Signature cryptographic validation not successful error for all RSA SecurID Access integrated Windows Authentication (IWA) attempts

4 years ago

Originally Published: 2020-04-27

Article Number

000044934

Applies To

RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Identity Router

Issue

End users are unable to log in to their Application Portal or perform SSO login to applications with IWA. When the users try to log in using their usernames and passwords they succeed, thus it is not an issue with the portal itself.

The User Event Monitor shows the following messages:

User ID: unknown
Description: Portal logon failed - Authentication failed.
Authentication Details: {"additionalText":"{MESSAGE=Idp login failed. There was trouble processing the idp request., USERID=unknown, USERNAME=unknown, NOT_AUTHNED_REASON=Unable to authenticate with the credentials you provided. Please try again., RESULT=NOT_AUTHENTICATED}"}

The following error is seen in the IDR logs:

ERROR com.symplified.platform.webservice.WebServiceApiSecurityUtils[268] - No Authorization header Present
.
.
.
Caused by: org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful

Cause

There is a mismatch between the certificate the IWA server and what is uploaded for the IWA connection in the Cloud Administration Console.

Resolution

The customer must generate a new .pem and a corresponding .pfx and upload them. Alternatively, the steps that are shown in article 000035019 - Signature cryptographic validation not successful error for all RSA SecurID Access integrated Windows Authentication (IWA) attempts can be used to generate the new key pair from the Cloud Administration Console.

Don't see what you're looking for?

Related Articles

Trending Articles