
SAML signature validation: "unable to get local issuer certificate" with self-signed certificate

matthieuch
New Member

I have configured SAML authentication on Splunk. This works correctly with our ADFS TEST environment. Now when I plug Splunk into our PROD ADFS server, I receive the error:

Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert :D:\Splunk\etc\auth\idpCerts\idpCert.pem

And in the logs, I see in particular:

err=20;msg=unable to get local issuer certificate

If I go on my server, and execute the following openssl command:

D:\Splunk\bin>openssl.exe verify d:\Splunk\etc\auth\idpCerts\idpCert.pem

I receive the same error:

d:\Splunk\etc\auth\idpCerts\idpCert.pem: CN = sts.example.com - Token Signing Certificate
error 20 at 0 depth lookup:unable to get local issuer certificate

My "token signing certificate" is a self-signed certificate. However, it seems openssl thinks it is a certificate signed by a CA, hence the error, because of course I have no CA...
I tried to follow the answer here:
https://answers.splunk.com/answers/408134/saml-assertion-signature-verification-failed-unabl.html

Same error. I also tried to give my certificate twice to Splunk (cert_1.pem and cert_2.pem in a folder idpCertChain_1; I was hoping Splunk would validate the leaf with the "fake CA"), it does not work either.

So my question is: how can I configure Splunk to accept my certificate? Actually Splunk does not need to validate my certificate at all. It should simply get the public key from the file, and use it to validate the SAML token sent by the IdP.
But I see no option "disable token signing cert validation"?
Any ideas?


arrangineni
Path Finder

@matthieuch I am facing the same error. Did you find resolution for this error?


matthieuch
New Member

@arrangineni actually my PROD certificate was invalid. It had an invalid parameter that could not be used by openssl (the underlying SSL library used by Splunk). See this SO question for details: https://security.stackexchange.com/questions/178396/remove-x509v3-extensions-from-pem-file

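The openssl behaviour discussed in the question and the resolution above, as an added example that is not part of this thread: it builds two throwaway certificates (constructed samples, openssl assumed on PATH) and shows that a well-formed self-signed certificate yields error 18, not the error 20 the poster saw, while a certificate whose issuer openssl cannot find at all yields error 20. A "self-signed" certificate that fails `is_self_issued` or fails `verify_code` against itself is the case where its X509v3 extensions need inspecting.

```shell
# Added diagnostic, not code from the thread. Builds two throwaway certs and
# shows which openssl verify error each one yields: 18 = self-signed cert that
# openssl recognises as its own issuer; 20 = openssl finds no issuer at all.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a well-formed self-signed token-signing certificate.
make_selfsigned() {  # $1 = output path
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=sts.example.com - Token Signing Certificate" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Constructed sample: a leaf issued by a private CA that no trust store knows.
make_ca_issued() {  # $1 = output path
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Private CA" \
    -keyout "$1.ca.key" -out "$1.ca" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sts.example.com" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$1.ca" -CAkey "$1.ca.key" \
    -CAcreateserial -days 1 -out "$1" >/dev/null 2>&1
}

# Prints the X509 verify error number openssl reports, or 0 when it says OK.
# Usage: verify_code cert.pem [trust.pem]  (trust.pem is passed as -CAfile)
verify_code() {
  if [ $# -ge 2 ]; then set -- -CAfile "$2" "$1"; fi
  out=$(openssl verify "$@" 2>&1) || :
  case "$out" in
    *": OK"*) echo 0 ;;
    *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

# True when issuer == subject, i.e. the cert at least claims to be self-signed.
# A cert that fails this, or fails verify_code against itself, will never chain.
is_self_issued() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ]
}

SELF="$WORK/idpCert.pem"; LEAF="$WORK/leaf.pem"
make_selfsigned "$SELF"; make_ca_issued "$LEAF"
echo "self-signed, no trust store  : error $(verify_code "$SELF")"          # 18
echo "self-signed, trusted as root : error $(verify_code "$SELF" "$SELF")"  # 0
echo "CA-issued, issuer unknown    : error $(verify_code "$LEAF")"          # 20
```

Pointing `verify_code` and `is_self_issued` at the real idpCert.pem reproduces the poster's check: error 18 alone is harmless for a self-signed token-signing cert, whereas error 20 or an issuer/subject mismatch means the file itself is malformed.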

DavidHourani
Super Champion

Check here for disabling that -- authentication.conf:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Authenticationconf

signAuthnRequest = [ true | false ]
* OPTIONAL
* This tells Splunk whether to sign AuthNRequests.
* Defaults to true.

matthieuch
New Member

Thanks for your input, unfortunately this is not what I'm looking for. This parameter specifies whether the request to the IdP is signed or not. What I want is to disable verification of the certificate when the response is received. Note: I do NOT want to disable verification of the signature, only validation of the "idpCert.pem" certificate.
