Signature algorithm is not supported error when verifying a signed SAML assertion in AM 5.x or 6.x
The purpose of this article is to provide assistance if you receive a "com.sun.identity.saml2.common.SAML2Exception: Signature algorithm is not supported" error when AM attempts to verify a signed SAML assertion sent over the HTTP-Redirect binding.
Symptoms
The following error is shown in the Federation debug log when verifying a signed SAML assertion:
ERROR: IDPSSOFederate.doSSOFederate: authn request verification failed.
com.sun.identity.saml2.common.SAML2Exception: Signature algorithm is not supported.
    at com.sun.identity.saml2.common.QuerySignatureUtil.verify(QuerySignatureUtil.java:310)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:384)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:129)
    at jsp_servlet._saml2._jsp.__idpssofederate._jspService(__idpssofederate.java:130)
Recent Changes
- Added a new XML signature algorithm for requests.
- Introduced the HTTP-Redirect binding for AuthnRequest or other non-web SSO requests such as LogoutRequest.
Causes
The XML signature algorithm used to sign requests sent over the HTTP-Redirect binding is not supported.
The list of supported signature algorithms is shown in the documentation: Reference › Algorithms.
Note
ForgeRock strongly recommends using *SHA-256 variants (rsa-sha256 or ecdsa-sha256).
Solution
This issue can be resolved by signing your requests with a supported XML signature algorithm, since QuerySignatureUtil rejects any other algorithm when verifying. Requests are only signed and verified by QuerySignatureUtil when the binding used is HTTP-Redirect.
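The following added example (not AM's own code and not QuerySignatureUtil) shows the check a verifier performs on an HTTP-Redirect binding URL before any cryptographic verification: it reads the SigAlg query parameter, rejects algorithms that are not on an allowlist (the condition behind the error above), and rebuilds the exact byte string that the Signature parameter covers. The allowlist, the sample URL and its placeholder SAMLRequest and Signature values are assumptions constructed for this example; the supported algorithms for your AM version are those listed in Reference › Algorithms.

```python
"""Pre-verification check for a signed SAML HTTP-Redirect binding URL."""
import base64
from urllib.parse import unquote, urlsplit

# Illustrative allowlist (assumption): XML-DSig algorithm URI -> digest it uses.
# The authoritative list for an AM release is in Reference > Algorithms.
SUPPORTED_SIG_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "sha512",
}

# Constructed sample URL: placeholder SAMLRequest and Signature values, not a real AuthnRequest.
SAMPLE_URL = ("https://idp.example.com/am/SSORedirect/metaAlias/idp?SAMLRequest=ZmFrZQ%3D%3D"
              "&RelayState=abc&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
              "&Signature=AQID")


class UnsupportedSignatureAlgorithm(ValueError):
    """Same condition as AM's 'Signature algorithm is not supported'."""


def _raw_params(query):
    """Split the query but keep values percent-encoded: the signature covers that form."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[name] = value
    return params


def prepare_redirect_verification(url):
    """Return (digest_name, signed_bytes, signature_bytes) for a signed redirect URL."""
    raw = _raw_params(urlsplit(url).query)
    sig_alg = unquote(raw.get("SigAlg", ""))
    if sig_alg not in SUPPORTED_SIG_ALGS:  # reject before touching any key or signature
        raise UnsupportedSignatureAlgorithm(f"Signature algorithm is not supported: {sig_alg!r}")
    message = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    if message not in raw or "Signature" not in raw:
        raise ValueError("SAMLRequest/SAMLResponse and Signature parameters are required")
    # The signed string is the raw query values in the binding's fixed order.
    parts = [f"{message}={raw[message]}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    signature = base64.b64decode(unquote(raw["Signature"]))
    return SUPPORTED_SIG_ALGS[sig_alg], "&".join(parts).encode("ascii"), signature
```

Calling `prepare_redirect_verification(SAMPLE_URL)` returns the digest name, the signed bytes and the decoded signature, which are what the public-key verify call of your crypto library then takes; a SigAlg such as rsa-sha1 raises UnsupportedSignatureAlgorithm instead.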
HTTP-POST or HTTP-Artifact bindings
If you use the HTTP-POST or HTTP-Artifact bindings for responses and want to control the response signing mechanism, the global-level setting should be sufficient; the HTTP-Redirect binding in the web SSO profile can only be used for transferring requests, not responses. You can configure the signature algorithm for these responses in the console as follows:
- Navigate to: Configure > Global Services > Common Federation Configuration > Algorithms > XML signature algorithm and select the required signature.
- Save your changes.
- Restart the web application container in which AM runs to apply these changes.
See Also
Related Training
N/A
Related Issue Tracker IDs
N/A