Environment: This KB applies to ClearPass version 6.4.1.
When the IdP certificate is selected in the SSO settings and the SP is then accessed, ClearPass 6.4.1 returns the error "HTTP Status 403 - Failed to verify Idp signature".
The fix is on the IdP side: the IdP admin must include the IdP signing certificate in the <ds:KeyInfo> element of the <ds:Signature> on the assertion part of the SAML response. Once that is done, the error goes away.
To troubleshoot, capture the SAML exchange with a SAML tracer tool. The authentication request and response travel through the browser using the HTTP POST or HTTP Redirect binding, so both messages can be read from the browser's HTTP traffic.
A SAML plugin for Firefox can decode the SAML messages and show them in a separate pane, which makes troubleshooting faster. The plugin is available from https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/ and, once installed, adds a 'SAML Tracer' option under the Tools menu.
Collect the SAML response from SAML Tracer.
A SAML response has two parts:
1) The outer SAML Response.
2) The Assertion.
Below is an example of a SAML response as captured in SAML Tracer. ClearPass verifies the signature on the assertion part of the SAML response, so the <ds:Signature> element must be a child of <saml:Assertion> (not only of <samlp:Response>), as in this example:
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_2"
InResponseTo="identifier_1"
Version="2.0"
IssueInstant="2004-12-05T09:22:05"
Destination="https://sp.example.com/SAML2/SSO/POST">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_3"
Version="2.0"
IssueInstant="2004-12-05T09:22:05">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<!-- a POSTed assertion MUST be signed -->
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="identifier_1"
Recipient="https://sp.example.com/SAML2/SSO/POST"
NotOnOrAfter="2004-12-05T09:27:05"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions
NotBefore="2004-12-05T09:17:05"
NotOnOrAfter="2004-12-05T09:27:05">
<saml:AudienceRestriction>
<saml:Audience>https://sp.example.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement
AuthnInstant="2004-12-05T09:22:00"
SessionIndex="identifier_3">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
If the IdP currently places the signature only on the outer response, the IdP admin should change the IdP configuration so that the assertion part of the SAML response is signed.
If the same error is still received after the assertion is signed:
Collect the CPPM logs with the "ClearPass Network Services" service set to DEBUG log level and reproduce the issue.
ClearPass server logs can be collected by navigating to Administration -> Server Manager -> Server Configuration and clicking "Collect Logs".
In the Policy Manager logs, open tips-network-services -> network-services.log.0.
In network-services.log.0, look for the POST of the SAML response to the assertion consumer service (/networkservices/saml2/sp/acs), which looks like the following:
2014-11-06 21:57:47,796 [ajp-apr-8009-exec-8] [R:] DEBUG com.avenda.tips.webauthservice.reqhandlers.SamlSpReqHandler - [POST] HTTP Request uri=/networkservices/saml2/sp/acs
2014-11-06 21:57:47,801 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.opensaml.xml.signature.impl.SignatureUnmarshaller - Starting to unmarshall Apache XML-Security-based SignatureImpl element
2014-11-06 21:57:47,801 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.opensaml.xml.signature.impl.SignatureUnmarshaller - Constructing Apache XMLSignature object
2014-11-06 21:57:47,801 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Signature", "")
2014-11-06 21:57:47,801 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignedInfo", "")
2014-11-06 21:57:47,802 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignatureMethod", "")
2014-11-06 21:57:47,802 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG org.opensaml.xml.signature.impl.SignatureUnmarshaller - Adding canonicalization and signing algorithms, and HMAC output length to Signature
2014-11-06 21:57:47,803 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] WARN com.avenda.tips.webauthservice.reqhandlers.SamlSpReqHandler - KeyInfo not present in signature
2014-11-06 21:57:47,803 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] ERROR com.avenda.tips.webauthservice.reqhandlers.SamlSpReqHandler - Failed to verify signature, err: certs missing/invalid
2014-11-06 21:57:47,803 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG com.aruba.tips.statsdaccess.StatsClientAccess - Sending increment for stat=webauth.saml.sp.failure, value=1
2014-11-06 21:57:47,803 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG com.aruba.tips.statsdaccess.StatsClientAccess - Sending increment for stat=webauth.saml.sp.count, value=1
2014-11-06 21:57:47,803 [ajp-apr-8009-exec-8] [R:W00000077-01-545beedb] DEBUG com.aruba.tips.statsdaccess.StatsClientAccess - Sending StatsTimer for stat=webauth.saml.sp.time, value=7
In the log above, the WARN line "KeyInfo not present in signature" is immediately followed by "Failed to verify signature, err: certs missing/invalid". ClearPass looks up the signing certificate in the <ds:KeyInfo> element of the assertion's <ds:Signature>; when it is absent there is no certificate to verify against, and the 403 is returned. The IdP admin therefore has to configure the IdP to include its signing certificate (as <ds:X509Certificate> inside <ds:KeyInfo>) in the signature on the assertion part of the SAML response. Once that is done, the issue is fixed.
Below is an example of a signed assertion. The element ClearPass checks is the <ds:KeyInfo> inside <ds:Signature>; the <ds:KeyInfo> under <saml:SubjectConfirmationData> in this holder-of-key example carries the principal's certificate, which is a different thing and does not satisfy the check:
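To make both checks from this KB repeatable (is the signature on the Assertion rather than only on the outer Response, and does that signature carry a <ds:KeyInfo> with an X.509 certificate), here is an added example script that is not part of this KB or of ClearPass. It takes the SAMLResponse value as copied from SAML Tracer (base64 as posted, or the decoded XML) and reports which of the two fixes applies. It only inspects placement and KeyInfo presence; it does not verify the signature cryptographically. The sample responses, host names, IDs and base64 values in it are constructed placeholders.

```python
"""Added example (not from the ClearPass KB): locate the ds:Signature in a SAML 2.0
Response and check whether the assertion's signature carries
ds:KeyInfo/ds:X509Data/ds:X509Certificate, the element behind the
"KeyInfo not present in signature" log line.

Input: the SAMLResponse POST parameter as copied from SAML Tracer (base64 of the
XML) or the already-decoded XML. Samples below are constructed placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS, SAML = "{%s}" % NS["ds"], "{%s}" % NS["saml"]


def decode_saml_response(value: str) -> str:
    """Return XML text: accept raw XML or the base64 form seen in the POST body."""
    value = value.strip()
    if value.startswith("<"):
        return value
    return base64.b64decode(value).decode("utf-8")


def inspect_signatures(xml_text: str) -> dict:
    """Report which element carries ds:Signature and whether the assertion
    signature includes a ds:KeyInfo with a non-empty X509Certificate."""
    root = ET.fromstring(xml_text)
    result = {"response_signed": False,
              "assertion_signed": False,
              "assertion_keyinfo_cert": False}
    # Only direct children count: a ds:Signature nested inside the assertion
    # does not sign the outer Response.
    if root.find(f"{DS}Signature") is not None:
        result["response_signed"] = True
    for assertion in root.findall(f"{SAML}Assertion"):
        sig = assertion.find(f"{DS}Signature")
        if sig is None:
            continue
        result["assertion_signed"] = True
        # The KeyInfo must sit inside ds:Signature; a KeyInfo under
        # SubjectConfirmationData (holder-of-key) is not the signing cert.
        cert = sig.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
        if cert is not None and (cert.text or "").strip():
            result["assertion_keyinfo_cert"] = True
    return result


def diagnose(xml_text: str) -> str:
    """Map the findings onto the two fixes the KB describes."""
    r = inspect_signatures(xml_text)
    if not r["assertion_signed"]:
        if r["response_signed"]:
            return "outer Response signed only: IdP must sign the Assertion"
        return "no XML signature found"
    if not r["assertion_keyinfo_cert"]:
        return ("Assertion signed but ds:KeyInfo/X509Certificate missing: "
                "matches 'KeyInfo not present in signature'")
    return "Assertion signed and KeyInfo certificate present"


# --- constructed samples (placeholders, not a real IdP's output) -------------
def _response(sig_in_response: str, sig_in_assertion: str) -> str:
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" ID="id2" Version="2.0" '
        'IssueInstant="2014-11-06T21:57:47Z">'
        "<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>"
        f"{sig_in_response}"
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="id3" Version="2.0" IssueInstant="2014-11-06T21:57:47Z">'
        "<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>"
        f"{sig_in_assertion}"
        "<saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )


SIG_NO_KEYINFO = ("<ds:Signature><ds:SignedInfo/>"
                  "<ds:SignatureValue>c2lnLi4u</ds:SignatureValue></ds:Signature>")
SIG_WITH_KEYINFO = ("<ds:Signature><ds:SignedInfo/>"
                    "<ds:SignatureValue>c2lnLi4u</ds:SignatureValue>"
                    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>TUlJQy4uLg=="
                    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>")

SAMPLE_OUTER_ONLY = _response(SIG_NO_KEYINFO, "")
SAMPLE_ASSERTION_NO_KEYINFO = _response("", SIG_NO_KEYINFO)
SAMPLE_ASSERTION_OK = _response("", SIG_WITH_KEYINFO)
# base64 form, as the SAMLResponse parameter appears in SAML Tracer
SAMPLE_ASSERTION_OK_B64 = base64.b64encode(SAMPLE_ASSERTION_OK.encode()).decode()

if __name__ == "__main__":
    for name, sample in [("outer only", SAMPLE_OUTER_ONLY),
                         ("assertion, no KeyInfo", SAMPLE_ASSERTION_NO_KEYINFO),
                         ("assertion, KeyInfo", SAMPLE_ASSERTION_OK_B64)]:
        print(f"{name}: {diagnose(decode_saml_response(sample))}")
```

Paste the real SAMLResponse value from SAML Tracer in place of one of the samples; the first two verdicts correspond to the two IdP-side changes described in this KB.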
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
ID="_33776a319493ad607b7ab3e689482e45"
Version="2.0"
IssueInstant="2006-07-17T20:31:41">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<ds:Signature>
<ds:SignedInfo>...</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<!-- IdP signing cert; this is the KeyInfo ClearPass checks -->
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml:SubjectConfirmationData>
<ds:KeyInfo>
<ds:X509Data>
<!-- principal's X.509 cert -->
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- assertion lifetime constrained by principal's X.509 cert -->
<saml:Conditions
NotBefore="2006-07-17T20:31:41"
NotOnOrAfter="2006-07-18T20:21:41">
</saml:Conditions>
<saml:AuthnStatement
AuthnInstant="2006-07-17T20:31:41">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
x500:Encoding="LDAP"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:2.5.4.42"
FriendlyName="givenName">
<saml:AttributeValue
xsi:type="xs:string">Tom</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
x500:Encoding="LDAP"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
FriendlyName="mail">
<saml:AttributeValue
xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>