The following error is shown in the Federation debug log when AM, acting as IdP, verifies a signed SAML AuthnRequest:

ERROR: IDPSSOFederate.doSSOFederate: authn request verification failed.
com.sun.identity.saml2.common.SAML2Exception: Signature algorithm is not supported.
    at com.sun.identity.saml2.common.QuerySignatureUtil.verify(QuerySignatureUtil.java:310)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:384)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:129)
    at jsp_servlet._saml2._jsp.__idpssofederate._jspService(__idpssofederate.java:130)
Added a new XML signature for requests.
Introduced the HTTP-Redirect binding for AuthnRequest, or for requests outside the web SSO profile such as LogoutRequest.
The signature algorithm used to sign your requests over the HTTP-Redirect binding (the algorithm named in the SigAlg query parameter of the redirect URL) is not one AM supports, so QuerySignatureUtil.verify rejects the request before checking the signature value.
The list of supported signature algorithms is shown in the documentation: Reference › Algorithms.
ForgeRock strongly recommends using the SHA-256 variants (rsa-sha256 or ecdsa-sha256).
This issue can be resolved by signing your requests with a signature algorithm that AM supports, that is, one QuerySignatureUtil accepts. QuerySignatureUtil only signs and verifies requests sent over the HTTP-Redirect binding, so this applies to the SP's redirect URLs: the algorithm in use is visible in the clear as the SigAlg parameter of the URL the SP redirects the browser to, which is the quickest place to confirm what the SP is actually sending.
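The following is an added example, not AM's code, of what happens on each side of the HTTP-Redirect binding: the SP deflates, base64-encodes and URL-encodes the AuthnRequest, signs the octet string "SAMLRequest=...&RelayState=...&SigAlg=..." and appends the Signature parameter; the IdP checks SigAlg against its allow-list before it verifies anything, which is the point at which the "Signature algorithm is not supported" failure arises. The allow-list (supportedSigAlgs), the sample AuthnRequest and the key are constructed for this example and are assumptions, not AM's actual supported list or a real deployment's metadata; only RSA is shown, not the ecdsa-sha256 variant.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // registers SHA-1 so crypto.SHA1.New() works
	_ "crypto/sha256" // registers SHA-256 so crypto.SHA256.New() works
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// SigAlg URIs exactly as they travel in the HTTP-Redirect binding's SigAlg parameter.
const (
	RSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
	RSASHA1   = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
)

// knownSigAlgs is what the SP side of this example is able to produce,
// SHA-1 included so the unsupported case can be demonstrated.
var knownSigAlgs = map[string]crypto.Hash{
	RSASHA256: crypto.SHA256,
	RSASHA1:   crypto.SHA1,
}

// supportedSigAlgs is the IdP side's allow-list. It is an assumption of this
// example, modelled on the SHA-256 recommendation, not AM's real list.
var supportedSigAlgs = map[string]crypto.Hash{
	RSASHA256: crypto.SHA256,
}

// ErrUnsupportedSigAlg mirrors the failure mode seen in the debug log.
var ErrUnsupportedSigAlg = errors.New("Signature algorithm is not supported")

// SampleAuthnRequest is a constructed request; issuer and ID are placeholders.
const SampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com</saml:Issuer></samlp:AuthnRequest>`

// NewExampleKey generates a throwaway RSA key for the SP in this example.
func NewExampleKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// deflateBase64 applies the redirect binding's message encoding: raw DEFLATE, then base64.
func deflateBase64(xml string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(xml)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// signedInput is the exact octet string that is signed and later verified:
// URL-encoded SAMLRequest, RelayState (if present) and SigAlg, in that order.
func signedInput(samlRequest, relayState, sigAlg string) string {
	s := "SAMLRequest=" + url.QueryEscape(samlRequest)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return s + "&SigAlg=" + url.QueryEscape(sigAlg)
}

// BuildRedirectQuery is the SP side: encode the request, sign the query string
// with the chosen SigAlg, and append the base64 Signature parameter.
func BuildRedirectQuery(key *rsa.PrivateKey, xml, relayState, sigAlg string) (string, error) {
	hash, ok := knownSigAlgs[sigAlg]
	if !ok {
		return "", fmt.Errorf("cannot sign with %s", sigAlg)
	}
	encoded, err := deflateBase64(xml)
	if err != nil {
		return "", err
	}
	input := signedInput(encoded, relayState, sigAlg)
	h := hash.New()
	h.Write([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, hash, h.Sum(nil))
	if err != nil {
		return "", err
	}
	return input + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery is the IdP side: reject any SigAlg outside the allow-list
// before touching the signature, then verify over the same octets the SP signed.
func VerifyRedirectQuery(pub *rsa.PublicKey, query string) error {
	values, err := url.ParseQuery(query)
	if err != nil {
		return err
	}
	sigAlg := values.Get("SigAlg")
	hash, ok := supportedSigAlgs[sigAlg]
	if !ok {
		return fmt.Errorf("%w: %q", ErrUnsupportedSigAlg, sigAlg)
	}
	sig, err := base64.StdEncoding.DecodeString(values.Get("Signature"))
	if err != nil {
		return err
	}
	input := signedInput(values.Get("SAMLRequest"), values.Get("RelayState"), sigAlg)
	h := hash.New()
	h.Write([]byte(input))
	return rsa.VerifyPKCS1v15(pub, hash, h.Sum(nil), sig)
}

func main() {
	key := NewExampleKey()
	for _, alg := range []string{RSASHA256, RSASHA1} {
		q, err := BuildRedirectQuery(key, SampleAuthnRequest, "https://sp.example.com/app", alg)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> verify: %v\n", alg, VerifyRedirectQuery(&key.PublicKey, q))
	}
}
```

Two details matter in practice. The signed octets are the URL-encoded parameter values, so the verifier must rebuild the string from the encoded form the SP used rather than from a re-serialised XML document; and the allow-list check comes first, so an SP signing with rsa-sha1 is turned away before its key is even consulted, which is exactly why the log shows the algorithm error rather than a signature mismatch.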
HTTP-POST or HTTP-Artifact bindings
If you use the HTTP-POST or HTTP-Artifact bindings for responses and want to control how those responses are signed, the global setting is sufficient; in the web SSO profile the HTTP-Redirect binding only carries requests, never responses, so the response signing algorithm is not affected by the request-side issue above. You can configure the signature algorithm for these responses in the console as follows:
- Navigate to: Configure > Global Services > Common Federation Configuration > Algorithms > XML signature algorithm and select the required signature.
- Save your changes.
- Restart the web application container in which AM runs to apply these changes.