Support Article
OpenSAML exception: Signature contained an invalid transform
SA-34068
Summary
The simulated IDP (Identity Provider) generates the following error in Pega:
Caused by: org.opensaml.xml.validation.ValidationException: Signature contained an invalid transform
Error Messages
[12/21/16 11:45:09:226 CST] 00000055 SystemOut O 2016-12-21 11:45:09,226 [ WebContainer : 0] [ STANDARD] [ ] [ TRK:01.01.01] ( internal.util.PRSAMLv2Utils) ERROR <ip1>|<ip2> - Caught Exception while processing SAML2 Authentication response
com.pega.pegarules.pub.PRRuntimeException: Caught Exception while validating SAML2 Authentication response protocol : Signature contained an invalid transform
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseProtocolValidator.validate(SAMLv2ResponseProtocolValidator.java:231)
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.validateResponse(PRSAMLv2Utils.java:551)
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.processAuthenticationResponse(PRSAMLv2Utils.java:519)
at com.pegarules.generated.activity.ra_action_pysamlwebssoauthenticationactivity_e18957af03a96f9470088729fb85c0d9.step18_circum0(ra_action_pysamlwebssoauthenticationactivity_e18957af03a96f9470088729fb85c0d9.java:1686)
at com.pegarules.generated.activity.ra_action_pysamlwebssoauthenticationactivity_e18957af03a96f9470088729fb85c0d9.perform(ra_action_pysamlwebssoauthenticationactivity_e18957af03a96f9470088729fb85c0d9.java:401)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3510)
at com.pega.pegarules.session.internal.mgmt.authentication.AuthenticationUtil.runActivity(AuthenticationUtil.java:209)
at com.pega.pegarules.session.internal.mgmt.authentication.SchemePRCustom.authenticateOperator(SchemePRCustom.java:702)
at com.pega.pegarules.session.internal.mgmt.authentication.Authentication.doAuthentication(Authentication.java:466)
at com.pega.pegarules.session.internal.engineinterface.service.HTTPAuthenticationHandler.doHttpReqAuthentication(HTTPAuthenticationHandler.java:103)
at com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.handleAuthentication(HttpAPI.java:2157)
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.activityExecutionProlog(EngineAPI.java:548)
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequestInner(EngineAPI.java:388)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:613)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.performTargetActionWithLock(PRSessionProviderImpl.java:1277)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:1015)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:848)
......
Caused by:
org.opensaml.xml.validation.ValidationException: Signature contained an invalid transform
at org.opensaml.security.SAMLSignatureProfileValidator.validateTransforms(SAMLSignatureProfileValidator.java:236)
at org.opensaml.security.SAMLSignatureProfileValidator.validateSignatureImpl(SAMLSignatureProfileValidator.java:86)
at org.opensaml.security.SAMLSignatureProfileValidator.validate(SAMLSignatureProfileValidator.java:56)
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLPostBindingHandler.verify(SAMLPostBindingHandler.java:190)
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseProtocolValidator.validate(SAMLv2ResponseProtocolValidator.java:140)
... 72 more
Steps to Reproduce
Not Applicable
Root Cause
An issue in the custom application code or rules: the customized code that signs the SAML assertion uses an unsupported transform.
Resolution
Change the signing code to use one of the following transforms, which OpenSAML supports:
http://www.w3.org/2006/12/xml-c14n11
http://www.w3.org/2006/12/xml-c14n11#WithComments
http://www.w3.org/2000/09/xmldsig#enveloped-signature
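The following pre-flight check, added here as an example and not part of the article or of Pega's code, parses a SAML Response and reports every ds:Reference transform that is not in the list above, so the offending URI can be found in the signing code before OpenSAML rejects it. It also flags a Reference with no enveloped-signature transform, which is OpenSAML's own profile rule rather than something the article states; the sample Response it builds is constructed, with placeholder digest and signature values.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# Transform URIs the article lists as accepted by OpenSAML's signature profile validator.
SUPPORTED_TRANSFORMS = {
    "http://www.w3.org/2006/12/xml-c14n11",
    "http://www.w3.org/2006/12/xml-c14n11#WithComments",
    ENVELOPED,
}


def check_signature_transforms(xml_text):
    """Return a list of findings; an empty list means every ds:Reference passes."""
    root = ET.fromstring(xml_text)
    findings = []
    refs = list(root.iter(f"{{{DS_NS}}}Reference"))
    if not refs:
        return ["no ds:Reference found: the response carries no XML signature"]
    for ref in refs:
        uri = ref.get("URI", "")
        transforms = [t.get("Algorithm", "") for t in ref.iter(f"{{{DS_NS}}}Transform")]
        for alg in transforms:
            if alg not in SUPPORTED_TRANSFORMS:
                findings.append(f"Reference {uri!r}: invalid transform {alg}")
        if ENVELOPED not in transforms:
            # OpenSAML's SAMLSignatureProfileValidator requires the enveloped transform.
            findings.append(f"Reference {uri!r}: missing enveloped-signature transform")
    return findings


def sample_response(transform_uris):
    """Constructed minimal Response/Assertion/Signature skeleton for testing only."""
    transforms = "".join(f'<ds:Transform Algorithm="{u}"/>' for u in transform_uris)
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_a1">
          <ds:Transforms>{transforms}</ds:Transforms>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
```

Run it against the Response your IdP (or the simulated IDP) actually posts; any line reading "invalid transform" names the URI that the signing code must replace.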
Published March 16, 2017 - Updated October 8, 2020