CAST Console - Authentication - SAML - org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed

This page will help you solve problems with the CAST AIP Console SAML configuration where you are not able to access AIP Console via SAML authentication.

CAST AIP Console is a front end web application which provides a means to configure, run, and manage CAST AIP analyses on multiple analysis machines.

For more information, refer to:

The AIP Console SAML configuration is described in: SAML authentication

Release | Yes/No
1.x | Yes
2.x | Yes

RDBMS | Yes/No
Oracle Server | N/A
Microsoft SQL Server | N/A
CSS3 | N/A
CSS2 | N/A

Error Logs

In the GUI, a Whitelabel error page is displayed.

In the Webi error logs, the following error appears:

03:50:25.900 [https-jsse-nio-443-exec-8] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid

org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid

Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed

 

Reason

"Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed"

is a SAML signature verification error.

It indicates that one side of the SAML partnership does not have the correct key or certificate, or is otherwise misconfigured.

The IDP digitally signs the payload (the SAML Assertion) with its private key, and the Console verifies that signature using the IDP certificate it holds.

The certificate must match the signing key.

If the receiver (AIP Console) has the wrong certificate, or a certificate that does not correspond to the signing key (for example, after the IDP rotated its signing certificate), this signature validation error is raised.

So, check your keys.
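To illustrate the key/certificate check described above (and the action plan that follows), here is an added Python diagnostic that is not CAST's code: it compares the SHA-256 fingerprints of the signing certificates in the IDP MetaData file held by the Console against the certificate the IDP embedded in the SAMLResponse's ds:KeyInfo. The MetaData, the response skeleton and the certificate blobs are constructed placeholders; the script does not verify the XML signature itself, only whether the Console holds a certificate that matches the signer.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
X509_PATH = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"
# Constructed placeholder "certificates": base64 of short byte strings, not real DER.
CERT_A = base64.b64encode(b"constructed-idp-signing-cert-current").decode()
CERT_B = base64.b64encode(b"constructed-idp-encryption-cert").decode()
CERT_C = base64.b64encode(b"constructed-idp-signing-cert-rotated").decode()
# Constructed IDP MetaData as it would sit in AipConsole/data: one signing cert, one encryption cert.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def saml_response(cert: str) -> str:
    """Constructed skeleton of a signed SAMLResponse: the signer's cert travels in ds:KeyInfo."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""

def fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate; ignores the line wrapping metadata often has."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def metadata_signing_fingerprints(metadata_xml: str) -> set:
    """Certs the Console may verify signatures with: KeyDescriptor use="signing" or no use attribute."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            fps.update(fingerprint(c.text) for c in kd.iterfind(X509_PATH, NS))
    return fps

def response_signing_fingerprints(response_xml: str) -> set:
    """Certs embedded in any ds:Signature of the response or its assertion."""
    root = ET.fromstring(response_xml)
    return {fingerprint(c.text) for c in root.iterfind(".//ds:Signature/" + X509_PATH, NS)}

def keys_match(metadata_xml: str, response_xml: str) -> bool:
    """True when the signer's cert is one the Console trusts; False is the mismatch behind the error."""
    return bool(metadata_signing_fingerprints(metadata_xml) & response_signing_fingerprints(response_xml))
```

On a real installation, load the MetaData XML from the AipConsole/data folder and the decoded SAMLResponse captured from the browser (the Webi DEBUG log above shows the filter that processes it) in place of the constructed strings.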

 

Action Plan

Perform the following actions:

  1. The issue occurs because of a key mismatch: the IDP digitally signs the payload (SAML Assertion) with its key, and the receiving party (AIP Console) verifies the signature using the IDP certificate. The certificate needs to match the key. If the receiver has the wrong certificate, or a certificate that does not correspond to the signing key, you get this kind of signature validation error. Check that the certificate in the IDP MetaData held by the Console is the one the IDP currently signs with.

- IDP MetaData generation

You must request the IDP MetaData from the Identity Provider you will use. In general, this is provided as an XML file, which must be stored in the following location:

Windows: <console_installation>\AipConsole\data
Linux: $HOME/CAST/AipConsole/data

You can also configure the Console to fetch MetaData as follows:

 

Relevant input

 

Ticket # 36491

 

SAML authentication

 
