AAA, NAC, Guest Access & BYOD

Why do we receive an error "HTTP Status 403 - Failed to verify Idp signature" in clearpass version 6.4.1, when Idp certificate is selected for SSO?

by on ‎04-08-2015 04:44 AM

Environment : This KB holds valid for clearpass version 6.4.1

 

When Idp certificate is selected for SSO, and while accessing the SP, we receive an error "HTTP Status 403 - Failed to verify Idp signature" in clearpass version 6.4.1.

 

rtaImage.png

 

Receive an error "Failed to verify Idp signature" when Idp certificate is selected to the SSO setting in clearpass.

 

The Idp admin should add the certificate in the <keyinfo> element in the assertion part of SAML response, issue would be fixed.

 

To troubleshoot the issue, we use a SAML tracer tool. The authentication request and response are sent via the browser using the POST or Redirect profile. HTTP header output on the browser can be used to view these SAML request/responses. 
A SAML plugin for Firefox exists which has the ability to dump the decoded SAML communication protocol in a separate header, making it faster to troubleshoot. The plugin is available from https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/ and when installed, provides a ‘SAML Tracer’ option under tools as shown below:

 

rtaImage (1).png

Collect the SAML response from SAML tracer.
SAML response has two parts
1) SAML outer response.
2)Assertion.

Below is an example of a SAML response taken from SAML tracer:

 

rtaImage (2).png

 

Clearpass verifies if the signature has been included in assertion part of SAML response:
 

<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2"
    InResponseTo="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:05"
    Destination="https://sp.example.com/SAML2/SSO/POST">
    <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <samlp:Status>
      <samlp:StatusCode
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="identifier_3"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05">
      <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
      <!-- a POSTed assertion MUST be signed -->
      <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
      <saml:Subject>
        <saml:NameID
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
          3f7b3dcf-1674-4ecd-92c8-1544f346baf8
        </saml:NameID>
        <saml:SubjectConfirmation
          Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData
            InResponseTo="identifier_1"
            Recipient="https://sp.example.com/SAML2/SSO/POST"
            NotOnOrAfter="2004-12-05T09:27:05"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions
        NotBefore="2004-12-05T09:17:05"
        NotOnOrAfter="2004-12-05T09:27:05">
        <saml:AudienceRestriction>
          <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement
        AuthnInstant="2004-12-05T09:22:00"
        SessionIndex="identifier_3">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
         </saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  </samlp:Response>



If the Idp admin has the signature included in the outer response, the Idp admin should change and include the signature in the assertion part of SAML response.

If we receive the same error as below even after including the signature in the assertion part of SAML response:

 

rtaImage (3).png

 

Collect the CPPM logs with "Clearpass network services" service in debug and replicate the issue again.
Clearpass server logs can be collected by navigating to administration->server manager->server configuration. Click on "collect logs" to collect the server logs.
In the policy manager logs,navigate to tips-network-services->network-services.log.0.

In network-services.log.0, look for the post SAML response which would look like as shown below:

2014-11-06 21:57:47,796 [ajp-apr-8009-exec-8] [R:] DEBUG com.avenda.tips.webauthservice.reqhandlers.SamlSpReqHandler - [POST] HTTP Request uri=/networkservices/saml2/sp/acs
2014-11-06 21:57:47,801 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.opensaml.xml.signature.impl.SignatureUnmarshaller - Starting to unmarshall Apache XML-Security-based SignatureImpl element
2014-11-06 21:57:47,801 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.opensaml.xml.signature.impl.SignatureUnmarshaller - Constructing Apache XMLSignature object
2014-11-06 21:57:47,801 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("dsSmiley Frustratedignature", "")
2014-11-06 21:57:47,801 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("dsSmiley FrustratedignedInfo", "")
2014-11-06 21:57:47,802 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("dsSmiley FrustratedignatureMethod", "")
2014-11-06 21:57:47,802 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.opensaml.xml.signature.impl.SignatureUnmarshaller - Adding canonicalization and signing algorithms, and HMAC output length to Signature
2014-11-06 21:57:47,803 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] WARN  com.avenda.tips.webauthservice.reqhandlers.SamlSpReqHandler - KeyInfo not present in signature
2014-11-06 21:57:47,803 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] ERROR com.avenda.tips.webauthservice.reqhandlers.SamlSpReqHandler - Failed to verify signature, err: certs missing/invalid

2014-11-06 21:57:47,803 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG com.aruba.tips.statsdaccess.StatsClientAccess - Sending increment for stat=webauth.saml.sp.failure, value=1
2014-11-06 21:57:47,803 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG com.aruba.tips.statsdaccess.StatsClientAccess - Sending increment for stat=webauth.saml.sp.count, value=1
2014-11-06 21:57:47,803 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG com.aruba.tips.statsdaccess.StatsClientAccess - Sending StatsTimer for stat=webauth.saml.sp.time, value=7


On looking at the above logs, we see that "Keyinfo is not present in the signature". This means the Idp admin has to include the certificate in the signature in the <keyinfo> element in assertion. Once the Idp admin adds the certificate in the <keyinfo> element in the assertion part of SAML response, issue would be fixed.

Below is an example with the <keyinfo> element added in the assertion part of SAML response:

 

<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_33776a319493ad607b7ab3e689482e45"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:41">
    <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <ds:Signature>...</ds:Signature>
    <saml:Subject>
      <saml:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
        CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US
      </saml:NameID>
      <saml:SubjectConfirmation
        Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
        <saml:SubjectConfirmationData>
          <ds:KeyInfo>
            <ds:X509Data>
              <!-- principal's X.509 cert -->
              <ds:X509Certificate>
  MIICiDCCAXACCQDE+9eiWrm62jANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJV
  UzESMBAGA1UEChMJTkNTQS1URVNUMQ0wCwYDVQQLEwRVc2VyMRMwEQYDVQQDEwpT
  UC1TZXJ2aWNlMB4XDTA2MDcxNzIwMjE0MVoXDTA2MDcxODIwMjE0MVowSzELMAkG
  A1UEBhMCVVMxEjAQBgNVBAoTCU5DU0EtVEVTVDENMAsGA1UECxMEVXNlcjEZMBcG
  A1UEAwwQdHJzY2F2b0B1aXVjLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
  gYEAv9QMe4lRl3XbWPcflbCjGK9gty6zBJmp+tsaJINM0VaBaZ3t+tSXknelYife
  nCc2O3yaX76aq53QMXy+5wKQYe8Rzdw28Nv3a73wfjXJXoUhGkvERcscs9EfIWcC
  g2bHOg8uSh+Fbv3lHih4lBJ5MCS2buJfsR7dlr/xsadU2RcCAwEAATANBgkqhkiG
  9w0BAQQFAAOCAQEAdyIcMTob7TVkelfJ7+I1j0LO24UlKvbLzd2OPvcFTCv6fVHx
  Ejk0QxaZXJhreZ6+rIdiMXrEzlRdJEsNMxtDW8++sVp6avoB5EX1y3ez+CEAIL4g
  cjvKZUR4dMryWshWIBHKFFul+r7urUgvWI12KbMeE9KP+kiiiiTskLcKgFzngw1J
  selmHhTcTCrcDocn5yO2+d3dog52vSOtVFDBsBuvDixO2hv679JR6Hlqjtk4GExp
  E9iVI0wdPE038uQIJJTXlhsMMLvUGVh/c0ReJBn92Vj4dI/yy6PtY/8ncYLYNkjg
  oVN0J/ymOktn9lTlFyTiuY4OuJsZRO1+zWLy9g==
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- assertion lifetime constrained by principal's X.509 cert -->
    <saml:Conditions
      NotBefore="2006-07-17T20:31:41"
      NotOnOrAfter="2006-07-18T20:21:41">
    </saml:Conditions>
    <saml:AuthnStatement
      AuthnInstant="2006-07-17T20:31:41">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:2.5.4.42"
        FriendlyName="givenName">
        <saml:AttributeValue
          xsi:type="xs:string">Tom</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
        FriendlyName="mail">
        <saml:AttributeValue
          xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.