Symantec SiteMinder


Tech Tip - CA Single Sign-On: SLO failed with error "Issuer is not found; unable to verify signature"

By wonsa03 posted Sep 13, 2016 01:50 AM

  

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 13th September 2016

 

Issue: 

IdP-initiated Single Logout (SLO) fails with the following errors:

 

== AffWebserv.log ==

[12237/127507312][Thu Sep 08 2016 23:22:20][SLOService.java][ERROR][sm-FedClient-02180] "Error occurred during single logout.  Message:  Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81

 

== FWSTrace.log ==

[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogout][
TUNNEL STATUS:
   status  : 21
   message : Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:
http://idp.com:81]
[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogout][Output from Tunnel call:status=0&providerID=http://idp.com:81&isPOST=false&isSOAPEnabled=false;relayState=]
[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogoutFailure][Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81]

 

== PS trace ==

[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java][tunnelHandler][1235dbac-56b8da1a-dcb1a6b3-05a0f3a7-cd62cb45-6eb][Returning from SLO tunnel. Status: status=21&message=Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81]
[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java][tunnelHandler][1235dbac-56b8da1a-dcb1a6b3-05a0f3a7-cd62cb45-6eb][Returning from SLO tunnel. Response: status=0&providerID=http://idp.com:81&isPOST=false&isSOAPEnabled=false;relayState=null]

 

Environment:

Policy Server: R12.52 SP1 CR5

Webagent & WAOP: R12.52 SP1 CR5

 

Cause:

A tunnel status of 21 indicates an unknown issuer.

 

The SLO Service location URL specifies the URL of the single logout service at the remote partner, which is where the single logout request is sent.

 

Hence, in this use case, the customer (as IdP) should have the following as the SLO Service URL:

http://<sp_host:port>/affwebservices/public/saml2slo

 

Instead, the customer specified the IdP host in the SLO Service URL, which caused the unknown issuer error.

 

Resolution:

To resolve the error, update the SLO Service URL so that it points to the SP host, in the IdP->SP partnership >> 4. SSO and SLO >> SLO settings.
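The following triage script is an added example, not part of the original tech tip or the product: it pulls the issuer out of status 21 SLO tunnel lines and checks a configured SLO Service URL against it. It assumes the issuer value in the log is a URL on the IdP host; the function names and the sp.example.com URL are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# PS trace lines from the excerpt above, trimmed to handler name and message.
PS_STATUS = (
    "[SingleLogoutTunnelServiceHandler.java][tunnelHandler]"
    "[Returning from SLO tunnel. Status: status=21&message=Issuer is not found; "
    "unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= "
    "Issuer: null:http://idp.com:81]"
)
PS_RESPONSE = (
    "[SingleLogoutTunnelServiceHandler.java][tunnelHandler]"
    "[Returning from SLO tunnel. Response: status=0&providerID=http://idp.com:81"
    "&isPOST=false&isSOAPEnabled=false;relayState=null]"
)

SLO_PATH = "/affwebservices/public/saml2slo"  # path given in this tech tip
STATUS_RE = re.compile(r"SLO tunnel\. Status: status=(\d+)&")
ISSUER_RE = re.compile(r"Issuer: \S*?(https?://[^\s\]]+)")

def find_unknown_issuers(lines):
    """Return the issuer URL from every SLO tunnel line reporting status 21."""
    issuers = []
    for line in lines:
        status = STATUS_RE.search(line)
        issuer = ISSUER_RE.search(line)
        if status and status.group(1) == "21" and issuer:
            issuers.append(issuer.group(1))
    return issuers

def origin(url):
    """Reduce a URL to (host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.hostname or "").lower(), port

def check_slo_url(slo_url, idp_url):
    """List problems with the SLO Service URL set in the IdP->SP partnership."""
    problems = []
    if origin(slo_url) == origin(idp_url):  # assumption: idp_url is on the IdP host
        problems.append("SLO Service URL points at the IdP's own host, not the SP")
    if urlsplit(slo_url).path.rstrip("/") != SLO_PATH:
        problems.append("path is not " + SLO_PATH)
    return problems

if __name__ == "__main__":
    for idp in find_unknown_issuers([PS_STATUS, PS_RESPONSE]):
        # Constructed misconfiguration: the IdP host used as the SLO target.
        print(idp, check_slo_url(idp + SLO_PATH, idp))
```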
