000013969 - Exception 'The policy requires the message be signed, but received an unsigned message' in RSA Federated Identity Manager

Document created by RSA Customer Support Employee on Mar 16, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000013969
Applies To: RSA Product Set: Federated Identity Manager
RSA Product/Service Type: Federated Identity Manager Module
RSA Version/Condition: 4.1
SAML redirect binding - deflated querystring messages
Issue: Solving the exception "The policy requires the message be signed, but received an unsigned message"

On an SP-initiated request using the HTTP-Redirect binding, the following exception was thrown:


2013-06-07 11:53:45,208, (SAML20SSOService.java:1244), tcpaldm045, , , , Unable to process the AuthnRequest message, com.rsa.fim.exception.ProfileException: The policy requires the message be signed, but received an unsigned message 
at com.rsa.fim.profile.util.ProfileHelper.verifySignature(ProfileHelper.java:1722)
at com.rsa.fim.profile.sso.SAML20SSOService.processAuthnRequest(SAML20SSOService.java:467)


The signature (the ds:Signature element) had been placed inside the AuthnRequest itself, which was then deflated, Base64-encoded and sent as the SAMLRequest query-string parameter. That is correct for the HTTP-POST binding, but it is not correct for the HTTP-Redirect binding, so FIM found no signature where it expected one.


<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0" ID="id-1228562145" IssueInstant="2013-06-07T20:56:36.043Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://dev.example.com</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#id-1228562145">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>1svvj0RGOmtvolyvTlDyqc2Z6mg=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>aV3gzDk8JomHeKfU5vjr4vkD2bDfxHSb8V7x3yQcQhmO9f94eAdGAQ2lSDWkV/HzOubgzAfgbrGN 8b95dOFR0MJLoV1fIX+wNW7oEdD/v7zuUOKE4V3rPuBa0C6ZIHqmf+Non7/0eCQNcjTwfBANxKvi Y+Bc4KMjNffnw5bbjYA=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDATCCAmqgAwIBAgIJALcFSpfJFvX9MA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzEL MAkGA1UECAwCTUkxGzAZBgNVBAoMEldvcmtGb3JjZSBTb2Z0d2FyZTEnMCUGA1UEAwwedG95b3Rh ZGV2Lndvcmtmb3JjZWhvc3RpbmcuY29tMTAwLnMtc3VwcG9ydEB3b3Jr Zm9yY2Vzb2Z0d2FyZS5jb20wHhcNMTMwNjA3MDM1OTA5WhcNMTMwNzA3MDM1OTA5WjCBkjELMAkG A1UEBhMCVVMxCzAJBgNVBAgMAk1JMRswGQYDVQQKDBJXb3JrRm9yY2UgU29mdHdhcmUxJzAlBgNV BAMMHnRveW90YWRldi53b3JrZm9yY2Vob3N0aW5nLmNvbTEwMC4GCSqGSIb3DQEJARYhd2ZzLXN1 cHBvcnRAd29ya2ZvcmNlc29mdHdhcmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2 leD8c2WYfga4a6jXVAD9tSuj9kMJDEC9sAZb3uy9F9lBCT3IRoANPyp/aJYdIG9oP G8oOAW2fpeUFLR/BaMCdCqJe6ArMiZYmpSPVYsKszy4SJzX8gOtvR6hyIo/sGWpqzc1cVnMaK+4h Rx7jsf8ObRo6jqAJiwIDAQABo10wWzAdBgNVHQ4EFgQUIjyjgJKsNYupQjilnfv4ssx41WcwHwYD VR0jBBgwFoAUIjyjgJKsNYupQjilnfv4ssx41WcwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAuQw DQYJKoZIhvcNAQEFBQADgYEAxqEwq4H/oAFPLw84HfbpcCFTM6BycLJKPaX60ZK4YmdziEVgzQHT tCGw00a5Eu5a/jCvYTSmXPcxn07G0mi/QPga+NpNHZx1sXvYP5w+y7cD8el6x54nmtm1VGPE7bRP XooVDsFaa9qxwpdX4h8gTUMM7UNDdz/HNgGZI7dYEzA=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
</saml2p:AuthnRequest>

Resolution

The signature (Signature) and the algorithm used (SigAlg) must be sent as separate query-string name/value pairs, outside the SAMLRequest parameter, as in the following example.


HTTP-Redirect binding:
SAML Request:


<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceIndex="0"
Destination="http://fim-dist-biz.fim.com:7001/sso/SSO"
ID="b6aad4e34e13f45856d60cd8a5a48134"
IssueInstant="2013-07-25T21:42:20Z"
Version="2.0"
>
<saml:Issuer>http://SPSigned</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>


Parameters:


GET
SAMLRequest: fVLLbsIwEPyVyPeQJw9ZBCkCVULqAxHUQ2/GXoqlxE69m0L79XUoVEhFnCzvznpmZzxF0dQtLzvamzV8dIAUHJvaIO8bBeuc4VagRm5EA8hJ8qp8euTpIOYCERxpa9jVSHt/pnWWrLQ1C8rL9Nwa7BpwFbhPLWFpFBwLFrNg4cVoI3pMwfZELY+inW5CpZHCrf4e+MtA2oaP4ziJEG1UVS8sWC4Kth0JoXLIckiyXT6cDEdqFEs1EUORT5Is9yjEznMhCUMFS+MkC+NxmA43acLzlKfxGwteweGJ3Ctns2m/Hj/NudlZTrWq9LsBNY2um9NfU5/99svFytZafgVlXdvD3IEgKBi5DljwYF0j6L5ffUWrcHeC8rYXhASGvJzoP8uF+ZwkqFOu3mCCIwVz27TCaew3gqOQdNnpGjWvfaxr2M3uJi+57HG+vPLHwTq18sGC9JQbJwy21tHZk5uPX8TfFPrXvf6Vsx8=
RelayState: a7c45c6ba1ac7eead6265806a77ce9ee
SigAlg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Signature: EcxYw4A3+csg6KWsaLgd47myVy2wx45ivHrcK+0VDVvZO1kLP8StYZZ4VRKhTmHr5L3sEHdbVMRLB/RBgEclDr3NO0CaarYtzcEcviW2mcrl8UIAfbYli6jxlHlRqlqSO25kh9/U1w+tnTG65qwfx7MuF

Notes

When using the HTTP-Redirect binding, the signature is NOT part of the SAML message; it is carried in a separate URL parameter called "Signature". The Redirect section of the SAML Bindings specification is explicit about this. It states that, when first applying the DEFLATE encoding process, "Any signature on the SAML protocol message, including the <ds:Signature> XML element itself, MUST be removed." After the signature is removed, the remaining XML is compressed and then Base64-encoded. That string is then URL-encoded and assigned to the URL parameter "SAMLRequest" or "SAMLResponse", depending on the type of message being sent.

For signing, the SAMLRequest/SAMLResponse parameter is concatenated with the RelayState parameter and the signature algorithm (SigAlg) parameter, in that order, and the concatenated string is run through the signing algorithm. The resulting value is then appended to the URL as a parameter called "Signature".
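The following Python is an added example, not code from the article or from RSA FIM. It performs the Redirect-binding steps described above on the sender side (strip ds:Signature, raw DEFLATE, Base64, URL-encode, sign the SAMLRequest/RelayState/SigAlg string, append Signature) and, on the receiver side, reports the two conditions behind the FIM error: a signature still embedded in the message and no Signature/SigAlg parameters on the query string. The RSA-SHA1 primitive is left as a callable; the `demo_sign`/`demo_verify` HMAC stand-in and `WRONG_REQUEST` are constructed so the block runs offline.

```python
import base64, hashlib, hmac, re, zlib
from urllib.parse import quote, unquote

SIG_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # SigAlg value used on the page

def strip_xml_signature(xml: str) -> str:
    """Drop the enveloped <ds:Signature>; the Redirect binding forbids it inside the message."""
    return re.sub(r"<ds:Signature\b.*?</ds:Signature>", "", xml, flags=re.S)

def encode_saml_param(xml: str) -> str:
    """Raw DEFLATE (no zlib header, wbits=-15), then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def decode_saml_param(b64: str) -> str:
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def build_signed_redirect_query(xml: str, relay_state: str, sign) -> str:
    """sign(data) -> bytes implements SIG_ALG with the SP key. Signed octets = the URL-encoded
    pairs SAMLRequest, RelayState, SigAlg in that order; Signature is appended, never embedded."""
    signed = (f"SAMLRequest={quote(encode_saml_param(strip_xml_signature(xml)), safe='')}"
              f"&RelayState={quote(relay_state, safe='')}&SigAlg={quote(SIG_ALG, safe='')}")
    return f"{signed}&Signature={quote(base64.b64encode(sign(signed.encode())).decode(), safe='')}"

def check_redirect_query(query: str, verify) -> dict:
    """Receiver side; verify(data, sig) -> bool. Rebuilds the signed octets from the raw,
    still URL-encoded query values and reports the two conditions behind the FIM error."""
    raw = dict(p.split("=", 1) for p in query.split("&"))
    res = {"embedded_signature": "<ds:Signature" in decode_saml_param(unquote(raw["SAMLRequest"])),
           "has_signature_param": "Signature" in raw and "SigAlg" in raw, "signature_valid": False}
    if res["has_signature_param"] and unquote(raw["SigAlg"]) == SIG_ALG:
        signed = f"SAMLRequest={raw['SAMLRequest']}"
        if "RelayState" in raw:
            signed += f"&RelayState={raw['RelayState']}"
        signed += f"&SigAlg={raw['SigAlg']}"
        res["signature_valid"] = verify(signed.encode(), base64.b64decode(unquote(raw["Signature"])))
    return res

# Stand-in for the RSA-SHA1 primitive so the example runs offline: an HMAC over a constructed
# key, NOT RSA; in practice sign(...)/verify(...) wrap the SP's real key pair for SIG_ALG.
_DEMO_KEY = b"constructed-demo-key"
def demo_sign(data: bytes) -> bytes: return hmac.new(_DEMO_KEY, data, hashlib.sha1).digest()
def demo_verify(data: bytes, sig: bytes) -> bool: return hmac.compare_digest(demo_sign(data), sig)

# Constructed AuthnRequest that still carries the enveloped signature, the mistake in the article.
WRONG_REQUEST = ('<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-1" '
                 'Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
                 'https://dev.example.com</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/'
                 'xmldsig#"><ds:SignatureValue>x</ds:SignatureValue></ds:Signature></saml2p:AuthnRequest>')
```

Sending the deflated `WRONG_REQUEST` alone (no Signature/SigAlg parameters) reproduces the article's failure: the checker reports `embedded_signature` True and `has_signature_param` False, which is exactly what FIM rejects.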

Legacy Article ID: a62124
