I have configured SAML authentication on Splunk. This works correctly with our ADFS TEST environment. Now when I plug Splunk to our PROD ADFS server, I receive the error:
Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert :D:\Splunk\etc\auth\idpCerts\idpCert.pem
And in the logs, I see in particular:
err=20;msg=unable to get local issuer certificate
If I go on my server, and execute the following openssl command:
D:\Splunk\bin>openssl.exe verify d:\Splunk\etc\auth\idpCerts\idpCert.pem
I receive the same error:
d:\Splunk\etc\auth\idpCerts\idpCert.pem: CN = sts.example.com - Token Signing Certificate error 20 at 0 depth lookup:unable to get local issuer certificate
My "token signing certificate" is a self-signed certificate. However, it seems openssl thinks it is a certificate signed by a CA, hence the error, because of course I have no CA...
I tried to follow the answer here:
Same error. I also tried to give my certificate twice to Splunk (cert_1.pem and cert_2.pem in a folder idpCertChain_1; I was hoping Splunk would validate the leaf with the "fake CA"), it does not work either.
So my question is: how can I configure Splunk to accept my certificate? Actually Splunk does not need to validate my certificate at all. It should simply get the public key from the file, and use it to validate the SAML token sent by the IdP.
But I see no option "disable token signing cert validation"?
@arrangineni actually my PROD certificate was invalid. It had an invalid parameter that could not be used by openssl (the underlying SSL library used by Splunk). See this SO question for details: https://security.stackexchange.com/questions/178396/remove-x509v3-extensions-from-pem-file
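The openssl checks from the question, reproduced on a constructed self-signed certificate as an added example (this is not code from the thread, from Splunk, or from ADFS). It shows that a plain openssl verify rejects a self-signed certificate simply because no trust anchor is configured, while passing the certificate as its own CA file verifies its signature against its own public key; if that second check fails, the certificate itself is malformed, which matches the diagnosis in the comment above. The file names, the CN and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Generates a throwaway self-signed certificate shaped like an ADFS
# token-signing cert and runs the checks a SAML SP operator cares about.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/idpCert.pem"   # constructed; stands in for etc/auth/idpCerts/idpCert.pem
KEY="$WORK/idpKey.pem"     # constructed; the IdP's private key, never shared with the SP

# Throwaway self-signed certificate (assumed CN, one-day validity).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" -days 1 \
    -subj "/CN=sts.example.com - Token Signing Certificate" >/dev/null 2>&1

# Plain `openssl verify` treats the file as a leaf that must chain to a CA in
# the system trust store. A self-signed IdP cert is not there, so this fails
# even when the certificate is perfectly valid.
verify_against_system_store() {
    if openssl verify "$1" >/dev/null 2>&1; then echo "trusted"; else echo "untrusted"; fi
}

# Naming the certificate as its own trust anchor makes openssl check the
# signature with the certificate's own public key. This succeeds for a
# well-formed self-signed cert and fails if the cert is malformed, expired,
# or its issuer does not actually match its subject.
verify_self_signed() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo "ok"; else echo "fail"; fi
}

# Cheap structural check: a self-signed certificate has issuer == subject.
# Works with both the "subject=CN = ..." and older "subject= /CN=..." formats.
is_self_signed() {
    subj="$(openssl x509 -in "$1" -noout -subject)"
    iss="$(openssl x509 -in "$1" -noout -issuer)"
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo "yes" || echo "no"
}

# The SP only needs the public key to verify assertion signatures; this is
# the part of the file that actually matters for SAML.
public_key_header() {
    openssl x509 -in "$1" -noout -pubkey | head -n 1
}

echo "system store verify : $(verify_against_system_store "$CERT")"
echo "self-anchored verify: $(verify_self_signed "$CERT")"
echo "issuer == subject   : $(is_self_signed "$CERT")"
echo "public key          : $(public_key_header "$CERT")"
```

On a healthy self-signed token-signing certificate the first check reports untrusted and the second ok; a certificate that fails the self-anchored check with "unable to get local issuer certificate" is not being recognised as its own issuer, which points at the certificate's contents rather than at any Splunk setting.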
Check here for disabling that -- authentication.conf :
signAuthnRequest = [ true | false ]
* OPTIONAL
* This tells Splunk whether to sign AuthNRequests.
* Defaults to true.
Thanks for your input, unfortunately this is not what I'm looking for. This parameter specifies whether the request to the IdP is signed or not. What I want is to disable verification of the certificate when the response is received. Note: I do NOT want to disable verification of the signature, only validation of the "idpCert.pem" certificate.