
SAML signature validation: "unable to get local issuer certificate" with self-signed certificate

matthieuch
New Member

I have configured SAML authentication on Splunk. This works correctly with our ADFS TEST environment. Now when I plug Splunk into our PROD ADFS server, I receive the error:

Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert :D:\Splunk\etc\auth\idpCerts\idpCert.pem

And in the logs, I see in particular:

err=20;msg=unable to get local issuer certificate

If I go on my server, and execute the following openssl command:

D:\Splunk\bin>openssl.exe verify d:\Splunk\etc\auth\idpCerts\idpCert.pem

I receive the same error:

d:\Splunk\etc\auth\idpCerts\idpCert.pem: CN = sts.example.com - Token Signing Certificate
error 20 at 0 depth lookup:unable to get local issuer certificate

My "token signing certificate" is a self-signed certificate. However it seems openssl thinks it is a certificate signed by a CA, hence the error, because of course I have no CA...
I tried to follow the answer here:
https://answers.splunk.com/answers/408134/saml-assertion-signature-verification-failed-unabl.html

Same error. I also tried to give my certificate twice to Splunk (cert_1.pem and cert_2.pem in a folder idpCertChain_1; I was hoping Splunk would validate the leaf with the "fake CA"), it does not work either.

So my question is: how can I configure Splunk to accept my certificate? Actually Splunk does not need to validate my certificate at all. It should simply get the public key from the file, and use it to validate the SAML token sent by the IdP.
But I see no option "disable token signing cert validation"?
Any ideas?

0 Karma

arrangineni
Path Finder

@matthieuch I am facing the same error. Did you find a resolution for this error?

0 Karma

matthieuch
New Member

@arrangineni actually my PROD certificate was invalid. It had an invalid parameter that could not be used by openssl (the underlying SSL library used by Splunk). See this SO question for details: https://security.stackexchange.com/questions/178396/remove-x509v3-extensions-from-pem-file

0 Karma
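The openssl checks from the question and from the resolution above, written out as an added example (not code from the thread, from Splunk, or from the poster). It assumes a POSIX shell with the openssl command-line tool (1.1.1 or 3.x) and generates a placeholder self-signed certificate with a made-up CN so it runs offline. It separates openssl's error 18 (a self-signed certificate that is simply not in the trust store) from the error 20 seen in the question (openssl could not match the certificate to an issuer, which for a certificate that is supposed to be self-signed points at a subject/issuer or extension openssl cannot use, as the poster found). It also shows that passing the IdP certificate itself as the trust anchor with -CAfile is how a verifier that trusts that certificate directly validates it, and lists the X509v3 extensions so a malformed one can be spotted.

```shell
#!/bin/sh
# Added example for this thread, not the poster's nor Splunk's code.
# Assumes a POSIX shell and the openssl command-line tool (1.1.1 or 3.x).
set -eu

# Build a throwaway self-signed certificate so the checks run offline.
# Constructed sample data: the CN is a placeholder, not the poster's IdP.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=sts.example.test Token Signing Certificate" \
    -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Prints "self-signed" when subject and issuer match, else "ca-issued".
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# Runs "openssl verify" with the given arguments and prints "ok" on success,
# otherwise the numeric X509 error (18 = self-signed cert not trusted,
# 20 = no issuer could be found or matched, the code from the question).
verify_code() {
  code=$(openssl verify "$@" 2>&1 \
    | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -z "$code" ]; then echo ok; else echo "$code"; fi
}

# Lists the X509v3 extensions; an extension openssl cannot use (the root
# cause reported in the thread) shows up here or breaks the parse outright.
list_extensions() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 extensions:/,/Signature Algorithm/p'
}

# Extracts the bare public key, which is all the assertion-signature check needs.
extract_pubkey() {
  openssl x509 -in "$1" -noout -pubkey
}

# Demo: run every check on a generated certificate.
demo() {
  tmp=$(mktemp -d)
  cert="$tmp/idpCert.pem"
  make_sample_cert "$cert"
  echo "kind:             $(cert_kind "$cert")"                      # self-signed
  echo "bare verify:      $(verify_code "$cert")"                    # 18
  echo "verify as anchor: $(verify_code -CAfile "$cert" "$cert")"    # ok
  list_extensions "$cert"
  extract_pubkey "$cert" | head -n 1
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` on a throwaway certificate, or point `verify_code` and `list_extensions` at the real idpCert.pem: a self-signed token-signing certificate should return 18 on the bare verify and ok when used as its own -CAfile; a 20 on the bare verify means openssl does not even recognise the certificate as self-issued, so the certificate itself, not the trust store, is what to inspect.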

DavidHourani
Super Champion

Check here for disabling that -- authentication.conf :
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Authenticationconf

signAuthnRequest = [ true | false ]
* OPTIONAL
* This tells Splunk whether to sign AuthNRequests.
* Defaults to true.
0 Karma

matthieuch
New Member

Thanks for your input, unfortunately this is not what I'm looking for. This parameter specifies whether the request to the IdP is signed or not. What I want is to disable verification of the certificate when the response is received. Note: I do NOT want to disable verification of the signature, only validation of the "idpCert.pem" certificate.

0 Karma