Does not apply to Identity Cloud

Signature algorithm is not supported error when verifying a signed SAML assertion in AM 5.x or 6.x

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if you receive a "com.sun.identity.saml2.common.SAML2Exception: Signature algorithm is not supported" error when AM verifies a signed SAML request (for example an AuthnRequest) that was received over the HTTP-Redirect binding.



Symptoms

The following error is shown in the Federation debug log when AM verifies the signature on a SAML request received over the HTTP-Redirect binding (here an AuthnRequest arriving at AM acting as IdP):

ERROR: IDPSSOFederate.doSSOFederate: authn request verification failed. com.sun.identity.saml2.common.SAML2Exception: Signature algorithm is not supported.
      at com.sun.identity.saml2.common.QuerySignatureUtil.verify(QuerySignatureUtil.java:310)
      at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:384)
      at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:129)
      at jsp_servlet._saml2._jsp.__idpssofederate._jspService(__idpssofederate.java:130)

Recent Changes

Started signing requests, or changed the signature algorithm used to sign them.

Introduced the HTTP-Redirect binding for AuthnRequest, or for other requests such as LogoutRequest.

Causes

The signature algorithm used to sign the request is not one AM supports. With the HTTP-Redirect binding the request is not carried with an embedded XML signature; the deflated, base64-encoded message is signed as a query string, and the sender declares the algorithm in the SigAlg query parameter. AM rejects any SigAlg value that is not in its supported list with this error before the signature itself is checked.

The list of supported signature algorithms is shown in the documentation: Reference › Algorithms

Note

ForgeRock strongly recommends using the SHA-256 variants (rsa-sha256 or ecdsa-sha256). SHA-1 is no longer considered collision resistant, so avoid the SHA-1 variants on both the sending and the receiving side rather than enabling them to make an old peer work.

Solution

This issue is resolved by signing requests with an algorithm AM supports. Query-string signatures are only produced when the binding is HTTP-Redirect, and AM verifies them in QuerySignatureUtil, which is where the error in the Symptoms is thrown. The algorithm is chosen by the entity that sends the request: in the scenario above (AM as IdP receiving an AuthnRequest) that is the remote SP, so it is the SP's request signing configuration that has to change to one of the algorithms listed in the documentation. Changing AM's own algorithm settings does not make AM accept an algorithm that is not in its supported list.
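To make the failure concrete, the following added example (not AM's or ForgeRock's code) models both sides of the HTTP-Redirect binding signature as defined in the SAML 2.0 Bindings specification: the SP deflates and base64-encodes the request, signs the URL-encoded octets SAMLRequest, RelayState (if present) and SigAlg in that order, and appends Signature; the IdP checks the SigAlg URI against an allow-list before it looks at any signature bytes, and rebuilds the signed octets from the raw query string rather than from decoded values. The SigAlg URIs are the standard XML Signature identifiers; the allow-list contents, the function names and the sample AuthnRequest are assumptions made for the example, and the error text is copied from the article so the rejection path is recognisable.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1" // register digests so crypto.Hash.New() works
	_ "crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SigAlg values are XML Signature algorithm URIs, sent in the SigAlg query parameter.
const (
	SigAlgRSASHA1   = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
	SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
)

// hashFor covers every algorithm the toy SP can emit; supportedSigAlgs is the
// hypothetical IdP allow-list and deliberately omits SHA-1.
var hashFor = map[string]crypto.Hash{SigAlgRSASHA1: crypto.SHA1, SigAlgRSASHA256: crypto.SHA256}
var supportedSigAlgs = map[string]bool{SigAlgRSASHA256: true}
var ErrUnsupportedSigAlg = errors.New("Signature algorithm is not supported")

// deflateB64 encodes a SAML message as HTTP-Redirect requires: raw DEFLATE, then base64.
func deflateB64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // in-memory target: cannot fail
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// SignRedirect is the SP side: it returns the query string appended to the IdP SSO URL.
// The signature covers the URL-encoded parameters in the fixed order
// SAMLRequest, RelayState (if present), SigAlg; Signature itself is appended last.
func SignRedirect(key *rsa.PrivateKey, xml, relayState, sigAlg string) (string, error) {
	h, ok := hashFor[sigAlg]
	if !ok {
		return "", fmt.Errorf("signer: unknown SigAlg %q", sigAlg)
	}
	toSign := "SAMLRequest=" + url.QueryEscape(deflateB64(xml))
	if relayState != "" {
		toSign += "&RelayState=" + url.QueryEscape(relayState)
	}
	toSign += "&SigAlg=" + url.QueryEscape(sigAlg)
	digest := h.New()
	digest.Write([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, h, digest.Sum(nil))
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirect is the IdP side. It rebuilds the signed octets from the raw, still
// URL-encoded query string, because those are exactly the bytes the SP signed.
func VerifyRedirect(pub *rsa.PublicKey, rawQuery string) error {
	decoded, err := url.ParseQuery(rawQuery)
	if err != nil {
		return err
	}
	// The check behind the article's error: an algorithm outside the allow-list is
	// rejected before any signature bytes are examined.
	sigAlg := decoded.Get("SigAlg")
	if !supportedSigAlgs[sigAlg] {
		return fmt.Errorf("%w: %s", ErrUnsupportedSigAlg, sigAlg)
	}
	sig, err := base64.StdEncoding.DecodeString(decoded.Get("Signature"))
	if err != nil {
		return err
	}
	raw := map[string]string{} // parameter name -> value as received, not decoded
	for _, kv := range strings.Split(rawQuery, "&") {
		if i := strings.IndexByte(kv, '='); i > 0 {
			raw[kv[:i]] = kv[i+1:]
		}
	}
	signed := "SAMLRequest=" + raw["SAMLRequest"]
	if rs, present := raw["RelayState"]; present {
		signed += "&RelayState=" + rs
	}
	signed += "&SigAlg=" + raw["SigAlg"]
	digest := hashFor[sigAlg].New()
	digest.Write([]byte(signed))
	return rsa.VerifyPKCS1v15(pub, hashFor[sigAlg], digest.Sum(nil), sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample request; a real AuthnRequest carries more attributes.
	const authn = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0"/>`
	for _, alg := range []string{SigAlgRSASHA256, SigAlgRSASHA1} {
		q, _ := SignRedirect(key, authn, "https://sp.example.com/app", alg)
		fmt.Printf("%s -> %v\n", alg, VerifyRedirect(&key.PublicKey, q))
	}
}
```

Run as a program it signs the same request twice, once with rsa-sha256 (accepted) and once with rsa-sha1 (rejected with the "Signature algorithm is not supported" error), which is the situation described in the Symptoms: the verifier never reaches the signature check, so a perfectly valid signature made with a non-listed algorithm still fails. The verifier deliberately reconstructs the signed string from the raw query parameters; re-encoding decoded values can change the bytes (for example spaces versus "+") and make valid signatures fail for an unrelated reason.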

HTTP-POST or HTTP-Artifact bindings

The HTTP-Redirect binding in the web SSO profile carries only requests, never responses. If you use the HTTP-POST or HTTP-Artifact bindings for responses and want to control how AM signs those responses, the global setting is sufficient, because these bindings carry the response as XML with an embedded XML signature. You can configure the signature algorithm for these responses in the console as follows:

  1. Navigate to: Configure > Global Services > Common Federation Configuration > Algorithms > XML signature algorithm and select the required signature algorithm.
  2. Save your changes.
  3. Restart the web application container in which AM runs to apply these changes.

See Also

FAQ: SAML certificate management in AM 5.x and 6.x

SAML Federation in AM

SAML v2.0 Guide

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.