Cannot do an SP-initiated transaction using a cert that contains non-ASCII chars.

Document ID : KB000007957
Last Modified Date : 14/02/2018
Issue:

When doing an SP-initiated transaction with the AuthnRequest signed by a third party, it works fine if the third party uses a standard cert, but it fails when the cert contains non-ASCII chars in the IssuerDN.

From the SP logs/traces generated : 

 

FWSTrace: 

[07/12/2016][09:38:22][4484][1176][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1] 

[07/12/2016][09:38:22][4484][1176][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][AssertionConsumer.java][redirectLoginFailure][AuthReason=50] 

[07/12/2016][09:38:22][4484][1176][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][AssertionConsumer.java][redirectLoginFailure][Redirect Mode="0" URL="null"] 

[07/12/2016][09:38:22][4484][1176][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500] 

[07/12/2016][09:38:22][4484][1176][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: 156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7 failed. Reason: ACS_FAILED_PROCESS_FAILURE] 

 

-- 

smtraces (PS) 

[2108][3112][07/12/2016][15:08:22][15:08:22.752][Getting Assertion by ID: _f571d44e26039fb37b2efb38c609a1e4fb1e][Saml2Validator.java][checkAssertion][][][][][][][][][][][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 

[2108][3112][07/12/2016][15:08:22][15:08:22.759][Could not get certificate from trusted key database (IssuerName: CN="Toto titi/emailAdress=toto@test.se", O=MyNetwork AB, L=Trollhättan, ST=Västra Götalands Län, C=SE Serial Number: a123456) ][Saml2Validator.java][verifyXML][][][][][][][][][][][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 

[2108][3112][07/12/2016][15:08:22][15:08:22.760][Exception while verifying signature: 

This issue can also occur when signing an assertion with certs containing non-ASCII chars.

Environment:
IDP: SiteMinder 12.52.104.2032 on Windows 2008 R2; SP: custom SP
Resolution:

This issue is fixed in R12.52 SP1 CR06:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr06#DefectsFixedin12.52SP1CR06-PolicyServer

 

Encrypting the assertion throws an error on the IDP side when the cert contains non-ASCII characters in the IssuerDN.

00370648 - DE197591

00449759 - DE187115

00413584 - DE172081

00380676 - DE163488

00337693 - DE156901

00328269 - DE144249

00444984 - DE186346
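As an added pre-upgrade check (written for this page, not part of the KB article and not SiteMinder code): a stdlib-only DER walker that decodes an X.509 issuer Name and lists the attributes whose values are not 7-bit ASCII, which is the condition that triggered the trusted-key-database lookup failure in the smtraces excerpt above. The sample Name is constructed here from the IssuerName in that trace; the OID table and string-tag codecs are the standard X.520/ASN.1 ones.

```python
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x07": "L",
        b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}
CODECS = {0x13: "ascii", 0x16: "ascii", 0x0c: "utf-8", 0x1e: "utf-16-be", 0x14: "latin-1"}  # DER string tag -> codec

def der(tag, body):
    """Encode one DER TLV (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv(buf, i):
    """Read the TLV at buf[i]; return (tag, value bytes, offset after it)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                       # long form: n & 0x7f length bytes follow
        k = n & 0x7f
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def parse_name(name_der):
    """Decode a DER X.509 Name into [(attr, value, string tag)] in encoded order."""
    tag, rdns, _ = tlv(name_der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE of RDNs"
    out, i = [], 0
    while i < len(rdns):
        _, rdn, i = tlv(rdns, i)           # SET OF AttributeTypeAndValue
        j = 0
        while j < len(rdn):
            _, pair, j = tlv(rdn, j)       # SEQUENCE { type OID, value }
            _, oid, k = tlv(pair, 0)
            vtag, val, _ = tlv(pair, k)
            out.append((OIDS.get(oid, oid.hex()), val.decode(CODECS[vtag]), vtag))
    return out

def non_ascii_attrs(name_der):
    """Attributes whose value is not 7-bit ASCII: the certs this KB defect affects."""
    return [(a, v) for a, v, _ in parse_name(name_der) if not v.isascii()]

def atv(oid, text):
    """Build one RDN, PrintableString for ASCII text and UTF8String otherwise."""
    tag, data = (0x13, text.encode("ascii")) if text.isascii() else (0x0c, text.encode("utf-8"))
    return der(0x31, der(0x30, der(0x06, oid) + der(tag, data)))

# Constructed sample (not a real cert) modelled on the IssuerName in the trace.
SAMPLE_ISSUER = der(0x30, b"".join(atv(o, v) for o, v in [
    (b"\x55\x04\x06", "SE"), (b"\x55\x04\x08", "Västra Götalands Län"),
    (b"\x55\x04\x07", "Trollhättan"), (b"\x55\x04\x0a", "MyNetwork AB"),
    (b"\x55\x04\x03", "Toto titi")]))
```

To run it against a real certificate, pass the issuer's DER bytes (for example `cert.issuer.public_bytes()` from the cryptography library) to `non_ascii_attrs`; any non-empty result is a cert to test against R12.52 SP1 CR06 or later.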