
Ministry of Education Saudi Arabia
Last activity: 28 Jan 2019 8:03 EST
SAML Assertion signature verification failed
Brief Description:
SAML Assertion signature verification failed
Detailed Description:
Problem verifying and validating the token while authenticating with SAML. The user gets an error on screen: “Unable to process the SAML WebSSO request: You're not authorized to access application name the application”.
We installed the HFIX-42795.jar hotfix some time back to support the WS-Fed protocol.
HFIX-42795: Parsing the RSTR token and processing the SAML assertion is performed in step 5, using the new processSAMLv2Assertion Java method imported into Pega via the hotfix provided by Pega Engineering (HFix-42795).
It was working fine for some time, and since yesterday it has been giving an error in all environments. We didn't make any changes or move any code.
Steps to Reproduce:
Log in as a user via the SSO URL.
The error is shown to the user; a screenshot is attached along with the Java code which is failing.
Error Message:
From logs we found the error:
"SAML Assertion signature verification failed : SAML token security failure"
- Start Authentication step10 getMessage : SAML Assertion signature verification failed : SAML token security failure
Activity: pyWSFedWebSSOAuthenticationActivity
Step: Java step to validate and process the SAML response, extract the required attribute values and store the assertion in a local variable
Line of code causing error:
attributesMap = pega.getSAMLUtils().processSAMLv2Assertion(assertion, truststore);
processSAMLv2Assertion calls 2 methods:
oLog.debug("Trying to validate SAML assertion signature");
SamlAssertionWrapper assertionWrapper = new SamlAssertionWrapper(assertion);
SAMLv2ResponseProtocolValidator validator = new SAMLv2ResponseProtocolValidator();
KeyStore keystore = KeyStoreUtilsImpl.getInstance(ThreadContainer.get()).getKeystore(truststore);
Attempted Solutions:
Verified the certificate; it is valid and not expired.
The same certificate works fine from .NET and other applications.
The issue occurs in the SSO activity "pyWSFedWebSSOAuthenticationActivity".
Research & Solution:
The time difference between the authentication server and the Pega server is 3 hours, which is causing the issue. When the token is returned, the authentication service sends Valid From and Valid To (60 min) along with the token. Because of the time difference the current time does not fall within the time period provided by the authentication service, so we were getting the error.
We had a call with Pega and got the classes (which are part of the hotfix source code) to be traced; after tracing we found that the current date/time does not fall between Valid From and Valid To.
After syncing the time between the servers the issue was resolved.
Follow Up Question / Enhancement Request:
Apart from Pega, the other applications in the organization work fine even though there is a time difference between the servers.
This is because they are configured in such a way that they accept a 3-hour difference, but in Pega we are not able to do this as it comes from Apache code which defaults to 60 seconds.
When we checked the source code of the class, it adds a FutureTTL of 60 seconds to the actual timings, and it is a fixed value.
Is it possible to make newFutureTTL a configurable setting on the server side so that we can manage the time difference effectively?
Or is there a better way to manage the server time difference in Pega?
***Moderator Edit-Vidyaranjan: Updated FDBK ID***
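The validity-window check that the Research & Solution section describes, written out as an added example (editor's code, not the post's, Pega's or Apache's): it evaluates the NotBefore/NotOnOrAfter attributes of <saml:Conditions> against the relying party's clock with a fixed skew allowance, and shows why a 3-hour clock offset is rejected under a 60-second allowance, is accepted once the clocks are in sync, and is accepted again only if the allowance is widened to 3 hours. The sample assertion, its issue time, the function names and the ISSUE_INSTANT/SAMPLE_ASSERTION constants are constructed for illustration; the 60-second default mirrors the fixed value the post reports. Only the Conditions step is modelled here; signature verification, which runs before it, is out of scope for this example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Fixed clock-skew allowance, mirroring the 60-second value the post reports
# as hard-coded in the validator shipped with the hotfix.
DEFAULT_SKEW = timedelta(seconds=60)

# Constructed sample (not taken from the post): the IdP issues the assertion at
# 12:00Z with the 60-minute validity window the post describes. The Signature
# element is omitted because only the Conditions check is modelled here.
ISSUE_INSTANT = datetime(2019, 1, 28, 12, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2019-01-28T12:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2019-01-28T12:00:00Z" NotOnOrAfter="2019-01-28T13:00:00Z"/>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse an xs:dateTime as SAML uses it (UTC, 'Z' suffix) into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    instant = datetime.fromisoformat(value)
    if instant.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone")
    return instant.astimezone(timezone.utc)


def check_conditions(assertion_xml, now, skew=DEFAULT_SKEW):
    """Evaluate <saml:Conditions> against the relying party's clock `now`.

    Accepts the assertion when NotBefore - skew <= now < NotOnOrAfter + skew.
    Returns (ok, reason) so a caller can log why a token was rejected instead
    of surfacing only a generic "token security failure".
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "assertion carries no Conditions element"

    not_before = conditions.get("NotBefore")
    if not_before is not None:
        earliest = parse_saml_instant(not_before) - skew
        if now < earliest:
            return False, (f"not yet valid: now={now.isoformat()} "
                           f"NotBefore={not_before} skew={skew}")

    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is not None:
        latest = parse_saml_instant(not_on_or_after) + skew
        if now >= latest:
            return False, (f"expired: now={now.isoformat()} "
                           f"NotOnOrAfter={not_on_or_after} skew={skew}")

    return True, "within validity window"


def run_scenario(sp_offset_seconds, skew_seconds=60):
    """Check SAMPLE_ASSERTION as seen by a relying party whose clock is
    `sp_offset_seconds` away from the IdP's at issue time, allowing
    `skew_seconds` on each side of the window."""
    sp_now = ISSUE_INSTANT + timedelta(seconds=sp_offset_seconds)
    return check_conditions(SAMPLE_ASSERTION, sp_now, timedelta(seconds=skew_seconds))


if __name__ == "__main__":
    scenarios = [
        ("clocks in sync, 5 min after issue", 300, 60),
        ("SP clock 3 h behind IdP, 60 s skew", -3 * 3600, 60),
        ("SP clock 3 h ahead of IdP, 60 s skew", 3 * 3600, 60),
        ("SP clock 3 h behind, skew widened to 3 h", -3 * 3600, 3 * 3600),
    ]
    for label, offset, skew in scenarios:
        ok, reason = run_scenario(offset, skew)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {label}: {reason}")
```

Syncing both servers to the same time source (NTP) is the fix that removes the problem; widening the skew allowance to 3 hours, as the follow-up question asks, also widens by 3 hours the window in which a captured assertion can be replayed, so if a configurable value is introduced it should stay in the order of minutes and the clock drift should still be corrected.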