IDP SAML2 Metadata signature corrupt after upgrading NIDP Server installed on Windows from NAM 4.2.2 to 4.3

  • 7018519
  • 24-Jan-2017
  • 25-Jan-2017

Environment

NetIQ Access Manager 4.3

Situation

  • NetIQ Access Manager 4.3 NIDP Server installed on Windows
  • NAM setup has been upgraded from version 4.2.2 to 4.3
  • NAM IDP server is acting as SAML2 IDP
  • All configured third-party SAML2 Service Providers report a metadata signature validation error after the upgrade
  • The metadata cannot be re-imported into any SAML2 Service Provider

    Example
    SAML20 SP (client 100 ):  Exception raised:
    SAML20 SAML20 CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.
    SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 57)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)
    SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
    SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
    SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
    SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2225)
    SAML20 Caused by: CX_SAML20_CORE: Error in ST program SAML2_ASSERTION when importing XML data. Long text: Error in ST program SAML2_ASSERTION when importing XML data. Diagnosis Signature verification failed (for signer) or Enve System Response Procedure Check the trace of the current work process dev_w<nr>. At level 2 you can find further information about the error. Procedure for System Administration
    SAML20     at CL_SAML20_ABSTRACT_MSG->VERIFY_SIGNATURE(Line 134)
    SAML20     at CL_SAML20_ABSTRACT_MSG->PARSE_XML(Line 210)
    SAML20     at CL_SAML20_ASSERTION->CREATE_FROM_XML(Line 52)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 32)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)
    SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
    SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
    SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
    SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2225)
    SAML20 Caused by: CX_SEC_SXML_ERROR: SSFW_KRN_VERIFY failed with: Signature verification failed (for signer) or Envelope failed (for recipient)
    SAML20     at CL_SEC_SXML_DSIGNATURE->HANDLE_SSF_ERROR(Line 51)
  • Note: This problem does not come up for IDP servers installed on Linux

Resolution

  • The issue has been reported to engineering
  • A fix will be shipped with the release of NAM 4.3.1
  • Until NAM 4.3.1 is released, please contact support

Cause

A library mismatch in the XML Signature processing corrupts the metadata signature value.

Additional Information

The metadata of a NAM IDP server should not change merely because an upgrade from any older version to the current version has been run.
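A pre/post-upgrade comparison of the IDP metadata, written here as an added example for this article (it is not NetIQ code), separates the corrupt-signature pattern described above from a legitimate change: the two metadata snapshots, the entityID and the certificate placeholder are constructed, and the comparison assumes the IDP signs with a deterministic RSA PKCS#1 v1.5 algorithm.

```python
import hashlib
import re
import xml.etree.ElementTree as ET  # ET.canonicalize needs Python 3.8+

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():  # keep prefixes stable when the tree is re-serialised
    ET.register_namespace(prefix, uri)
# RSA PKCS#1 v1.5 is deterministic: the same key over identical content yields the same value.
DETERMINISTIC_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}

def metadata_fingerprint(xml_text):
    """entityID, signing cert, algorithm, SignatureValue and a digest of the signed payload."""
    root = ET.fromstring(xml_text)
    alg = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    fp = {"entityID": root.get("entityID"),
          "alg": alg.get("Algorithm") if alg is not None else None,
          "cert": re.sub(r"\s+", "", root.findtext("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                                                  "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)),
          "signature": re.sub(r"\s+", "", root.findtext("ds:Signature/ds:SignatureValue", "", NS))}
    sig = root.find("ds:Signature", NS)
    if sig is not None:
        root.remove(sig)  # digest only what the enveloped signature covers
    canon = ET.canonicalize(ET.tostring(root, encoding="unicode"), strip_text=True)
    fp["content_digest"] = hashlib.sha256(canon.encode()).hexdigest()
    return fp

def classify_upgrade(before_xml, after_xml):
    """Separate a routine metadata change from the corrupt-signature pattern in this TID."""
    b, a = metadata_fingerprint(before_xml), metadata_fingerprint(after_xml)
    if b == a:
        return "unchanged"
    if b["cert"] != a["cert"]:
        return "signing certificate changed: re-import required"
    if b["content_digest"] != a["content_digest"]:
        return "content changed"
    if b["alg"] == a["alg"] and a["alg"] in DETERMINISTIC_ALGS:
        # Same key, same algorithm, identical payload, different value: a correct
        # signer cannot produce this, so the SignatureValue itself is suspect.
        return "signature-only change: suspect corrupt signature"
    return "signature changed under a randomised algorithm: verify against the cert"

def _sample_metadata(signature_value):  # constructed sample, not real NAM output
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="https://idp.example.test/nidp/saml2/metadata"><ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>{signature_value}</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  CONSTRUCTED-PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""

BEFORE = _sample_metadata("c2lnbmF0dXJlLWJlZm9yZQ==")  # snapshot taken before the upgrade
AFTER = _sample_metadata("Y29ycnVwdC1zaWduYXR1cmU=")   # snapshot after: only SignatureValue differs
```

Capturing the metadata URL before an upgrade and running this comparison afterwards flags the failure before the first Service Provider does.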