Exception processing signature: Error in DSigVerifier - Unsupported Signing Algorithm

Document ID : KB000005927
Last Modified Date : 14/02/2018
Issue:

We are having an issue with the Digital Signature processing during an SP-initiated (AuthN request) flow. SiteMinder is acting as the IdP.

The SP public cert has MD5RSA as its signing algorithm. This is an integration with Oracle Cloud (acting as SP).

SiteMinder is throwing the error below while verifying the signature of the authentication request.

AffWeb logs:

[8680/8240][Thu Feb 23 2017 08:31:57][SSO.java][ERROR][sm-FedClient-02890] Transaction with ID: 84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a failed. Reason: FAILED_INVALID_RESPONSE_RETURNED (, , )

FWS trace:

[02/23/2017][08:31:57][8680][8240][84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]

[02/23/2017][08:31:57][8680][8240][84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a][SSO.java][processAssertionGeneration][Transaction with ID: 84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]

[02/23/2017][08:31:57][8680][8240][84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]

SMPS logs:

[2172/6208][Thu Feb 23 2017 08:31:56][AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error. <Response ID="_2e805f12343e568be67ab3ef93c663953cfd" InResponseTo="id-gVvQeec4Hj3FiiXL9aXMj8FArymCxHs1i2Ru2dGm" IssueInstant="2017-02-23T13:31:56Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">oracle_sp</ns1:Issuer>

<Status>

<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>

<StatusMessage>Exception processing signature.</StatusMessage>

</Status>

</Response>

SM Profiler logs:

[02/23/2017][08:31:56][6208][84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a][AuthnRequestProtocol.java][verifySignatureOnRequest][][][][][][][][Exception processing signature: Error in DSigVerifier - Unsupported Signing Algorithm]

[02/23/2017][08:31:56][6208][84f13757-80279a5b-beacb4ea-2792c770-25ecf6e8-a][AssertionGenerator.java][invoke][][][][][][][][AssertionHandler preProcess() failed. Leaving AssertionGenerator.]

Environment:

Policy server: R12.52 SP1 CR02

Cause:

MD5RSA is not a signing algorithm that SiteMinder supports, which is why signature verification fails with this error.

Resolution:

SiteMinder supports the following signing algorithms:

RSAwithSHA1 

RSAwithSHA256 

Use one of the supported signing algorithms to avoid this issue.

Additional Information:

In an IdP-->SP partnership, the IdP signs assertions, responses and SLO-SOAP messages with the RSAwithSHA1 or the RSAwithSHA256 algorithm.

In an SP-->IdP partnership, the SP signs authentication requests and SLO-SOAP messages with the RSAwithSHA1 or the RSAwithSHA256 algorithm.

Signature verification automatically detects which algorithm is in use on a signed document, then verifies it. No configuration for signature verification is required.
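The following is an added example, not code from SiteMinder or from this article: a pre-flight check that reads the signature algorithm a signed AuthnRequest declares (embedded ds:SignatureMethod for the POST binding, SigAlg query parameter for the Redirect binding) and compares it with the two supported algorithms. The mapping of RSAwithSHA1 and RSAwithSHA256 to the standard XML-DSig URIs, the function names, and the sample request and URL are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Assumption: the article's algorithm names mapped to their XML-DSig URIs.
SUPPORTED = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSAwithSHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSAwithSHA256",
}

def sig_alg_from_xml(xml_text):
    """Return the SignatureMethod URI of an embedded ds:Signature (POST binding)."""
    # SAML messages never need a DTD; refuse one before handing text to the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in SAML message")
    node = ET.fromstring(xml_text).find(f".//{DS}SignedInfo/{DS}SignatureMethod")
    return node.get("Algorithm") if node is not None else None

def sig_alg_from_redirect(url):
    """Return the SigAlg query parameter (HTTP-Redirect binding)."""
    values = parse_qs(urlsplit(url).query).get("SigAlg")
    return values[0] if values else None

def check(uri):
    """Classify a signature algorithm URI as (ok, label)."""
    if uri is None:
        return (False, "unsigned")
    if uri in SUPPORTED:
        return (True, SUPPORTED[uri])
    return (False, "unsupported: " + uri)

# Constructed sample: AuthnRequest whose signature declares RSA with MD5.
SAMPLE_POST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="id-constructed" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
  </ds:SignedInfo></ds:Signature>
</samlp:AuthnRequest>"""
# Constructed sample: Redirect-binding URL signed with RSA with SHA-256.
SAMPLE_REDIRECT = ("https://idp.example.test/sso?SAMLRequest=constructed"
                   "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256")

if __name__ == "__main__":
    print(check(sig_alg_from_xml(SAMPLE_POST)))
    print(check(sig_alg_from_redirect(SAMPLE_REDIRECT)))
```

This check covers only the algorithm declared on the message signature; the signature algorithm of the SP certificate itself has to be inspected separately.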