403 Forbidden error while Accessing SAML Applications

Document ID : KB000007886
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

We are getting below errors while trying to access the SAML application URLs for an IDP initiated transaction. The error displayed on the browser is a 403 Forbidden error:

[31839/3992509296][Tue Jul 25 2017 13:03:16][AssertionGenerator.java][ERROR][sm-FedServer-00130] postProcess() returns fatal error. <Response ID="_9068337c7b67a02d32f299d8358f112a23dc" IssueInstant="2017-07-25T13:03:16Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">http://www.abc.com/wps/portal</ns1:Issuer>

<Status>

<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>

<StatusMessage>Error Signing Assertion.</StatusMessage>

</Status>

 

</Response>

Environment:
Policy Server : 12.52.x on RedHat 6 64 bit Web Agent and Web Agent Option Pack : 12.52.x on RedHat 6 64 bit
Cause:

The keys that was used to sign the assertion were corrupted.

Resolution:

Importing new functional private keys into CDS (Certificate Data Store) resolved the issue.

Instructions can be found here :

 

Import Trusted Certificates and Key Certificate Pairs

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/key-and-certificate-management/import-trusted-certificates-and-key-certificate-pairs