Access Manager IDP returns request denied on SAML2 Authentication request from SP

  • 7023557
  • 04-Dec-2018
  • 04-Dec-2018


  • Access Manager 4.4
  • Access Manager 4.4.3


  • The IDP server returns a request denied after processing a SAML2 Authentication request:

        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
        </samlp:StatusCode>


  • Configured NIDP cluster logging options:
       Enable File Logging
       Echo To Console
       Component File Logger Levels:
          Application, Liberty, SAML2: debug

  • The following warning is logged in catalina.out:

    AM verify
    INFO: Verification successful for URI "#_95c318e1dd5dfeee1063ac4bdb952edb7568a4908b"
    Warning: Invalid resource key: Signature length not correct: got 256 but was expecting 512. No prefix!


The 3rd-party SAML2 service provider required a fix to calculate the correct signature.


The SAML Authentication request carries a signature of 256 bytes, but the RSA key used to sign the SHA message digest is 4096 bits (512 bytes) long.
The signature has to be 512 bytes, the same size as the RSA key.

Signature from the SAML request (decoded length in bytes):
echo Y5WZo/fl97iKIkZnMfeNMOr8iEwptuoYArMMSAQ5H9oTENV1EUAjlm8L6E2XGtvKhVCN0wlGgwSYIADsd84APhTwWNiMRlcZlNdW0EOgzN0rz60Re+PfXIeK8+hzbwf70ZMjnOewcS9Rormk5EAY8AQTwFwBhpkxElYWZ4/v/gEy1euMkuAUXkHmaq7YWW7oSnxQZE4UvE7pGuvh1Uh9W9jtyC2IfkOq6XKhZCYmM2z40gWCXdcV2kT32cC+b71qylt9ZbzXZ3wM5inTkiy11VRDQhj0fuo3/+xmQT86zNtpTnRsRVATi4FwmtzJ0BcR5e+RduqIFW0inOySXTd9UQ== | openssl base64 -d | wc -c

Details from Certificate used in the SAML2 Authn Request:

   Subject: C=DE, ST=Nordrhein-Westfalen, L=Suiburg, O=Gast AG, OU=LAB, CN=kgast.nam.local
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (4096 bit)

Additional Information

The service provider generates a wrong signature in the SAML authentication request.
The process is:
  • canonicalize the XML document using the C14N standard
  • build a message hash using SHA-1 (a fixed 160-bit digest)
  • Base64-encode the digest for transport
  • sign the digest with the RSA private key (encrypt the digest)
  • Base64-encode the signature for transport
Note: because an RSA signature is computed modulo the key's modulus, it has exactly the same size as the key used:
  • 4096 bits => 512 bytes
  • 2048 bits => 256 bytes
  • 1024 bits => 128 bytes
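The following Go program is an added example (not Access Manager or NIDP code) that reproduces the two sides of the process above with the standard library: the SP's SHA-1/RSA PKCS#1 v1.5 signing step done correctly, and the IDP-side check that produced the "Signature length not correct" warning. The keys and the canonical SignedInfo bytes are constructed inline; the mismatch case signs with a 2048-bit key while the certificate key is 4096 bits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
)

// SignSAMLDigest: SP side of the process above, done correctly. SHA-1 over the
// canonicalised SignedInfo, RSA PKCS#1 v1.5 with the SP key, base64 for
// transport. The signature is an integer mod n written over the full modulus
// length, so its decoded size is always priv.Size() bytes (4096 bits => 512).
func SignSAMLDigest(priv *rsa.PrivateKey, canonicalSignedInfo []byte) (string, error) {
	digest := sha1.Sum(canonicalSignedInfo)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// CheckSignatureLength: the IDP-side check behind the catalina.out warning.
// Decodes the base64 SignatureValue and requires it to be exactly as long as
// the modulus of the key in the SP certificate. Returns the decoded length.
func CheckSignatureLength(sigB64 string, signer *rsa.PublicKey) (int, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return 0, fmt.Errorf("SignatureValue is not valid base64: %w", err)
	}
	if got, want := len(sig), signer.Size(); got != want {
		return got, fmt.Errorf("Signature length not correct: got %d but was expecting %d", got, want)
	}
	return len(sig), nil
}

func main() {
	// Constructed scenario (hypothetical keys): the SP certificate holds a
	// 4096-bit key, but the request was signed with a 2048-bit key.
	certKey, _ := rsa.GenerateKey(rand.Reader, 4096)
	wrongKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	info := []byte("<ds:SignedInfo>constructed canonical XML</ds:SignedInfo>")
	sig, _ := SignSAMLDigest(wrongKey, info)
	_, err := CheckSignatureLength(sig, &certKey.PublicKey)
	fmt.Println(err) // Signature length not correct: got 256 but was expecting 512
	sig, _ = SignSAMLDigest(certKey, info)
	n, err := CheckSignatureLength(sig, &certKey.PublicKey)
	fmt.Println(n, err) // 512 <nil>
}
```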