • 2.  Re: Error signing assertion (SAML 2.0)

    Posted 08-27-2015 09:15 PM

    Hi Sanjay,

     

    From the above snippet of logs, it seems like the certificate used to sign the assertion failed to load. Please assign a different certificate and see if that work.

     

    Best regards,

    Kelly



  • 3.  Re: Error signing assertion (SAML 2.0)

    Posted 08-27-2015 10:43 PM

    Thanks kelly,

     

    We had similar suspicion. We actually tried using the dev certificate which worked in dev environment however faced same error.



  • 4.  Re: Error signing assertion (SAML 2.0)

    Posted 08-28-2015 01:58 PM

    sanjay sanjay.bhatt2

     

    What alias is being used in the affiliate domain object for sign the assertion.

     

    • Could you check if you have defined 'defaultenterpriseprivatekey' alias for a key/pair; even though you need not necessarily use 'defaultenterpriseprivatekey' alias. Also ensure 'defaultenterpriseprivatekey' alias has a non-expired key/pair.

     

    • Could you check, you've patched PS + WAOP, JDK with unlimited crypto JCE patches.

     

     

    Another option would be to backup your existing smkeydatabase folder. Then recreate a new smkeydatabase and reimport the certs / key-pairs.

     

     

    Regards

     

    Hubert



  • 5.  Re: Error signing assertion (SAML 2.0)

    Posted 08-31-2015 09:42 AM

    Thanks Hubert for your reply..we do have defaultprivatekey in smkeydatabase. Not sure about the jce patch but reckon that should have same impact on both the environments. However as I mentioned same thing is working in dev environment. I agree with the smkeydatabase recreate option as the last resort. Have actually reopened support ticket, will keep posted on the progress. Thanks once again.