Symantec Access Management

  • 1.  SAML signing certificate Expire - HTTP DEBUG TOOLS

    Posted Oct 12, 2019 05:52 AM
    Edited by goutham reddy Anireddy Oct 12, 2019 05:51 AM
    Hi All,

    Could anyone let me know if it's possible to identify/check the SAML signing certificate expiry details from any HTTP debug tool like Fiddler?

    1. In my case, my certificate has expired at the IDP end and I am getting a 500 error at the browser level.
    2. For reference, the Fiddler trace is attached.
      • smps.log
        • [10/12/2019][17:26:33][][Failed to Sign Assertion. Unmatched braces in the pattern.][][][][][][][][][1944][140298973857536][][]
    I just want to know whether, without checking logs, it is possible to see the expiry details of the SAML certificate from the browser itself.




    ------------------------------
    Regards,
    Gowtham.
    ------------------------------




  • 2.  RE: SAML signing certificate Expire - HTTP DEBUG TOOLS
    Best Answer

    Broadcom Employee
    Posted Oct 14, 2019 02:17 AM
    Hi Goutham,

    Usually, a signed assertion carries the certificate with it. That said, with the Fiddler tool you can get the assertion. Many times it will be the value of the SAMLResponse. Note that the value of the SAMLRequest can also carry a certificate if you have configured the request to be signed. If you can decode the assertion, then you'll get access to the certificate, which you can make human readable to see the expiration date. The Policy Server will check that the one it has in its Certificate Data Store is the same as the one present in the assertion.

    There are many tools to decode the assertion. If the assertion is in the SAMLResponse, then you first need to URL-decode it:

    https://meyerweb.com/eric/tools/dencoder/

    Then you'll need to base64-decode the assertion to get the value and the certificate. One of these tools is this one:

    https://www.samltool.com/decode.php

    Finally, with OpenSSL, you can decode the certificate you'll find in it:

    openssl x509 -in cert.crt -text -noout

    But in your idp-certificate expire casestudy.saz, no assertion is visible. So you need to set full tracing on the Policy Server profiler in order to see which certificate (alias) is in use for that transaction, and then check its content using the AdminUI, for example.

    I hope this helps,

    Best Regards,
    Patrick


  • 3.  RE: SAML signing certificate Expire - HTTP DEBUG TOOLS

    Broadcom Employee
    Posted Oct 14, 2019 07:00 PM
    When signing the assertion fails, no assertion is sent out; that is the reason there is no assertion found in Fiddler.
    Your error says "Unmatched braces in the pattern.", which could be caused by a custom assertion generator, because this shouldn't happen with an OOTB configuration.
    I am not sure if this can be caused by () in the SPID, as I have not seen or tried this before.

    If this is not a custom assertion generator issue, or if the () in the SPID is not causing the error, I would suggest opening a support ticket to pursue it.

    And to answer your question: you should only be able to verify whether the certificate has expired or not when you obtain the certificate itself.
    The easiest way to check is to save the BASE64 certificate information from the assertion to a separate file and give it a .crt or .cer extension.
    Double-click on it on the Windows platform and you will get the certificate window, where you can view the details.



    ------------------------------
    Support Engineer 5
    Broadcom
    ------------------------------
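
A stdlib-only Python version of the decode-and-inspect steps Patrick and Kim describe above (URL-decode the SAMLResponse, base64-decode it, pull out the ds:X509Certificate, read its expiry), added here as an example and not part of this thread or of the SiteMinder product. It walks the DER just far enough to reach the validity notAfter field (what `openssl x509 -text` prints as "Not After"); the sample input is a constructed DER skeleton wrapped the way a POST-binding response carries it, not a real certificate, and on a captured trace you would pass the SAMLResponse form value instead.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def extract_certs(saml_response_param):
    """URL-decode, then base64-decode, a SAMLResponse form value; return the DER of each ds:X509Certificate."""
    root = ET.fromstring(base64.b64decode(urllib.parse.unquote(saml_response_param)))
    return [base64.b64decode("".join((el.text or "").split()))     # strip PEM-style line breaks
            for el in root.iter("{%s}X509Certificate" % DS_NS)]

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as a UTC datetime."""
    _, pos, _ = _tlv(der, _tlv(der, 0)[1])              # Certificate SEQ, then tbsCertificate SEQ
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = end
    for _ in range(3): _, _, pos = _tlv(der, pos)       # skip serialNumber, signature, issuer
    _, _, pos = _tlv(der, _tlv(der, pos)[1])            # enter validity SEQ, skip notBefore
    tag, start, end = _tlv(der, pos)                    # notAfter: UTCTime 0x17 or GeneralizedTime 0x18
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expired_certs(saml_response_param, now=None):
    now = now or datetime.now(timezone.utc)             # [(notAfter, is_expired)] per signing cert
    return [(na, na <= now) for na in map(cert_not_after, extract_certs(saml_response_param))]

def _der(tag, payload): return bytes([tag, len(payload)]) + payload   # short-form lengths suffice here

def sample_saml_response(not_after):
    """Constructed demo input, NOT a real or signed certificate: a DER skeleton (version, serial, sigalg,
    empty issuer, validity) with the given UTCTime notAfter, base64- then URL-encoded like a SAMLResponse."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) + _der(0x30, b"")
           + _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, not_after.encode())))
    cert_b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    xml = ('<Response><ds:Signature xmlns:ds="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
           '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></Response>' % (DS_NS, cert_b64))
    return urllib.parse.quote(base64.b64encode(xml.encode()).decode(), safe="")
```

As Kim notes, this only works when the IdP actually emitted a signed response; a trace without a SAMLResponse (the case in this thread) gives the walker nothing to read.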



  • 4.  RE: SAML signing certificate Expire - HTTP DEBUG TOOLS

    Posted Oct 17, 2019 08:23 AM
    Hi Patrick/Kim,

    Thank you very much for your replies.
    For my question on seeing the certificate information, it is clear now.

    1. So in general, an assertion should be returned even when the certificate is expired, and we can check the certificate information from the assertion.
    2. In my case, it seems assertion generation is failing when the certificate is expired.
      • I am not using any custom assertion generator, just OOTB (apache RP <----> tomcat (webservices) <------> siteminder).
      • As mentioned by Kim, maybe the issue is with () in the SPID.
    I will test without () in the SPID with an expired certificate and will post my findings.


    ------------------------------
    Regards,
    Gowtham.
    ------------------------------



  • 5.  RE: SAML signing certificate Expire - HTTP DEBUG TOOLS

    Posted Oct 17, 2019 10:29 AM
    Possibly you can request an enhancement to the Negative Assertion feature, which currently only returns a response when authentication fails at the IdP end.


  • 6.  RE: SAML signing certificate Expire - HTTP DEBUG TOOLS

    Posted Oct 19, 2019 10:34 AM
    Hi All,

    It seems the issue is not with () in the SPID.
    Tested without (), still the same error. OOTB (version 12.8 SP3): when the SSL certificate has expired, the assertion is not generated.
    Maybe it will be fixed in upcoming versions.

    ------------------------------
    Regards,
    Gowtham.
    ------------------------------



  • 7.  RE: SAML signing certificate Expire - HTTP DEBUG TOOLS

    Broadcom Employee
    Posted Oct 21, 2019 10:48 PM
    I am pretty positive you got me wrong :)

    It should not matter which version you are using.
    As long as the signing certificate has expired, you do not get the assertion out to the SP. You SHOULD NOT get the assertion out, because your certificate expired and no one should trust your signature now.

    "So in general, assertion should be returned even when certificate is expired and we can check the certificate information from assertion."

    This is where you got me wrong.
    Step 1: The assertion would be generated regardless of whether your certificate is expired or not.
    Step 2: When trying to sign the assertion, it is found that the signing certificate has expired, thus it is unable to sign.
    Step 3: As the signed version of the assertion is not generated, the signed assertion does not get sent to the SP.

    If you tested without the () characters, that is nice. So SiteMinder allows those characters then.
    But that could be a different problem if it worked prior to signing certificate getting expired.

    Going back to your original question: "Could any one let know, if it's possible to identify/check SAML signing certificate expire details from any HTTP DEBUG tools like (fiddler)."

    The answer is a NO, because the assertion did not get passed on to the federation web services, since the signed version of the assertion was not generated.

    The error you shared, "Unmatched braces in the pattern.", I have not encountered that before so I do not know why you would only get it when the signing certificate expired.

    @Kaladhar Brahmanapally mentioned Negative Assertion. It is something you can consider. Instead of ending with an HTTP 500, you can actually send an assertion telling the other entity that the SAML token was not generated. It sends an assertion, but not for the SSO; it informs the other side of the error status.



    ------------------------------
    Support Engineer 5
    Broadcom
    ------------------------------