SecureAuth IdP Version Affected: All
Description:
When the IdP tries to encrypt a SAML assertion, the following error is seen:
In the Browser:
Error: at ComponentSpace.SAML2.Assertions.EncryptedAssertion..ctor(XmlElement samlAssertion, X509Certificate2 x509Certificate, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod)
at MFC.SAML20.SAMLUtil.EncryptAssertion(XmlElement xmlSAMLAssertion, String SAMLEncryptionCert, String SAMLKeyEncryptionMethod, String SAMLEncryptionMethod)
at MFC.WebApp.SecureAuth.SAML20IdPInit.CreateSAMLResponse(String sUser, String UserID)
at MFC.WebApp.SecureAuth.SAML20IdPInit.Page_Load(Object sender, EventArgs e)
In the Audit log:
SAML20IdPInit exception error: Failed to encrypt SAML assertion., stack: at ComponentSpace.SAML2.Assertions.EncryptedAssertion..ctor(XmlElement samlAssertion, X509Certificate2 x509Certificate, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod)
at MFC.SAML20.SAMLUtil.EncryptAssertion(XmlElement xmlSAMLAssertion, String SAMLEncryptionCert, String SAMLKeyEncryptionMethod, String SAMLEncryptionMethod)
at MFC.WebApp.SecureAuth.SAML20IdPInit.CreateSAMLResponse(String sUser, String UserID)
at MFC.WebApp.SecureAuth.SAML20IdPInit.Page_Load(Object sender, EventArgs e)
Cause:
Either the encryption certificate was pasted incorrectly (for example with the PEM header and footer lines left in, or with characters dropped or added while copying), so it cannot be loaded as an X.509 certificate, or SAML Data Encryption Method / SAML Key Encryption Method is set to a hashing algorithm such as SHA-1 or SHA-256. A hash is a one-way digest, not a cipher: it cannot encrypt the assertion or wrap the session key, so the EncryptedAssertion constructor in the stack trace above throws.
Resolution:
- In the Post Authentication tab, set SAML Data Encryption Method to a cipher such as AES, and set SAML Key Encryption Method to an encryption algorithm as well (RSA key transport such as RSA-OAEP, since it wraps the session key with the certificate's public key). Neither setting may be SHA or any other hashing algorithm.
- When pasting the certificate in Base64 format into the "Encryption Cert" box in the Post Authentication tab, don't forget to remove the header and footer lines saying:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Paste only the Base64 body between them (a DER-encoded certificate in Base64 normally begins with MII) and check that no characters were lost or added when copying.
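The following PowerShell script is an added example, not SecureAuth or ComponentSpace code. It pre-flights the two settings this article names as causes of the error before they are saved in the Post Authentication tab: it loads the text destined for the "Encryption Cert" box through the same .NET X509Certificate2 class that fails in the stack trace, flags PEM header/footer lines, and rejects a hash algorithm offered as an encryption method. It assumes the two method settings are expressed as XML Encryption algorithm URIs (SecureAuth's drop-down names may differ; map them accordingly), and it generates a throw-away self-signed certificate as constructed sample input because no real SP certificate is on this page. It needs Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7 on Windows, for the CertificateRequest and RSACng classes.

```powershell
# Added example (not SecureAuth code): pre-flight the SAML encryption settings that this
# article says cause "Failed to encrypt SAML assertion". Assumption: method settings are
# XML Encryption algorithm URIs. Requires .NET Framework 4.7.2+ or PowerShell 7 on Windows.

# XML Encryption algorithms that actually encrypt (usable for the assertion body).
$DataEncryptionUris = @(
    'http://www.w3.org/2001/04/xmlenc#aes128-cbc',
    'http://www.w3.org/2001/04/xmlenc#aes192-cbc',
    'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
    'http://www.w3.org/2009/xmlenc11#aes128-gcm',
    'http://www.w3.org/2009/xmlenc11#aes256-gcm',
    'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'
)
# Key transport algorithms that wrap the session key with the certificate's RSA public key.
$KeyEncryptionUris = @(
    'http://www.w3.org/2001/04/xmlenc#rsa-1_5',
    'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
    'http://www.w3.org/2009/xmlenc11#rsa-oaep'
)
# Digest algorithms: valid inside XML Signature, never as an encryption method.
$HashUris = @(
    'http://www.w3.org/2000/09/xmldsig#sha1',
    'http://www.w3.org/2001/04/xmlenc#sha256',
    'http://www.w3.org/2001/04/xmldsig-more#sha384',
    'http://www.w3.org/2001/04/xmlenc#sha512'
)

function Test-SamlEncryptionMethod {
    # Returns $null when $Uri is acceptable for $Setting, otherwise a one-line explanation.
    param([string]$Setting, [string]$Uri, [string[]]$Allowed)
    if ($HashUris -contains $Uri) {
        return "$Setting is set to a hashing algorithm ($Uri); a digest cannot encrypt anything. Choose a cipher such as AES."
    }
    if ($Allowed -notcontains $Uri) {
        return "$Setting value '$Uri' is not an XML Encryption algorithm this check recognises."
    }
    return $null
}

function Test-PastedEncryptionCert {
    # Returns the problems found in the text about to be pasted; nothing returned means it is usable.
    param([string]$Pasted)
    $problems = @()
    if ($Pasted -match '-----(BEGIN|END) CERTIFICATE-----') {
        $problems += 'PEM header/footer present: remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.'
    }
    # Strip the PEM lines and whitespace so the certificate underneath can still be inspected.
    $b64 = ($Pasted -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    try {
        $der  = [Convert]::FromBase64String($b64)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    } catch {
        $problems += "Text does not decode to an X.509 certificate (look for missing or extra characters): $($_.Exception.Message)"
        return $problems
    }
    if ($cert.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') {   # rsaEncryption OID
        $problems += "Public key is $($cert.PublicKey.Oid.FriendlyName), but RSA key transport needs an RSA key."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $problems += "Certificate expired on $($cert.NotAfter)."
    }
    return $problems
}

# --- Constructed sample input: a throw-away self-signed certificate, not a real SP certificate. ---
$rsa = [System.Security.Cryptography.RSACng]::new(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
           'CN=kb-sample-sp', $rsa,
           [System.Security.Cryptography.HashAlgorithmName]::SHA256,
           [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddYears(1))
$body   = [Convert]::ToBase64String($sample.Export('Cert'), 'InsertLineBreaks')
$withHeaders = "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----"

foreach ($case in @(@{ Name = 'pasted with header/footer'; Text = $withHeaders },
                    @{ Name = 'pasted as bare Base64';      Text = $body })) {
    $issues = Test-PastedEncryptionCert -Pasted $case.Text
    if ($issues) { $issues | ForEach-Object { "[$($case.Name)] PROBLEM: $_" } }
    else         { "[$($case.Name)] OK" }
}

foreach ($uri in 'http://www.w3.org/2001/04/xmlenc#sha256',
                 'http://www.w3.org/2001/04/xmlenc#aes256-cbc') {
    $msg = Test-SamlEncryptionMethod -Setting 'SAML Data Encryption Method' -Uri $uri -Allowed $DataEncryptionUris
    if ($msg) { "PROBLEM: $msg" } else { "OK: $uri" }
}
$msg = Test-SamlEncryptionMethod -Setting 'SAML Key Encryption Method' `
           -Uri 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' -Allowed $KeyEncryptionUris
if ($msg) { "PROBLEM: $msg" } else { 'OK: rsa-oaep-mgf1p' }
```

To check a real certificate, replace the constructed sample with `Get-Content .\sp-encryption.cer -Raw` and paste only the text the check reports as OK. The check deliberately strips the header and footer before decoding so it can tell you whether the certificate underneath is sound even when the paste is wrong; the IdP itself does not do that, which is why the header lines alone are enough to trigger the error in this article.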
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.