Symantec Access Management


Tech Tip : Cannot do an SP initiated transaction by using cert that contains non ASCII chars.

  • 1.  Tech Tip : Cannot do an SP initiated transaction by using cert that contains non ASCII chars.

    Posted Sep 01, 2017 10:42 AM

    Issue

    When doing an SP initiated transaction with the AuthnRequest signed by a third party:

    It works fine if the third party is using a standard cert, but it fails when using a cert that contains non-ASCII chars in the IssuerDN.

    From the SP logs/traces generated:


    FWSTrace: 

    [07/12/2016][09:38:22][4484][1176][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1] 

    [07/12/2016][09:38:22][4484][1176][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][AssertionConsumer.java][redirectLoginFailure][AuthReason=50] 

    [07/12/2016][09:38:22][4484][1176][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][AssertionConsumer.java][redirectLoginFailure][Redirect Mode="0" URL="null"] 

    [07/12/2016][09:38:22][4484][1176][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500] 

    [07/12/2016][09:38:22][4484][1176][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: 156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7 failed. Reason: ACS_FAILED_PROCESS_FAILURE] 


    -- 

    smtraces (PS) 

    [2108][3112][07/12/2016][15:08:22][15:08:22.752][Getting Assertion by ID: _f571d44e26039fb37b2efb38c609a1e4fb1e][Saml2Validator.java][checkAssertion][][][][][][][][][][][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 

    [2108][3112][07/12/2016][15:08:22][15:08:22.759][Could not get certificate from trusted key database (IssuerName: CN="Toto titi/emailAdress=toto@test.se", O=MyNetwork AB, L=Trollhättan, ST=Västra Götalands Län, C=SE Serial Number: a123456) ][Saml2Validator.java][verifyXML][][][][][][][][][][][156f0175-de2507da-4910b6ef-162b08cf-3b12ec13-f7][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 

    [2108][3112][07/12/2016][15:08:22][15:08:22.760][Exception while verifying signature: 

    This issue can also occur when signing an assertion with certs containing non-ASCII chars.

    Environment

    IDP SiteMinder : 12.52.104.2032 on Windows 2008 R2
    Custom SP

    Resolution

    This issue is fixed in R12.52 SP1 CR06:

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr06#DefectsFixedin12.52SP1CR06-PolicyServer


    Encrypting the assertion throws an error on the IDP side when the cert contains non-ASCII characters in the IssuerDN.

    00370648 - DE197591

    00449759 - DE187115

    00413584 - DE172081

    00380676 - DE163488

    00337693 - DE156901

    00328269 - DE144249

    00444984 - DE186346


    KD: TEC1478522
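    To triage whether a failed signature verification in smtrace matches this defect before patching, the following added Python script (not part of the tip or of the product) parses the "Could not get certificate from trusted key database" lines and reports which RDNs of the IssuerName contain non-ASCII characters. The sample trace lines are constructed, modelled on the ones quoted above; the line layout after the message field is trimmed for readability.

```python
import re

# Constructed sample smtrace lines, modelled on the trace in the tip (trailing [] fields trimmed).
SAMPLE_TRACE = """\
[2108][3112][07/12/2016][15:08:22][15:08:22.759][Could not get certificate from trusted key database (IssuerName: CN="Toto titi/emailAdress=toto@test.se", O=MyNetwork AB, L=Trollhättan, ST=Västra Götalands Län, C=SE Serial Number: a123456) ][Saml2Validator.java][verifyXML]
[2108][3112][07/12/2016][15:08:23][15:08:23.101][Could not get certificate from trusted key database (IssuerName: CN=Plain Issuer, O=Example Corp, C=SE Serial Number: 0abc) ][Saml2Validator.java][verifyXML]
[2108][3112][07/12/2016][15:08:24][15:08:24.002][Getting Assertion by ID: _abc][Saml2Validator.java][checkAssertion]
"""

LOOKUP_FAILURE = "Could not get certificate from trusted key database"
# Captures the DN text between "IssuerName:" and "Serial Number:", plus the serial itself.
ISSUER_RE = re.compile(r"IssuerName:\s*(?P<dn>.*?)\s+Serial Number:\s*(?P<serial>\S+)\s*\)")


def split_rdns(dn):
    """Split a DN string on commas that are not inside double quotes (quoted CN values may contain commas)."""
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf).strip())
    return parts


def non_ascii_rdns(dn):
    """Return the RDNs whose text contains at least one character outside 7-bit ASCII."""
    return [rdn for rdn in split_rdns(dn) if any(ord(c) > 127 for c in rdn)]


def triage_trace(text):
    """Scan smtrace text for trusted-key-database lookup failures and flag issuer DNs with non-ASCII RDNs."""
    findings = []
    for line in text.splitlines():
        if LOOKUP_FAILURE not in line:
            continue
        m = ISSUER_RE.search(line)
        if not m:
            continue  # message present but DN not in the expected layout; skip rather than guess
        bad = non_ascii_rdns(m.group("dn"))
        findings.append({"issuer": m.group("dn"), "serial": m.group("serial"),
                         "non_ascii_rdns": bad, "matches_known_defect": bool(bad)})
    return findings


if __name__ == "__main__":
    for f in triage_trace(SAMPLE_TRACE):
        print(f)
```

    A lookup failure whose issuer DN is flagged here is consistent with the defect fixed in R12.52 SP1 CR06; an unflagged failure points at an ordinary missing or mismatched cert in the trusted key database.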



  • 2.  Re: Tech Tip : Cannot do an SP initiated transaction by using cert that contains non ASCII chars.