SAML Response Processing Failure - SAML Response Signature Verification Failure

Problem Summary: SAML Response Processing Failure - SAML Response Signature Verification Failure
Error Message:

com.sun.identity.saml2.common.SAML2Exception: Invalid signature in Response.
at com.sun.identity.saml2.profile.SPACSUtils.getResponseFromPost(
at com.sun.identity.saml2.profile.SPACSUtils.getResponse(
at com.sun.identity.saml2.profile.SPACSUtils.processResponseForFedlet(

Check the logs below for more information:
2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] ERROR SAML Response processing failed with exception…

2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] DEBUG - Health event with id SAML_RESPONSE_FLOW_FAILURE has come from IdSSAMLAsyncServlet that can potentially change the state from STATE_IN_SERVICE
2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] changing the state as current state STATE_IN_SERVICE is different from new state PARTIAL_SERVICE as a result of SAML_RESPONSE_FLOW_FAILURE

Possible Cause

Only the SAML assertion is signed; the entire response message is not.
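To confirm this cause from a captured SAMLResponse POST value before changing ADFS, the following added diagnostic (not from this page or from Cisco) reports which elements of the response carry an enveloped XML signature. The element IDs and the sample_response builder are constructed for illustration, and the script does not validate the signatures themselves.

```python
# Added diagnostic (not Cisco's or the page's code): reports which elements of a
# SAMLResponse carry an enveloped ds:Signature. It does not verify signatures.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _enveloped_signature(elem):
    """True if elem has a direct ds:Signature child whose Reference URI is
    empty or '#<elem ID>', i.e. a signature over elem itself."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    return uri in ("", "#" + elem.get("ID", ""))

def classify_saml_response(saml_response_b64):
    """Classify a base64 SAMLResponse POST value by what is signed, using the
    value names of the ADFS SamlResponseSignature setting."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    message_signed = _enveloped_signature(root)
    # EncryptedAssertion cannot be inspected without the SP key; skip it.
    assertions = root.findall("saml:Assertion", NS)
    assertion_signed = bool(assertions) and all(
        _enveloped_signature(a) for a in assertions)
    if message_signed and assertion_signed:
        return "MessageAndAssertion"
    if message_signed:
        return "MessageOnly"
    return "AssertionOnly" if assertion_signed else "None"

def sample_response(sign_message, sign_assertion):
    """Constructed SAMLResponse (signature elements are structural only)."""
    def sig(ref_id):
        return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/>'
                '</ds:SignedInfo></ds:Signature>' % ref_id)
    xml = ('<samlp:Response ID="_r1" xmlns:samlp="%s" xmlns:saml="%s" '
           'xmlns:ds="%s">' % (NS["samlp"], NS["saml"], NS["ds"]))
    xml += sig("_r1") if sign_message else ""
    xml += '<saml:Assertion ID="_a1">' + (sig("_a1") if sign_assertion else "")
    xml += "</saml:Assertion></samlp:Response>"
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # The failing case from this page: only the assertion is signed.
    print(classify_saml_response(sample_response(False, True)))  # AssertionOnly
```

A result of AssertionOnly on a response captured from the browser matches the cause above; after the ADFS change the same check should report MessageAndAssertion.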

Recommended Action
Update ADFS to use SHA-1 for signing and encryption.

Update ADFS to sign both the assertion and the message.
Use the ADFS PowerShell command Get-ADFSRelyingPartyTrust -TargetName <Relying Party Trust Identifier> to verify that the field SamlResponseSignature is set to MessageAndAssertion.

The fix is to run the ADFS PowerShell command: Set-ADFSRelyingPartyTrust -TargetName <Relying Party Trust Identifier> -SamlResponseSignature "MessageAndAssertion"

Upload the correct federation metadata (idp.xml) again.
Enable form authentication in the ADFS settings.
Refer to the articles below.

Under ADFS claim rules, ensure the attribute mappings for "user_principal" and "uid" are defined as in the configuration guide.

After the ADFS configuration changes, run the SSO test from the IdSAdmin UI on both nodes to ensure SSO is working as expected.

Release: Release 11.5(1)
Associated CDETS #: None
