Security

Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert

jawaj30860
New Member

I have configured SAML 2.0 SSO with our own IdP.
My local splunk app http://khal:8000/ successfully redirect to Assertion consumer URL. Then I enter user and pass there and get an error message on spunk login page:

Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert

Here is /opt/splunk/var/log/splunk/splunkd.log:

11-27-2019 16:59:30.229 +0200 ERROR XmlParser - func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=341:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: subject=/CN=selfSi
gned; issuer=/CN=selfSignedCA; err=20; msg=unable to get local issuer certificate
11-27-2019 16:59:30.229 +0200 ERROR XmlParser - func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=380:obj=x509-store:subj=unknown:error=71:certificate verification failed:subject=/CN=selfSigned; issuer=/CN=s
elfSignedCA; err=20; msg=unable to get local issuer certificate
11-27-2019 16:59:30.229 +0200 ERROR XmlParser - func=xmlSecOpenSSLKeyDataX509VerifyAndExtractKey:file=x509.c:line=1505:obj=x509:subj=unknown:error=72:certificate is not found:details=NULL
11-27-2019 16:59:30.229 +0200 ERROR XmlParser - func=xmlSecOpenSSLKeyDataX509XmlRead:file=x509.c:line=655:obj=x509:subj=xmlSecOpenSSLKeyDataX509VerifyAndExtractKey:error=1:xmlsec library function failed: 
11-27-2019 16:59:30.229 +0200 ERROR XmlParser - func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=117:obj=x509:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=X509Data
11-27-2019 16:59:30.229 +0200 ERROR XmlParser - func=xmlSecKeysMngrGetKey:file=keys.c:line=1230:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo
11-27-2019 16:59:30.229 +0200 ERROR XmlParser - func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
11-27-2019 16:59:30.229 +0200 ERROR XmlParser - func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: 
11-27-2019 16:59:30.229 +0200 ERROR XmlParser - func=xmlSecDSigCtxVerify:file=xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed: 
11-27-2019 16:59:30.229 +0200 ERROR Saml - Error: Failed to verify signature with cert :/opt/splunk/etc/auth/idpCerts/idpCert.pem;
11-27-2019 16:59:30.229 +0200 ERROR Saml -  Unable to verify Saml document 
11-27-2019 16:59:30.229 +0200 ERROR UiSAML - Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert 

Here is /opt/splunk/etc/system/local/authentication.conf:

[saml]
entityId = splunkEntityId
fqdn = http://khal
idpSLOUrl = https://idp.cloud.imprivata.com/BOE/saml2/slo/post
idpSSOUrl = https://idp.cloud.imprivata.com/BOE/saml2/sso/post
inboundSignatureAlgorithm = RSA-SHA1;RSA-SHA256
issuerId = https://idp.cloud.imprivata.com/BOE/saml2
redirectPort = 8000
replicateCertificates = true
signAuthnRequest = true
signatureAlgorithm = RSA-SHA256
signedAssertion = true
sloBinding = HTTP-POST
sslKeysfile = /opt/splunk/etc/auth/server.pem
sslKeysfilePassword = $7$3creInbv0FSAruNBlecI/Ax+eJmCOy2kaKaGi/AYzwNChCylHgv/cQ==
ssoBinding = HTTP-POST

Environment:
OS: 18.04.1-Ubuntu.
Splunk Enterprise: splunk-7.3.3-7af3758d0d5e-linux-2.6-amd64 and splunk-8.0.0-1357bef0a7f6-linux-2.6-amd64

P.S: We are using self signed certificates, so answer in https://answers.splunk.com/answers/543221/problem-with-saml-cert-error-uisaml-verification-o.html doesn't apply.

Tags (2)
0 Karma

ericnewman
Explorer

In our case we were configuring Splunk for SAML authentication with Ping as the identity provider (IDP) with Splunk Enterprise version 8.2.7.1. After extensive troubleshooting we discovered that we needed a few check boxes in the Ping certificate configuration.

  • INCLUDE THE CERTIFICATE IN THE SIGNATURE <KEYINFO> ELEMENT
  • INCLUDE THE RAW KEY IN THE SIGNATURE <KEYVALUE> ELEMENT

PingCertificateConfiguration.PNG

We discovered this after comparing the SAMLResponse between a working and non-working environment and noticing that the KeyInfo data was missing in the 

 

 

<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[CERTIFICATE TEXT REDACTED]
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>[MODULUS TEXT REDACTED]
</ds:Modulus>
<ds:Exponent>AQAB
</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo> 

 

 



0 Karma

jkat54
SplunkTrust
SplunkTrust

It's complaining about your splunkd tls certificate

You need valid ssl certs on the splunk daemon for this to work properly.

Please work with your certificates team to get a valid tls cert for your splunk server. Then install it properly and this error should go away (assuming the idP is trusting the CA that issues your cert).

0 Karma

jawaj30860
New Member

Thanks for responding. Can you please be more specific and provide more details . I don't understand what is the relation between splunkd tls certificate with SAML exchange? It's a sandbox and I use self signed certificates.

0 Karma

jkat54
SplunkTrust
SplunkTrust

You'll find it's nearly impossible to use self signed for saml.

Perhaps if you want to load splunks certs in trusted root stores on all your sandboxed devices... I suppose it could work....

Is your identity provider in your sandbox as well?

0 Karma

jawaj30860
New Member

IdP is on remote server in cloud while I have local instance of Splunk Enterprise where I test it out.

0 Karma

jkat54
SplunkTrust
SplunkTrust

You'll want use a "valid" cert however you choose how to make it "valid" is up to you.

0 Karma

jkat54
SplunkTrust
SplunkTrust

You could configure the idP to trust the server.pem file you're specifying in your [saml] stanza for example

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...