Signed SP Initiated Request: Signature verification failing at 3rd party IDP

Document ID : KB000044490
Last Modified Date : 14/02/2018

Issue: 

CA Federation is acting as the SP and a 3rd party vendor product as the IdP. The SP successfully sends a signed AuthnRequest (HTTP-Redirect binding) to the 3rd party IdP, and the IdP returns an error response: 

 

[AUTHNREQUEST BEING SENT] 

[05/24/2016][18:42:34][3332][3504][125588e0-487b7bcb-1fbd2ec3-33b4c64b-5ff252f7-1522][AuthnRequest.java][processRequest][AuthnRequest: SAMLRequest=fZBPa…………………cx31ctHbRfJJgHU5g5WgPHwE1018lnvtQaT9iEHKW6Tk5Kn%2F5gopnjR8qVYHP%2BL4cwouT4FgER9ODzTP%2F1GIJpA%3D%3D] 

 

 

[ERROR RESPONSE FROM IDP] 

[05/24/2016][18:42:34][3332][3504][1f646105-88e3dad2-e7d88387-b89275a1-c610cfd6-3ca][AssertionConsumer.java][processSAMLResponse][SAMLResponse: <?xml version="1.0" encoding="UTF-8"?> 

<saml2p:Response ID="gfbgjhghgjhg878767896ibooagaeajjghbedgie" InResponseTo="_22b55ac3011085ee9fea857e2483f59b3ef2" IssueInstant="2016-05-24T18:40:43.040Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">MYIDP</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/><saml2p:StatusMessage>Can not verify digital signature</saml2p:StatusMessage></saml2p:Status></saml2p:Response>] 

 

 

Environment:  

Any and all versions of CA Federation acting as a SAML 2.0 Service Provider.

 

Cause: 

This 3rd party IdP was custom code. It verified the signature over just the content of the SAMLRequest parameter. We double-checked and confirmed that, for a signed SP-initiated request sent with the HTTP-Redirect binding, the signed data is the URL-encoded query string SAMLRequest=value&RelayState=value&SigAlg=value (RelayState is omitted when the SP sends none), not just the SAMLRequest parameter value. The verifier has to rebuild that string from the parameters exactly as they were received, in that order and without decoding and re-encoding them, and check the Signature parameter against it.
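The following script is an added example, not code from the CA KB article, CA Federation or the vendor's IdP. It builds a signed HTTP-Redirect AuthnRequest the way an SP does, shows the exact byte string the Signature covers, and verifies it both the correct way (SAMLRequest, RelayState and SigAlg as received) and the broken way described above (SAMLRequest value only). The AuthnRequest, issuer, endpoints and RelayState are constructed placeholders, and the RSA PKCS#1 v1.5 routines are a minimal stand-in included only so the script runs on the Python standard library; real code uses a vetted crypto library for the primitive.

```python
import base64
import hashlib
import math
import random
import zlib
from urllib.parse import quote, unquote, urlencode

SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed AuthnRequest; ID, issuer and destination are placeholders
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" '
    'Version="2.0" IssueInstant="2016-05-24T18:42:34Z" '
    'Destination="https://idp.example.test/sso">'
    '<saml:Issuer>https://sp.example.test/saml</saml:Issuer></samlp:AuthnRequest>'
)


# Minimal RSA PKCS#1 v1.5 with SHA-256: a stand-in so no third-party library
# is needed. Production code uses a vetted crypto library instead.
def _is_probable_prime(n, rng, rounds=16):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_key(bits=1024, seed=1):
    """Returns ((n, e), (n, d)); seeded so the example is reproducible."""
    rng = random.Random(seed)

    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c, rng):
                return c

    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _emsa(data, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(priv, data):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(data, k), "big"), d, n).to_bytes(k, "big")


def rsa_verify(pub, data, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(data, k)


def encode_saml_request(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode("utf-8")) + c.flush()).decode("ascii")


def signed_data(saml_request, relay_state, sig_alg):
    """The exact string the Signature covers (SAML 2.0 Bindings 3.4.4.1):
    URL-encoded SAMLRequest, then RelayState only if present, then SigAlg."""
    parts = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return urlencode(parts, safe="", quote_via=quote)


def build_redirect_query(priv, xml, relay_state, sig_alg=SIG_ALG_RSA_SHA256):
    """SP side: the signed data with the Signature parameter appended last."""
    data = signed_data(encode_saml_request(xml), relay_state, sig_alg)
    sig = base64.b64encode(rsa_sign(priv, data.encode("ascii"))).decode("ascii")
    return data + "&Signature=" + quote(sig, safe="")


def raw_params(query):
    """Split without percent-decoding: the signature covers the values exactly
    as received, so the verifier must not decode and re-encode them."""
    return dict(kv.split("=", 1) for kv in query.split("&"))


def verify_redirect_query(pub, query):
    """Correct IdP-side check: SAMLRequest[&RelayState]&SigAlg, as received."""
    p = raw_params(query)
    data = "&".join(f"{k}={p[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg") if k in p)
    return rsa_verify(pub, data.encode("ascii"), base64.b64decode(unquote(p["Signature"])))


def verify_request_value_only(pub, query):
    """The broken check from the article: signature checked over the
    SAMLRequest value alone, ignoring RelayState and SigAlg."""
    p = raw_params(query)
    sig = base64.b64decode(unquote(p["Signature"]))
    return rsa_verify(pub, unquote(p["SAMLRequest"]).encode("ascii"), sig)


def demo(seed=1):
    pub, priv = generate_rsa_key(seed=seed)
    query = build_redirect_query(priv, AUTHN_REQUEST, "https://sp.example.test/app?x=1")
    # an attacker swapping the RelayState must also break the signature
    evil = query.replace(raw_params(query)["RelayState"], quote("https://evil.example.test/", safe=""))
    return {
        "spec_check": verify_redirect_query(pub, query),
        "value_only_check": verify_request_value_only(pub, query),
        "spec_check_after_relaystate_tamper": verify_redirect_query(pub, evil),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'Can not verify digital signature'}")
```

Run as-is, the spec-conformant check passes, the value-only check fails with the same outcome the IdP in this case reported, and the check also fails once the RelayState is altered, which is why the binding includes RelayState and SigAlg under the signature in the first place.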

 

 

Resolution:

The 3rd party IdP adjusted its code so that signature verification of the AuthnRequest is performed over the signed data as the SP actually constructs it: the SAMLRequest, RelayState and SigAlg parameters, not the SAMLRequest value alone.

 

  

Additional Information:

 Not Applicable