SAML signature validation: "unable to get local issuer certificate" with self-signed certificate

New Member

I have configured SAML authentication on Splunk. This works correctly with our ADFS TEST environment. Now when I plug Splunk into our PROD ADFS server, I receive the error:

Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert :D:\Splunk\etc\auth\idpCerts\idpCert.pem

And in the logs, I see in particular:

err=20;msg=unable to get local issuer certificate

If I go on my server, and execute the following openssl command:

D:\Splunk\bin>openssl.exe verify d:\Splunk\etc\auth\idpCerts\idpCert.pem

I receive the same error:

d:\Splunk\etc\auth\idpCerts\idpCert.pem: CN = sts.example.com - Token Signing Certificate
error 20 at 0 depth lookup:unable to get local issuer certificate

My "token signing certificate" is a self-signed certificate. However, it seems openssl thinks it is a certificate signed by a CA, hence the error, because of course I have no CA...
I tried to follow the answer here:
https://answers.splunk.com/answers/408134/saml-assertion-signature-verification-failed-unabl.html

Same error. I also tried to give my certificate twice to Splunk (cert_1.pem and cert_2.pem in a folder idpCertChain_1; I was hoping Splunk would validate the leaf with the "fake CA"); it does not work either.

So my question is: how can I configure Splunk to accept my certificate? Actually Splunk does not need to validate my certificate at all. It should simply get the public key from the file, and use it to validate the SAML token sent by the IdP.
But I see no option "disable token signing cert validation"?
Any ideas?

Path Finder

@matthieuch I am facing the same error. Did you find resolution for this error?

New Member

@arrangineni actually my PROD certificate was invalid. It had an invalid parameter that could not be used by openssl (the underlying SSL library used by Splunk). See this SO question for details: https://security.stackexchange.com/questions/178396/remove-x509v3-extensions-from-pem-file

Super Champion

Check here for disabling that -- authentication.conf:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Authenticationconf

signAuthnRequest = [ true | false ]
* OPTIONAL
* This tells Splunk whether to sign AuthNRequests.
* Defaults to true.

New Member

Thanks for your input, unfortunately this is not what I'm looking for. This parameter specifies whether the request to the IdP is signed or not. What I want is to disable verification of the certificate when the response is received. Note: I do NOT want to disable verification of the signature, only validation of the "idpCert.pem" certificate.

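The openssl checks discussed in this thread, as an added example that is not code from Splunk or from any poster. It assumes the openssl CLI is on PATH and takes the certificate path as its first argument; the sample certificate it generates is constructed, not the poster's.

```shell
#!/bin/sh
# Added diagnostic for an IdP token-signing cert (not Splunk's or the poster's
# code); assumes the openssl CLI is on PATH. A bare "openssl verify" never
# accepts a self-signed cert: error 18 means it saw the cert as its own issuer,
# error 20 (no issuer found) means subject/issuer differ or a broken extension
# kept it from being treated as self-signed, as the poster found. The real
# check is verifying the cert against itself as the only trust anchor.
# Print "self-signed" when subject equals issuer, otherwise "ca-issued".
cert_issuer_kind() {
  subject=$(openssl x509 -in "$1" -noout -subject) || return 1
  issuer=$(openssl x509 -in "$1" -noout -issuer) || return 1
  if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# Print the numeric error of a bare "openssl verify" (18, 20, ...), or 0 when
# the cert chains to the default trust store.
bare_verify_error() {
  out=$(openssl verify "$1" 2>&1) && { echo 0; return 0; }
  echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Verify using only the cert itself as trust anchor ("trust exactly this IdP
# certificate"); exit status is openssl's.
verify_as_own_anchor() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Show the X509v3 extensions openssl could parse; a malformed one shows up
# as garbage here or makes the parse fail outright.
list_extensions() {
  openssl x509 -in "$1" -noout -text | sed -n '/X509v3 extensions:/,/Signature Algorithm:/p'
}

# Constructed sample: a self-signed cert shaped like an ADFS token-signing cert.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=sts.example.com - Token Signing Certificate" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

if [ $# -gt 0 ]; then   # usage: sh check_idp_cert.sh idpCert.pem
  echo "issuer kind:        $(cert_issuer_kind "$1")"
  echo "bare verify error:  $(bare_verify_error "$1")"
  verify_as_own_anchor "$1" && echo "own-anchor verify:  ok" || echo "own-anchor verify:  FAILED"
  list_extensions "$1"
fi
```

A genuine self-signed cert reports 18 on the bare verify and "ok" on the own-anchor verify; a 20 on a cert that should be self-signed points at a subject/issuer mismatch or an extension openssl cannot parse.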