Environment
NetIQ Access Manager 4.3
Situation
- NetIQ Access Manager 4.3 NIDP Server installed on Windows
- NAM setup has been upgraded from version 4.2.2 to 4.3
- NAM IDP server is acting as SAML2 IDP
- All configured third-party SAML2 Service Providers report a metadata signature validation error after the upgrade
- Metadata cannot be re-imported into any SAML2 Service Provider
Example trace from a Service Provider:
SAML20 SP (client 100 ): Exception raised:
SAML20 SAML20 CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.
SAML20 at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 57)
SAML20 at CL_SAML20_RESPONSE->VALIDATE(Line 60)
SAML20 at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
SAML20 at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20 at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20 at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2225)
SAML20 Caused by: CX_SAML20_CORE: Error in ST program SAML2_ASSERTION when importing XML data. Long text: Error in ST program SAML2_ASSERTION when importing XML data. Diagnosis Signature verification failed (for signer) or Enve System Response Procedure Check the trace of the current work process dev_w<nr>. At level 2 you can find further information about the error. Procedure for System Administration
SAML20 at CL_SAML20_ABSTRACT_MSG->VERIFY_SIGNATURE(Line 134)
SAML20 at CL_SAML20_ABSTRACT_MSG->PARSE_XML(Line 210)
SAML20 at CL_SAML20_ASSERTION->CREATE_FROM_XML(Line 52)
SAML20 at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 32)
SAML20 at CL_SAML20_RESPONSE->VALIDATE(Line 60)
SAML20 at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
SAML20 at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20 at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20 at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2225)
SAML20 Caused by: CX_SEC_SXML_ERROR: SSFW_KRN_VERIFY failed with: Signature verification failed (for signer) or Envelope failed (for recipient)
SAML20 at CL_SEC_SXML_DSIGNATURE->HANDLE_SSF_ERROR(Line 51)
- Note: This problem does not occur for IDP servers installed on Linux
Resolution
- The issue has been reported to engineering
- A fix will ship with the release of NAM 4.3.1
- Until NAM 4.3.1 is released, please contact support
Cause
A library mismatch in the XML Signature processing on Windows corrupts the metadata signature value, so Service Providers cannot verify the signature.
Additional Information
The metadata of a NAM IDP server should not change merely because an upgrade from an older version to the current version was run.
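A defender-side triage aid for the situation above (an added example, not NetIQ code): compare a metadata capture taken before the upgrade with one taken after, first on the signed content with ds:Signature removed, then on the shape of the ds:SignatureValue, to separate "the metadata really changed" from "only the signature value is damaged". It assumes Python 3.8+ for xml.etree.ElementTree.canonicalize and a 2048-bit RSA signing key; the sample metadata, entity IDs and zero-byte signature values are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = "{%s}Signature" % DS_NS

def content_digest(metadata_xml: str) -> str:
    # SHA-256 over the C14N form of the document with every ds:Signature removed,
    # so two captures are compared on the signed content only.
    c14n = ET.canonicalize(metadata_xml, strip_text=True, exclude_tags=[SIG_TAG])
    return hashlib.sha256(c14n.encode()).hexdigest()

def signature_value_ok(metadata_xml: str, key_bits: int = 2048) -> bool:
    # An RSA signature is exactly modulus-length bytes (assumed 2048-bit key);
    # any other decoded length, or undecodable base64, means the value is damaged.
    node = ET.fromstring(metadata_xml).find(SIG_TAG + "/{%s}SignatureValue" % DS_NS)
    if node is None or not node.text:
        return False
    try:
        raw = base64.b64decode("".join(node.text.split()), validate=True)
    except ValueError:
        return False
    return len(raw) == key_bits // 8

def triage(before_xml: str, after_xml: str) -> str:
    # Classify what changed between a pre-upgrade and a post-upgrade capture.
    if content_digest(before_xml) != content_digest(after_xml):
        return "content-changed"
    if not signature_value_ok(after_xml):
        return "signature-corrupted"
    return "unchanged"

# Constructed sample metadata (hypothetical entity, not from the page); the
# signature bytes are dummy zeros of the right length, not a real signature.
def sample(sig_bytes: bytes, sso_url: str = "https://idp.example.test/nidp/saml2/sso") -> str:
    return ("<md:EntityDescriptor xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' "
            "xmlns:ds='%s' entityID='https://idp.example.test/nidp/saml2/metadata'>"
            "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>%s</ds:SignatureValue>"
            "</ds:Signature><md:IDPSSODescriptor>"
            "<md:SingleSignOnService Location='%s'/></md:IDPSSODescriptor>"
            "</md:EntityDescriptor>") % (DS_NS, base64.b64encode(sig_bytes).decode(), sso_url)

BEFORE = sample(b"\x00" * 256)         # intact: 256 bytes for a 2048-bit key
CORRUPTED = sample(b"\x00" * 255)      # one byte short: damaged signature value
RELOCATED = sample(b"\x00" * 256, "https://idp.example.test/nidp/saml2/sso2")
if __name__ == "__main__":
    print(triage(BEFORE, CORRUPTED))   # signature-corrupted
    print(triage(BEFORE, RELOCATED))   # content-changed
```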