000030208 - intermittant FIM "error failed to validate signature value"

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000030208
Applies ToRSA Product Set: FIM
RSA Product/Service Type: Federated Identity Management Module
RSA Version/Condition: 4.2
Platform: UNIX
Platform (Other): null
O/S Version: Solaris 10
Product Name: null
Product Description: null
IssueRSA FIM logs the following error intermittently:
2015-04-23 16:22:30,274, server1, (DSigHelper.java:547), Fim, , , , Signature Verification failed SAMLSignedObject.verify() failed to validate signature value

This error message means that signature on the the SAML message could not be validated using the certificate in the JKS truststore.  If this issue occurs for all requests the certificate in the JKS truststore may not be the same one the partner is using for signing.   If this error occurs intermittently it may mean that the SAML payload was corrupted or that there is some problem with the digest calculation of the XML. 
The way the XML transforms are applied or the way the document is encoded and decoded may affect the digest that is derived from hashing the data that is signed. 
For example if the SAML assertion contains attributes with UTF-8 encoded data, the hashing may produce different digests if the data is encoded incorrectly.
This is a known issue with PING Federate 5.1 or earlier when the digest calculation is done in unix and the attributes contain extended characters in UTF-8 format. 
For example the following attribute with french characters causes a digest calculation that is incorrect. 
        <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Frédérique</saml:AttributeValue>

ResolutionThis is resolved in PING Federate 5.2 or later.