|Applies To||RSA Product Set: Federated Identity Manager|
RSA Product/Service Type: Federated Identity Management Module
RSA Version/Condition: 4.1 EOPS Reached
O/S Version: 2008 Server R2 x64
|Issue||RSA FIM shows the following error in the debug log file:|
2015-04-20 10:28:27,125, (DSigHelper.java:548), fim, , , , util.crypto.dsig.verify.error, com.rsa.fim.saml.InvalidCryptoException: SAMLSignedObject.verify() failed to validate signature value
|Cause||This error indicates that although the certificate that signed the assertion may be valid, the signature on the XML payload itself indicates a problem.|
The failure occurs during the "Reference validation" phase of the signature validation when FIM calculates the hash of the XML signed contents and compares the hash against the one signed by the partner.
The purpose of this check is specifically to ensure that the XML content has not been tampered with. The error means that this check failed.
If this error occurs unexpectedly, it may be for one of the following reasons:
- The payload was corrupted in transfer. This happens when some part of the HTTP infrastructure adds, transforms or deletes characters from the XML text in transit, for example when a proxy module rewrites part of the XML through a regular expression rule, or when XML content carried in a query string is URL encoded or decoded when it should not be. This is quite rare, but it does occur.
- Incorrect application of XML transforms. This is the most common failure. It occurs when one of the SAML vendors encodes the XML in a way that changes the digest, or transforms part of the XML after the signature has been calculated.
- Incorrect application of character encoding. Sometimes there is an error in the way different extended characters are encoded and decoded and this may cause the digest to be calculated incorrectly. This is suspected if the reference validation errors only occur for assertions with specific characters in them.
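The reference validation step described above, reduced to its essentials in the Python standard library, as an added example that is not RSA documentation or FIM code: the partner embeds the digest of the canonicalized signed content, the verifier recomputes it, and two of the transport faults listed above (a proxy stripping whitespace, UTF-8 text read back as Latin-1) each change the recomputed digest. It assumes SHA-256 and the stdlib's C14N 2.0 in place of the exclusive C14N 1.0 that SAML stacks normally use; the sample Response, host names and function names are constructed.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DS_ = f"{{{DS}}}"  # Clark-notation prefix for XML Signature elements
for prefix, uri in (("samlp", "urn:oasis:names:tc:SAML:2.0:protocol"),
                    ("saml", "urn:oasis:names:tc:SAML:2.0:assertion"), ("ds", DS)):
    ET.register_namespace(prefix, uri)
# Constructed sample Response (not a real partner message); the NameID holds an extended character.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>rené@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def digest_of_signed_content(root):
    """Enveloped-signature transform (drop ds:Signature), canonicalize, SHA-256, base64.
    Assumption: stdlib canonicalize() is C14N 2.0, whereas SAML stacks use exclusive
    C14N 1.0 via xmlsec; the principle (digest the transformed bytes) is the same."""
    for sig in root.findall(DS_ + "Signature"):
        root.remove(sig)
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest()).decode()

def sign(xml_text):
    """Partner side: embed the digest in ds:Reference (SignatureValue omitted here)."""
    root = ET.fromstring(xml_text)
    digest = digest_of_signed_content(root)
    signed_info = ET.SubElement(ET.SubElement(root, DS_ + "Signature"), DS_ + "SignedInfo")
    ref = ET.SubElement(signed_info, DS_ + "Reference")
    ET.SubElement(ref, DS_ + "DigestValue").text = digest
    return ET.tostring(root, encoding="unicode")

def reference_validation(signed_xml):
    """Verifier side: recompute the digest and compare it with the one the partner signed."""
    root = ET.fromstring(signed_xml)
    claimed = root.findtext(f"{DS_}Signature/{DS_}SignedInfo/{DS_}Reference/{DS_}DigestValue")
    return claimed is not None and claimed == digest_of_signed_content(root)

# Two transport faults from the cause list: a proxy stripping inter-element whitespace,
# and UTF-8 text read back as Latin-1 (the "é" becomes "Ã©").
def whitespace_stripped(signed_xml):
    return re.sub(r">\s+<", "><", signed_xml)

def misdecoded(signed_xml):
    return signed_xml.encode("utf-8").decode("latin-1")
```

Run `reference_validation(sign(RESPONSE))` to see the untampered case pass, then feed the same signed text through `whitespace_stripped` or `misdecoded` to reproduce the digest mismatch that this error reports.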
|Resolution||This issue is a known problem with some third-party SAML application toolkits. The Python Django SAML toolkit is known to calculate the XML signature hash incorrectly when it is used with older XML signature libraries.|
|Workaround||Here are some troubleshooting suggestions.|
- One way to troubleshoot this is to change the SAML binding from one method to another. For example, if you are using the redirect binding, which carries the message in a query string, and suspect that the query string is being damaged, the issue may not occur with the POST binding, which carries the message as form data.
- The possibility of errors in XML transformation increases with the complexity of the XML. For testing, simplify the assertion as much as possible: do not pass attribute values; sign only the response rather than both the assertion inside the response and the response itself; and make sure the XML elements do not use any non-standard or extended character sets.