Expired Signing Certificate

Document ID: KB000074977
Last Modified Date: 28/03/2018
Question:
We have several federation partnerships configured with the same IDP. As of March 23rd, the certificate provided by them expired, and probably since then the federation between them and us isn't working anymore. Does SiteMinder validate that the signature certificate is valid before doing anything? We are getting these errors in the FWSTrace log file:
[processFailedAuthentication][SAML Assertion based user authentication failed.] [Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]

Answer:
SiteMinder will not allow a SAML transaction to proceed if the signatures on signed documents such as an assertion cannot be verified, unless Signature Processing is disabled. An expired signing certificate will cause signature verification to fail. Please note that signature processing should only be disabled in non-production environments.
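The practical check behind this answer is the notAfter date of the IdP signing certificate that the partnership was configured with (the base64 DER published in the partner's metadata `<ds:X509Certificate>` element). The script below is an added example, not SiteMinder or CA code: a stdlib-only walk of the X.509 Validity field that reports whether, on a given date, signature verification would fail because the certificate has expired. The sample certificate it runs against is constructed in-line (an unsigned skeleton carrying only the fields the parser reads) so it works offline.

```python
import base64
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length (0x81, 0x82, ...)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag, value):
    """Decode UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("20" if int(s[:2]) < 50 else "19") + s   # RFC 5280 UTCTime pivot
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)               # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)           # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)               # issuer Name
    _, validity, _ = _tlv(tbs, pos)          # validity SEQUENCE
    t1, nb, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    return _asn1_time(t1, nb), _asn1_time(t2, na)

def check_signing_cert(b64_der, now=None):
    """Expiry report; `now` is a tz-aware datetime, an ISO date string, or None (current time)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    not_before, not_after = cert_validity(base64.b64decode(b64_der))
    return {"not_after": not_after.isoformat(), "expired": now > not_after,
            "days_left": (not_after - now).days}

# Constructed sample: an unsigned certificate skeleton with only the fields the
# parser walks (valid 2017-03-23 to 2018-03-23); not a real IdP certificate.
def _der(tag, body):
    return bytes([tag, len(body)]) + body    # short-form length (body < 128 bytes)
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
            + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
            + _der(0x30, b"") + _der(0x30, _der(0x17, b"170323000000Z")
                                       + _der(0x17, b"180323000000Z")))
SAMPLE_B64 = base64.b64encode(_der(0x30, _tbs)).decode()
```

Run against the real base64 from the partner's metadata, a negative `days_left` is exactly the condition the FWSTrace SSO_LOGINFAILURE_RSP error in the question points at; a small positive value is the cue to arrange the partner's certificate rollover before the failure occurs.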