SAML authn request verification failed error in AM (All versions) when doing a SP initiated SSO
The purpose of this article is to provide assistance if you encounter an "Invalid signature in Request" error when doing a SP initiated Single Sign On (SSO) flow where AM is the identity provider (IdP), and IG is either the service provider (SP) or IG is in front of AM with a third-party SP. You will also see "authn request verification failed" errors in your logs.
The SP initiated SSO flow fails but the IdP initiated login flow succeeds.
You will see a HTTP 500 error in your browser with the following message when this happens:
Invalid signature in Request.
The following error is shown in the Federation debug log when this happens:libSAML2:01/10/2021 02:12:51:582 PM BST: Thread[default task-8,5,main]: TransactionId[f7569d46-1326-6844-911a-41aff-ae14ce9-835239] ERROR: UtilProxySAMLAuthenticator.authenticate: authn request verification failed. libSAML2:01/10/2021 02:12:51:583 PM BST: Thread[default task-8,5,main]: TransactionId[f7569d46-1326-6844-911a-41aff-ae14ce9-835239] Invoking IDP adapter preSendFailureResponse hook libSAML:01/10/2021 02:12:51:584 PM BST: Thread[default task-8,5,main]: TransactionId[f7569d46-1326-6844-911a-41aff-ae14ce9-835239] SAMLUtils.sendError: error page/saml2/jsp/saml2error.jsp
Made changes to the federation configuration, which resulted in both of the following being true:
- The HTTP-REDIRECT request binding is used.
- Signature validation is enabled.
IG does not preserve query strings by default but the HTTP-REDIRECT binding sends the SAML request (including signature information) in the URL query string of an HTTP GET request. This means that the signed authentication request sent by the SP (either IG itself or via IG) has encoded query strings, which is not what AM is expecting, and as a result, AM cannot validate the request signature.
You can see this encoding if you compare the SAMLRequest in the HAR file (what is being sent by the SP) to the SAMLRequest in the AM debug logs (what AM receives) and you will notice the query strings have encoded characters. For example,
+ in the HAR file is replaced with
%2B in the debug logs,
/ is replaced with
%2F and so on.
This issue can be resolved using one of the following approaches:
- Set the
preserveOriginalQueryStringproperty to true in IG 6.5.1 and later. This setting applies to all routes so may affect other applications and should be tested before implementation. See AdminHttpApplication (admin.json) for further information.
- Use the HTTP-POST binding, which does not use query strings to send the request and instead sends it as part of the postData. You will need to contact the SP and request they send the SAML request using HTTP-POST rather than HTTP-Redirect.
How do I know which binding to use for SAML2 federation in Identity Cloud or AM (All versions)?
SAML 2.0 single sign-on and federation
Related Issue Tracker IDs