Identity Provider is getting the error, "Error Signing Assertion.", when trying to sign assertions.

Document ID : KB000024462
Last Modified Date : 14/02/2018

Description:

Background:

The certificate appeared to import into the smkeydatabase without error.

Logs showed:

POLICY SERVER SMPS.LOG:

     <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">www.company.com</ns1:Issuer>
     <Status>
         <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
         <StatusMessage>Error Signing Assertion.</StatusMessage>
     </Status>

POLICY SERVER PROFILER LOG:

[18:13:29][Signing the Assertion with ID: _2cdd8dc736b769999e944316a6345d789bac...][ProtocolBase.java][29488][2527005616][01/15/2009][18:13:29.611][SignOrEncryptAssertion][e199315c-da90d4be-9e005a50-2c3ab0b9-1aff0dcb-62]
[18:13:29][Can not sign Assertion with ID: _2cdd8dc736b769999e944316a6345d789bac Error: Error in DSigSigner - Initializtion failed][ProtocolBase.java][29488][2527005616][01/15/2009][18:13:29.611][SignOrEncryptAssertion][e199315c-da90d4be-9e005a50-2c3ab0b9-1aff0dcb-62]
[18:13:29][Failed to Sign Assertion.][AuthnRequestProtocol.java][29488][2527005616][01/15/2009][18:13:29.611][closeupProcess][e199315c-da90d4be-9e005a50-2c3ab0b9-1aff0dcb-62]

LOG:

January 16, 2009 8:10:43.843 PM[16602326:I] Created Tunnel Service instance for class: com.netegrity.saml2ps.tunnel.SAMLSPbyIDTunnelService
January 16, 2009 8:10:45.115 PM[26335425:I] Created Active Expression instance for class: com.netegrity.assertiongenerator.AssertionGenerator
[Error] cvc-elt.1: Cannot find the declaration of element 'RVARS'.
Caught XMLDocumentOpsException while instantiating XMLDocumentOps: Caught exception while instantiating SMKeyDatabase: Unable to get list of certificates. Exception Message: NativeDB.close: unable to close data4(a CodeBase method is called in an incorrect manner).
January 16, 2009 8:10:45.806 PM[26335425:Active Expression Context] Elapsed time to process invoke on class: com.netegrity.assertiongenerator.AssertionGenerator is: 691.0 milliseconds

TROUBLESHOOTING STEPS:

Import the PKCS#12 (.p12) key/certificate file into Internet Explorer on Windows to validate it, then re-export it from IE to ensure it is in a valid PKCS#12 format. Add it to the smkeydatabase using:

smkeytool -addPrivKey -alias <alias> -keycertfile <P12 key_cert_file>

Solution:

The assertion signing issue was resolved:

The customer had a permissions problem on the files in their smkeydatabase directory, so the smkeydatabase was not being created properly, even though smkeytool did not complain when importing the certificate or when listing it. Once the file permissions were corrected, the "Error Signing Assertion" error went away.

A successful import or certificate listing therefore does not prove the database is usable by the Policy Server process: the smkeydatabase files must be readable and writable by the account the Policy Server runs as, not only by the account that ran smkeytool.
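The two checks above (is the exported file really a PKCS#12 container, and can the Policy Server account actually read and write the smkeydatabase files) can be scripted. The following is an added example written for this article, not CA/Netegrity code. It assumes the smkeydatabase is an ordinary directory of files, that the Policy Server runs as a dedicated service uid/gid (supplementary group membership is ignored), and that a PKCS#12 file is a DER SEQUENCE whose first element is the INTEGER version 3; the directory and file names it creates are constructed for the demonstration.

```python
"""Sanity checks for a SiteMinder smkeydatabase directory (added example)."""
import os
import stat
import tempfile
from pathlib import Path


def pkcs12_header_ok(data: bytes) -> bool:
    """Cheap structural test of a PKCS#12 (PFX) blob: an outer DER SEQUENCE
    whose first element is INTEGER 3 (the PFX version). This catches the
    common mistake of feeding smkeytool a PEM file or a bare DER certificate
    instead of a real .p12/.pfx; it does not verify the MAC or the password."""
    if len(data) < 5 or data[0] != 0x30:          # must start with SEQUENCE
        return False
    first = data[1]
    if first & 0x80:                               # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        pos = 2 + n
    else:                                          # short-form length
        length = first
        pos = 2
    if len(data) - pos != length:                  # truncated or trailing garbage
        return False
    return data[pos:pos + 3] == b"\x02\x01\x03"    # INTEGER, length 1, value 3


def audit_keydb_permissions(keydb_dir, service_uid: int, service_gid: int):
    """Return a list of problems that would stop the Policy Server account from
    using the smkeydatabase: files or directories whose mode bits do not grant
    that account read+write (plus search on directories). A root-owned 0600
    file lists fine when smkeytool is run as root but fails at signing time
    under the service account, which is the situation the article describes."""
    problems = []
    root = Path(keydb_dir)
    if not root.is_dir():
        return [f"{root}: not a directory"]
    for p in [root, *root.rglob("*")]:
        st = p.lstat()
        mode = stat.S_IMODE(st.st_mode)
        # pick the permission class the service account falls into
        if st.st_uid == service_uid:
            r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
        elif st.st_gid == service_gid:
            r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
        else:
            r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
        need = r | w | (x if p.is_dir() else 0)
        if mode & need != need:
            problems.append(
                f"{p}: mode {oct(mode)} (uid={st.st_uid} gid={st.st_gid}) does not "
                f"grant rw{'x' if p.is_dir() else ''} to service uid={service_uid} gid={service_gid}"
            )
    return problems


def demo():
    """Constructed scenario: a keydb directory owned by the current user with a
    0600 data file. It audits clean for the current uid/gid but reports both the
    directory and the file when audited for a different service account."""
    with tempfile.TemporaryDirectory() as tmp:
        keydb = Path(tmp) / "smkeydatabase"           # assumed layout, not CA's
        keydb.mkdir()
        (keydb / "keys.dat").write_bytes(b"constructed placeholder, not a real key store")
        os.chmod(keydb, 0o700)
        os.chmod(keydb / "keys.dat", 0o600)
        same_user = audit_keydb_permissions(keydb, os.getuid(), os.getgid())
        other_user = audit_keydb_permissions(keydb, os.getuid() + 1, os.getgid() + 1)
    return same_user, other_user


if __name__ == "__main__":
    print("valid PFX header:", pkcs12_header_ok(b"\x30\x06\x02\x01\x03\x30\x01\x00"))
    print("PEM mistaken for p12:", pkcs12_header_ok(b"-----BEGIN CERTIFICATE-----\n"))
    ok, bad = demo()
    print("same account:", ok)
    print("other account:", *bad, sep="\n  ")
```

In practice, run `pkcs12_header_ok` on the bytes of the file you intend to pass to `-keycertfile`, and run `audit_keydb_permissions` on the real smkeydatabase directory with the uid/gid of the Policy Server's service account (looked up with `pwd`/`grp`) rather than the account you are logged in as; the point of the audit is precisely that the importing account and the signing account may differ.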