IDP SAML2 Metadata signature corrupt after upgrading NIDP Server installed on Windows from NAM 4.2.2 to 4.3

  • 7018519
  • 24-Jan-2017
  • 25-Jan-2017

Environment

NetIQ Access Manager 4.3

Situation

  • NetIQ Access Manager 4.3 NIDP Server installed on Windows
  • NAM setup has been upgraded from version 4.2.2 to 4.3
  • NAM IDP server is acting as SAML2 IDP
  • ALL configured 3rd party SAML2 Service Providers report a metadata signature validation error after the upgrade
  • Metadata cannot be re-imported into any SAML2 Service Provider

    Example
    SAML20 SP (client 100 ):  Exception raised:
    SAML20 SAML20 CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.
    SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 57)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)
    SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
    SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
    SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
    SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2225)
    SAML20 Caused by: CX_SAML20_CORE: Error in ST program SAML2_ASSERTION when importing XML data. Long text: Error in ST program SAML2_ASSERTION when importing XML data. Diagnosis Signature verification failed (for signer) or Enve System Response Procedure Check the trace of the current work process dev_w<nr>. At level 2 you can find further information about the error. Procedure for System Administration
    SAML20     at CL_SAML20_ABSTRACT_MSG->VERIFY_SIGNATURE(Line 134)
    SAML20     at CL_SAML20_ABSTRACT_MSG->PARSE_XML(Line 210)
    SAML20     at CL_SAML20_ASSERTION->CREATE_FROM_XML(Line 52)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 32)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)
    SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
    SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
    SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
    SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2225)
    SAML20 Caused by: CX_SEC_SXML_ERROR: SSFW_KRN_VERIFY failed with: Signature verification failed (for signer) or Envelope failed (for recipient)
    SAML20     at CL_SEC_SXML_DSIGNATURE->HANDLE_SSF_ERROR(Line 51)
  • Note: This problem does not occur for IDP servers installed on Linux

Resolution

  • The issue has been reported to engineering
  • A fix will be shipped with the release of NAM 4.3.1
  • Until NAM 4.3.1 has been released, please get in contact with support

Cause

A library mismatch in the XML Signature processing corrupts the metadata signature value
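To check an exported IDP metadata file for this symptom before handing it to a Service Provider, the following added example (not part of this article or of NAM) validates the enveloped XML-DSig on the EntityDescriptor with the JDK's built-in javax.xml.crypto.dsig API and, on failure, reports whether the SignatureValue or a reference digest is the part that does not verify. The class name and the metadata file path argument are assumptions.

```java
import java.io.File;
import java.security.Key;
import java.security.cert.X509Certificate;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
// Hypothetical helper (not NAM code): validates the enveloped XML-DSig on a SAML2 metadata file.
public class MetadataSignatureCheck {
    public static boolean verify(File metadataFile) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Metadata comes from another party: refuse DTDs so no external entities are resolved.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(metadataFile);
        // The Reference URI="#<ID>" only resolves if the EntityDescriptor ID attribute is marked as an ID.
        Element root = doc.getDocumentElement();
        if (root.hasAttribute("ID")) root.setIdAttribute("ID", true);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) throw new IllegalStateException("metadata carries no ds:Signature");
        // Verify with the certificate embedded in ds:KeyInfo; a real SP compares it to the pinned IDP certificate.
        KeySelector fromKeyInfo = new KeySelector() {
            public KeySelectorResult select(KeyInfo ki, Purpose p, AlgorithmMethod m, XMLCryptoContext c) throws KeySelectorException {
                for (Object o : ki.getContent())
                    if (o instanceof X509Data)
                        for (Object x : ((X509Data) o).getContent())
                            if (x instanceof X509Certificate) {
                                final Key k = ((X509Certificate) x).getPublicKey();
                                return () -> k;
                            }
                throw new KeySelectorException("no X509Certificate in ds:KeyInfo");
            }
        };
        DOMValidateContext ctx = new DOMValidateContext(fromKeyInfo, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean ok = sig.validate(ctx);
        if (!ok) {
            // Separate the failure modes: a bad SignatureValue (the symptom above) versus a bad reference digest.
            System.out.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            for (Object r : sig.getSignedInfo().getReferences())
                System.out.println("Reference " + ((Reference) r).getURI() + " digest valid: " + ((Reference) r).validate(ctx));
        }
        return ok;
    }
    public static void main(String[] args) throws Exception {
        System.out.println(verify(new File(args[0])) ? "metadata signature OK" : "metadata signature INVALID");
    }
}
```

Run it as `java MetadataSignatureCheck idp-metadata.xml` against the metadata exported from the upgraded IDP; a valid digest together with an invalid SignatureValue matches the corruption this article describes.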

Additional Information

The metadata of a NAM IDP server should not change simply because an upgrade from an older version to the current version has been run
