"Invalid signature" error in "Multi provider single sign-on"

Subhrajit2
Giga Contributor

Hi All,

We have enabled and configured the Multi provider single sign-on plugin in IP5HF1 and deactivated the old SAML installation exits. After configuring the SAML2 Update 1 properties for our IDP, when we send the signed authentication request, the IDP rejects it, throwing "Invalid signature" in the SAML response. The following errors are thrown in the system logs.

[screenshot of the system log errors, not reproduced]

The issue is that the system is not signing the authentication request when sending it to the IDP, although the appropriate certificate and keystore are configured in the "saml2_update1_properties" record and the "Sign authentication request" checkbox is checked.

Does anybody have any idea what is causing this issue?

Regards,

Subhrajit


corina
ServiceNow Employee

Hello Subhrajit.

I think the real error you should concentrate on is that the status code is urn:oasis:names:tc:SAML:2.0:status:Responder, when it is supposed to be urn:oasis:names:tc:SAML:2.0:status:Success.

The signature one is just a warning.

And the error I just mentioned means you should contact your IDP admin, who should check the configuration more closely. Something should be wrong there; you can eventually ask them to check the claim rules.



Hi Corina,



Thanks for the reply. I have checked with our IDP admin on the error. It looks like the right combination of certificates is not being used for the handshake between the IDP and the ServiceNow instance, which is causing this issue. I am working with both IDP and ServiceNow support to find the root cause of these errors. On a similar note, do you know if Multi provider single sign-on supports keystore records in both "jks" and "pfx" format?



Regards,


Subhrajit


corina
ServiceNow Employee

Hello Subhrajit.



I could not find this documented, but from what I was able to gather, jks is the only supported one.


Hi Corina,



Finally, I figured it out.


If the "require_signed_authnrequest" and "require_signed_logoutrequest" fields are checked on the identity provider configuration record, the system signs the authentication request (both login and logout) using the certificate stored within the private keystore record (.jks format). This embedded certificate should match the certificate configured in the IDP configuration so that the IDP can recognize and validate the signed authentication request.



The real issue is that most organizations use a valid trusted public certificate for signing (not the cert present inside the keystore, which is not trusted), and the private keystore does not contain that public cert by default. We have to use the Java keytool or another relevant tool to import the public cert into the keystore to complete the chain.



This is a big architectural design change between the older SAML2 plugin and the new multi provider single sign-on plugin, which is nowhere documented.



Hope this will help others who want to use certificates in the multi-SSO plugin.



Regards,


Subhrajit
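The two checks this thread turned on, Corina's point that the SAML Response status code (Responder instead of Success) is the real error and Subhrajit's finding that the certificate embedded in the signed AuthnRequest must be the one the IDP was configured with, can be scripted as a small offline diagnostic. The example below is added here and is not ServiceNow code or anything from the multi-provider SSO plugin; the XML messages, the SP entity ID `https://sp.example.com`, the `RequestDenied` second-level status and the "certificate" byte strings are all constructed placeholders (the byte strings are not real DER certificates; only their fingerprints are compared). It reports the full StatusCode chain and StatusMessage from a Response, and flags a request that is unsigned or signed with a certificate whose SHA-256 fingerprint differs from the one configured at the IDP.

```python
# Added diagnostic example (not ServiceNow's code). It checks the two things the
# thread above turned on: the SAML Response status code, and whether the cert
# embedded in the signed AuthnRequest matches the cert configured at the IDP.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"


def fingerprint(der_bytes):
    """SHA-256 fingerprint of DER certificate bytes (what keytool -list -v prints)."""
    return hashlib.sha256(der_bytes).hexdigest()


def make_request(cert_der=None):
    """Constructed AuthnRequest; carries a Signature with the cert if cert_der is given."""
    signature = ""
    if cert_der is not None:
        b64 = base64.b64encode(cert_der).decode()
        signature = (
            "<ds:Signature><ds:SignedInfo/>"
            "<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>"
            "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>" + b64 +
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        )
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'ID="_req1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z">'
        "<saml:Issuer>https://sp.example.com</saml:Issuer>"  # hypothetical SP entity ID
        + signature + "</samlp:AuthnRequest>"
    )


def make_response(codes, message=None):
    """Constructed SAML Response whose StatusCode chain nests the given codes in order."""
    inner = ""
    for code in reversed(codes):
        inner = '<samlp:StatusCode Value="%s">%s</samlp:StatusCode>' % (code, inner)
    msg = "<samlp:StatusMessage>%s</samlp:StatusMessage>" % message if message else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_resp1" Version="2.0" IssueInstant="2017-01-01T00:00:01Z">'
        "<samlp:Status>" + inner + msg + "</samlp:Status></samlp:Response>"
    )


def response_status(xml_text):
    """Return (list of StatusCode values, outermost first; StatusMessage or None)."""
    root = ET.fromstring(xml_text)
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)  # second-level code, if any
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return codes, (msg.text if msg is not None else None)


def embedded_cert_fingerprint(xml_text):
    """Fingerprint of the cert in the request's Signature/KeyInfo, or None if unsigned."""
    root = ET.fromstring(xml_text)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        return None
    return fingerprint(base64.b64decode("".join(cert.text.split())))


def diagnose(request_xml, response_xml, idp_configured_fp):
    """Findings a defender would act on; an empty list means the exchange looks healthy."""
    findings = []
    codes, message = response_status(response_xml)
    if codes[:1] != [SUCCESS]:
        findings.append("IDP status %s (message: %s); have the IDP admin check its config"
                        % (" > ".join(codes), message))
    fp = embedded_cert_fingerprint(request_xml)
    if fp is None:
        findings.append("AuthnRequest is unsigned; check the sign/require-signed settings")
    elif fp != idp_configured_fp:
        findings.append("signing cert %s... differs from the cert configured at the IDP "
                        "(%s...); import that cert into the JKS keystore"
                        % (fp[:16], idp_configured_fp[:16]))
    return findings


# Constructed placeholder "certificates": not real DER, only their fingerprints matter.
KEYSTORE_CERT_DER = b"constructed-placeholder-cert-inside-the-jks-keystore"
IDP_CERT_DER = b"constructed-placeholder-cert-configured-at-the-idp"

if __name__ == "__main__":
    failing = diagnose(make_request(KEYSTORE_CERT_DER),
                       make_response([RESPONDER, REQUEST_DENIED], "Invalid signature"),
                       fingerprint(IDP_CERT_DER))
    for finding in failing:
        print("FINDING:", finding)
    print("after importing the IDP cert:",
          diagnose(make_request(IDP_CERT_DER), make_response([SUCCESS]), fingerprint(IDP_CERT_DER)))
```

To get the real fingerprint on the keystore side, `keytool -list -v -keystore <file>.jks` prints the SHA-256 fingerprint of each entry as colon-separated uppercase hex, so strip the colons and lowercase it before comparing with the value this script derives from the request; the fingerprint of the cert the IDP trusts comes from the IDP's own relying-party configuration.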