000034748 - RSA Identity Governance and Lifecycle error "Signature on SAML authn failed to verify" when processing SAML assertion from IDP

Document created by RSA Customer Support Employee on Feb 24, 2017. Last modified by RSA Customer Support on Jan 18, 2018.
Version 6

Article Content

Article Number: 000034748
Applies To: RSA Product Set: Identity Governance and Lifecycle
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 7.0.0, 7.0.1
Issue: When attempting to process the SAML authentication response, RSA Identity Governance and Lifecycle generates the following exception in the /home/oracle/wildfly-8.2.0.Final/standalone/log/aveksaServer.log file:

01/16/2017 08:47:05.271 INFO  (default task-56) [com.aveksa.gui.pages.toolbar.login.SSOAuthenticatorHandler]
SSOAuthenticator: isAuthenticator failed. Reason: Signature on SAML authn failed to verify
01/16/2017 08:47:05.271 ERROR (default task-56) [com.aveksa.gui.pages.toolbar.login.SSOAuthenticatorHandler]
com.aveksa.server.authentication.AuthenticationProviderException: Signature on SAML authn failed to verify
Caused by: org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key

Cause: This error indicates that RSA Identity Governance and Lifecycle is unable to validate the signature on the assertion in the SAML response from the IDP. The most likely cause is that the certificate actually used to sign the assertion is not the certificate trusted in RSA Identity Governance and Lifecycle, for example because the IDP has renewed its signing certificate since the authentication source was configured.
Ensure that the correct certificate is referenced in the SAML configuration page for the authentication source.

  1. Under the Admin menu, select System
  2. On the Authentication tab, edit the Authentication Source.
  3. In the Authentication Source, ensure that the end entity certificate used by the IDP to sign the SAML assertion is the one selected as the IDPCertificate file.
Notes: The certificate used for signing is normally included in the payload that comprises the SAML assertion (in the ds:KeyInfo element of the ds:Signature). If there is any uncertainty about the certificate actually in use, the correct certificate may be extracted directly from the assertion using the following technique. In the HTTP-POST binding the SAML response is Base64 encoded and then URL encoded in the SAMLResponse parameter of the POST data, so it must be URL decoded before it is Base64 decoded.
  1. Use a tool of your choice to capture a copy of the SAML response. Some tools that you may use are suggested below:
    1. Fiddler
    2. Firefox SAML-tracer add-on
    3. Google Chrome Developer Tools (Network tab)
  2. URL decode the SAML response using a tool of your choice.
  3. Base64 decode the SAML response.
  4. Identify the certificate in the XML content of the SAML response. It is located between the <ds:X509Certificate> and </ds:X509Certificate> tags inside a <ds:Signature> element. A response may carry two signatures, one on the <samlp:Response> and one on the <saml:Assertion>, and the two may use different certificates; the one that matters for this error is the certificate in the signature of the <saml:Assertion>.
  5. Copy the Base64 text that composes the certificate into a text file, add a line reading -----BEGIN CERTIFICATE----- before it and a line reading -----END CERTIFICATE----- after it (OpenSSL requires these PEM markers, and Windows and Java accept them), and save the file to a location accessible to your RSA Identity Governance and Lifecycle console session.
  6. Rename the file with a .cer extension.
  7. Follow the instructions above to trust the certificate as the IDPCertificate in RSA Identity Governance and Lifecycle.
On Windows, the .cer file may be opened by double-clicking it to view the certificate information and confirm that it is the expected certificate.
On Unix, the same information may be viewed with openssl:

$ openssl x509 -in cert.cer -noout -text
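As an added, self-contained illustration of steps 2 through 5 (example code written for this article, not part of the RSA product or of the original article), the Python script below builds a constructed SAMLResponse POST body from placeholder certificate bytes (not real certificates), then URL decodes and Base64 decodes it, picks the X509Certificate from the signature on the <saml:Assertion> rather than the one on the <samlp:Response>, wraps it in PEM markers, and prints a SHA-256 fingerprint that can be compared with the certificate configured as the IDPCertificate. All names (build_post_body, decode_saml_response, assertion_signing_cert, the issuer URL) are this example's own assumptions.

```python
import base64
import hashlib
import textwrap
import urllib.parse
import xml.etree.ElementTree as ET

# Namespace prefixes as they appear in a typical SAML 2.0 HTTP-POST response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for DER certificate bytes. They are NOT
# real certificates; a real X509Certificate element carries the Base64 of a
# DER-encoded certificate. Two different blobs model an IDP whose Response and
# Assertion signatures use different certificates.
RESPONSE_CERT_DER = b"constructed bytes for the certificate on the <samlp:Response> signature"
ASSERTION_CERT_DER = b"constructed bytes for the certificate on the <saml:Assertion> signature"
RESPONSE_CERT_B64 = base64.b64encode(RESPONSE_CERT_DER).decode("ascii")
ASSERTION_CERT_B64 = base64.b64encode(ASSERTION_CERT_DER).decode("ascii")


def _signature(cert_b64):
    """Minimal <ds:Signature> carrying only what this script reads; a real one also
    has CanonicalizationMethod, Reference/DigestValue and a real SignatureValue."""
    wrapped = "\n".join(textwrap.wrap(cert_b64, 76))  # IDPs usually line-wrap the Base64
    return (
        "<ds:Signature><ds:SignedInfo/>"
        "<ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>"
        "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n"
        + wrapped
        + "\n</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
    )


def build_post_body():
    """Constructed SAMLResponse POST body: XML -> Base64 -> URL encoding."""
    response_xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
        "<saml:Issuer>https://idp.example.test/constructed</saml:Issuer>"
        + _signature(RESPONSE_CERT_B64)
        + '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>https://idp.example.test/constructed</saml:Issuer>"
        + _signature(ASSERTION_CERT_B64)
        + "<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )
    b64 = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    # safe="" so that '+', '/' and '=' inside the Base64 are percent-encoded.
    return "SAMLResponse=" + urllib.parse.quote(b64, safe="") + "&RelayState=constructed"


def decode_saml_response(post_body):
    """Steps 2 and 3: URL decode first, then Base64 decode. Doing it in the other
    order fails because a '+' in the raw form body would be read as a space."""
    params = urllib.parse.parse_qs(post_body, strict_parsing=True)
    return base64.b64decode(params["SAMLResponse"][0]).decode("utf-8")


def assertion_signing_cert(response_xml):
    """Step 4: return ("assertion", b64) for the certificate on the Assertion's own
    signature, falling back to ("response", b64) when only the Response is signed."""
    root = ET.fromstring(response_xml)
    path = "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext <saml:Assertion>; an EncryptedAssertion must "
                         "be decrypted before its signature can be inspected")
    cert, level = assertion.find(path, NS), "assertion"
    if cert is None:
        cert, level = root.find(path, NS), "response"
    if cert is None or not cert.text:
        raise ValueError("no X509Certificate in either signature; this IDP does not "
                         "publish its certificate in KeyInfo, use its metadata instead")
    return level, "".join(cert.text.split())  # drop the line wrapping


def to_pem(cert_b64):
    """Step 5: add the PEM markers that OpenSSL needs and Windows/Java also accept."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(cert_b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def sha256_fingerprint(cert_b64):
    """The value 'openssl x509 -noout -fingerprint -sha256' prints for the PEM file."""
    digest = hashlib.sha256(base64.b64decode(cert_b64)).digest()
    return ":".join(f"{b:02X}" for b in digest)


if __name__ == "__main__":
    xml = decode_saml_response(build_post_body())
    level, b64 = assertion_signing_cert(xml)
    print(f"certificate taken from the {level} signature")
    print(to_pem(b64), end="")
    print("SHA256 Fingerprint=" + sha256_fingerprint(b64))
```

With a real capture, replace build_post_body() with the raw POST body from Fiddler, SAML-tracer or the browser's Network tab; write the PEM returned by to_pem to cert.cer and the openssl command above will display it. If the script reports the certificate came from the response signature rather than the assertion signature, the IDP is signing only the outer Response, which is a different configuration problem from the mismatched certificate this article describes.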