Access Manager IDP returns request denied on SAML2 Authentication request from SP

  • 7023557
  • 04-Dec-2018
  • 04-Dec-2018

Environment

  • Access Manager 4.4
  • Access Manager 4.4.3

Situation

  • The IDP server returns RequestDenied after processing a SAML2 authentication request:

    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
        </samlp:StatusCode>
    </samlp:Status>

  • Configured NIDP cluster logging options:
       Enable File Logging
       Echo To Console
       Component File Logger Levels:
          Application, Liberty, SAML2: debug

  • The following messages are logged to catalina.out:

    AM org.apache.xml.security.signature.Reference verify
    INFO: Verification successful for URI "#_95c318e1dd5dfeee1063ac4bdb952edb7568a4908b"
    Warning: Invalid resource key: Signature length not correct: got 256 but was expecting 512. No prefix!


Resolution

The third-party SAML2 service provider required a fix so that it calculates a signature of the correct length.

Cause

The SAML authentication request carries a signature of 256 bytes, but the RSA key used to sign the SHA message digest is 4096 bits (512 bytes) long.
An RSA signature is always the same size as the key modulus, so the signature has to be 512 bytes.


Signature from SAML request:
echo Y5WZo/fl97iKIkZnMfeNMOr8iEwptuoYArMMSAQ5H9oTENV1EUAjlm8L6E2XGtvKhVCN0wlGgwSYIADsd84APhTwWNiMRlcZlNdW0EOgzN0rz60Re+PfXIeK8+hzbwf70ZMjnOewcS9Rormk5EAY8AQTwFwBhpkxElYWZ4/v/gEy1euMkuAUXkHmaq7YWW7oSnxQZE4UvE7pGuvh1Uh9W9jtyC2IfkOq6XKhZCYmM2z40gWCXdcV2kT32cC+b71qylt9ZbzXZ3wM5inTkiy11VRDQhj0fuo3/+xmQT86zNtpTnRsRVATi4FwmtzJ0BcR5e+RduqIFW0inOySXTd9UQ== | openssl base64 -d | wc -c
256

Details from Certificate used in the SAML2 Authn Request:

   Subject: C=DE, ST=Nordrhein-Westfalen, L=Suiburg, O=Gast AG, OU=LAB, CN=kgast.nam.local
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (4096 bit)


Additional Information

The service provider generates an incorrect signature in the SAML authentication request.
 
The signing process is:
  • canonicalize the XML document using the C14N standard
  • build a message hash using SHA-1 (a fixed 160-bit digest)
  • Base64-encode the digest for transport
  • sign with the RSA private key (encrypt the digest)
  • Base64-encode the signature for transport
 
Note: because the signature is the result of modular arithmetic with the RSA modulus, it has exactly the same size as the key:
  • 4096 bits => 512 bytes
  • 2048 bits => 256 bytes
  • 1024 bits => 128 bytes
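As an added illustration (not part of this TID and not Access Manager or service provider code), the following Python script performs the same length check the IDP logs above: it pulls the SignatureValue out of an AuthnRequest, reads the key size from the text output of openssl x509, and compares the decoded signature length with the byte length of the modulus. The signature string and the certificate lines are the ones quoted in this document; the AuthnRequest wrapper around the signature and its ID attribute are constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# SignatureValue quoted in the TID (decodes to 256 bytes).
SIGNATURE_B64 = (
    "Y5WZo/fl97iKIkZnMfeNMOr8iEwptuoYArMMSAQ5H9oTENV1EUAjlm8L6E2XGtvKhVCN0wlGgwSYIADs"
    "d84APhTwWNiMRlcZlNdW0EOgzN0rz60Re+PfXIeK8+hzbwf70ZMjnOewcS9Rormk5EAY8AQTwFwBhpkx"
    "ElYWZ4/v/gEy1euMkuAUXkHmaq7YWW7oSnxQZE4UvE7pGuvh1Uh9W9jtyC2IfkOq6XKhZCYmM2z40gWC"
    "XdcV2kT32cC+b71qylt9ZbzXZ3wM5inTkiy11VRDQhj0fuo3/+xmQT86zNtpTnRsRVATi4FwmtzJ0BcR"
    "5e+RduqIFW0inOySXTd9UQ=="
)

# Constructed AuthnRequest wrapper around that SignatureValue. Element names and
# namespaces are the real SAML 2.0 / XML-DSig ones; the ID value is made up.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0">'
    '<ds:Signature xmlns:ds="' + XMLDSIG_NS + '">'
    "<ds:SignedInfo/>"
    "<ds:SignatureValue>\n" + SIGNATURE_B64 + "\n</ds:SignatureValue>"
    "</ds:Signature>"
    "</samlp:AuthnRequest>"
)

# Excerpt in the format of `openssl x509 -text -noout`; values from the TID.
OPENSSL_CERT_TEXT = """\
        Subject: C=DE, ST=Nordrhein-Westfalen, L=Suiburg, O=Gast AG, OU=LAB, CN=kgast.nam.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
"""


def expected_signature_len(key_bits: int) -> int:
    """An RSA signature is the integer s = m^d mod n written as exactly k bytes,
    where k is the byte length of the modulus n (I2OSP in RFC 8017): 4096 -> 512."""
    return (key_bits + 7) // 8


def decoded_signature_len(sig_b64: str) -> int:
    """Byte length of a base64 SignatureValue; embedded line breaks are ignored."""
    return len(base64.b64decode("".join(sig_b64.split())))


def extract_signature_value(xml_text: str) -> str:
    """Return the text of the first ds:SignatureValue element in the document."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{{{XMLDSIG_NS}}}SignatureValue")
    if node is None or not node.text:
        raise ValueError("no ds:SignatureValue in document")
    return node.text


def key_bits_from_x509_text(cert_text: str) -> int:
    """Read the 'Public-Key: (N bit)' line that openssl x509 -text prints."""
    m = re.search(r"Public-Key:\s*\((\d+)\s*bit\)", cert_text)
    if not m:
        raise ValueError("no 'Public-Key: (N bit)' line found")
    return int(m.group(1))


def check_signature_length(sig_b64: str, key_bits: int) -> dict:
    got = decoded_signature_len(sig_b64)
    expected = expected_signature_len(key_bits)
    return {
        "ok": got == expected,
        "got": got,
        "expected": expected,
        # key size the signature is sized for (256 bytes -> 2048 bits)
        "implied_key_bits": got * 8,
    }


def check_authn_request(xml_text: str, cert_text: str) -> dict:
    return check_signature_length(extract_signature_value(xml_text),
                                  key_bits_from_x509_text(cert_text))


def format_finding(result: dict) -> str:
    """Wording mirrors the catalina.out message so the two are easy to correlate."""
    if result["ok"]:
        return f"Signature length OK: {result['got']} bytes"
    return (f"Signature length not correct: got {result['got']} but was "
            f"expecting {result['expected']} (signature sized for a "
            f"{result['implied_key_bits']}-bit key, certificate key is "
            f"{result['expected'] * 8}-bit)")


if __name__ == "__main__":
    print(format_finding(check_authn_request(SAMPLE_AUTHN_REQUEST, OPENSSL_CERT_TEXT)))
```

Run against a real request, replace SAMPLE_AUTHN_REQUEST with the decoded AuthnRequest from the NIDP debug log and OPENSSL_CERT_TEXT with the output of openssl x509 -text for the certificate in the SP metadata; a mismatch here is the same condition that makes the IDP answer RequestDenied.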