SAML Problem Calculating Signature of the SAMLRequest

New Here, Sep 24, 2024

Hello, has anyone run into this issue when implementing SAML for SSO or otherwise in your ColdFusion application:

There was a problem when calculating the Signature of the SAMLRequest

I have tried every possible configuration of the IDP and SP, which looks like the following; however, I'm pretty sure this has to do with the IDP signcertificate, which is copied and pasted in X509Certificate format from the IDP XML metadata. I've also tried a few different configurations of pasting the IDP signcertificate, including manually encoding it in base64.

 

this.security.samlsettings.idp = [{
	name: '<idpname>', 
	entityId: 'https://<idp_url>/saml2/idp',
	ssoURL: "https://<idp_url>/idp/SSO.saml2",
	sloURL: "https://<idp_url>/idp/SLO.ssaml2",
	signMessage: true, 
	signrequests: true
	signcertificate: 'thecert'  
}];
this.security.samlsettings.sp = [{
	name: '<spname>', 
	entityId: 'http://<my_application>/admin/index.cfm/main', 
	acsURL: 'https://<my_application>/admin/acs.cfm', 
	sloURL: 'https://<my_application>/admin/main/logout', 
	acsbinding: 'POST', 
	slobinding: 'POST', 
	wantassertionssigned: true, 
	logoutresponsesigned: true,
	signrequests: true,
	signkeystorepath: '/<file_path>/sso.keystore', 
	signkeystorepassword: '<passwd>', 
	signkeystorealias: 'SSODev', 
	requeststore: 'Cache'
}];

I'm also including the stack trace below. Any insight would be very helpful!

 

java.lang.IllegalArgumentException: There was a problem when calculating the Signature of the SAMLRequest at coldfusion.saml.SamlAuth.buildSignature(SamlAuth.java:1022) at coldfusion.saml.SamlAuth.buildRequestSignature(SamlAuth.java:950) at coldfusion.saml.SamlAuth.login(SamlAuth.java:262) at coldfusion.saml.SamlAuth.login(SamlAuth.java:295) at coldfusion.saml.SamlAuth.login(SamlAuth.java:319) at coldfusion.saml.SamlRequestBuilder.initAuthRequest(SamlRequestBuilder.java:164) at coldfusion.saml.SAMLServiceImpl.InitSAMLAuthRequest(SAMLServiceImpl.java:513) at coldfusion.runtime.CFPage.InitSAMLAuthRequest(CFPage.java:17413) at cfApplication2ecfc1861989389$funcONSESSIONSTART.runFunction(/virtual/linode.com/www/htdocs/Application.cfc:563) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:623) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:553) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:516) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:463) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:438) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:310) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:975) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:696) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:503) at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:115) at coldfusion.runtime.AppEventInvoker.onSessionStart(AppEventInvoker.java:465) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:512) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:162) at coldfusion.filter.IpFilter.invoke(IpFilter.java:45) at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:30) at 
coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:97) at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:81) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:231) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) at coldfusion.inspect.weinre.MobileDeviceDomInspectionFilter.doFilter(MobileDeviceDomInspectionFilter.java:57) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:355) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:450) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.base/java.lang.Thread.run(Thread.java:834)

Enthusiast, Sep 24, 2024

Not sure if this would cause the problem, but you are missing the comma after signrequests and before signcertificate in your IDP config. 

My next guess would be that the actual signcertificate is not in the correct format. There are different ways to encode the certificate: PEM, DER, etc. I think you want to just take a PEM cert, and then remove the BEGIN CERTIFICATE / END CERTIFICATE parts and put everything on one line.

 

Pete / Foundeo Inc.
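The advice above (take the PEM, drop the BEGIN/END lines, put the base64 body on one line) is mechanical enough to script. The following is an added example, not code from this thread, ColdFusion, or Foundeo: it normalizes whatever was pasted (a PEM file such as the sso.pem that keytool -export -rfc writes in the accepted answer below, the text of a ds:X509Certificate metadata element, or bare base64 with line breaks) into the single-line form, peels off an accidental second layer of base64 encoding (the "manually encoding it in base64" case in the question), and checks that the decoded bytes are a DER SEQUENCE whose declared length matches the byte count, which catches truncated pastes without an ASN.1 library. The sample inputs are constructed stand-ins with a valid SEQUENCE header around filler bytes, not a real certificate; the function and regex names are this example's own.

```python
import base64
import binascii
import re

# Armor lines and XML wrappers people typically paste along with the body.
_WRAPPER_RE = re.compile(
    r"-----(?:BEGIN|END) [A-Z ]*CERTIFICATE-----|</?(?:[A-Za-z0-9]+:)?X509Certificate>"
)


def der_sequence_length(der: bytes):
    """Return the total encoded length of an outer DER SEQUENCE, or None.

    A DER-encoded X.509 certificate starts with tag 0x30 (SEQUENCE) followed
    by a length field; comparing that length with the actual byte count
    detects truncated or padded pastes.
    """
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length (< 128 bytes)
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def normalize_cert(pasted: str, max_unwrap: int = 2) -> str:
    """Turn a pasted certificate into its single-line base64 body.

    Accepts PEM (with BEGIN/END lines), the contents of a <ds:X509Certificate>
    element, or bare base64 with whitespace. If the paste was base64-encoded
    a second time by hand, that extra layer is removed. Raises ValueError
    when the result is not a DER SEQUENCE of the declared size.
    """
    text = re.sub(r"\s+", "", _WRAPPER_RE.sub("", pasted))
    for _ in range(max_unwrap + 1):
        try:
            der = base64.b64decode(text, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"not valid base64: {exc}") from exc
        declared = der_sequence_length(der)
        if declared == len(der):
            return base64.b64encode(der).decode("ascii")
        if declared is not None:
            raise ValueError(
                f"DER SEQUENCE declares {declared} bytes but {len(der)} were decoded "
                "(truncated paste or extra bytes)"
            )
        try:
            inner = der.decode("ascii")   # maybe a double-encoded PEM/base64 text
        except UnicodeDecodeError as exc:
            raise ValueError("decoded bytes are not a DER certificate") from exc
        text = re.sub(r"\s+", "", _WRAPPER_RE.sub("", inner))
    raise ValueError(f"more than {max_unwrap} layers of base64 encoding")


# --- Constructed sample inputs (NOT a real certificate): a well-formed outer
# SEQUENCE header (0x30, long-form length 0x0100) around 256 filler bytes. ---
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_BODY = base64.b64encode(SAMPLE_DER).decode("ascii")
_WRAPPED = "\n".join(SAMPLE_BODY[i:i + 64] for i in range(0, len(SAMPLE_BODY), 64))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + _WRAPPED + "\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = "<ds:X509Certificate>\n" + _WRAPPED + "\n</ds:X509Certificate>"
# The whole PEM text run through base64 once more by hand:
SAMPLE_DOUBLE = base64.b64encode(SAMPLE_PEM.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    for label, sample in (("PEM", SAMPLE_PEM), ("metadata", SAMPLE_METADATA),
                          ("double-encoded", SAMPLE_DOUBLE)):
        print(f"{label:>14}: {'ok' if normalize_cert(sample) == SAMPLE_BODY else 'MISMATCH'}")
```

Run it on the real IdP certificate by passing the file contents to normalize_cert and pasting the returned line into signcertificate; a ValueError tells you the paste was truncated or never decoded to a certificate in the first place.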

New Here, Sep 24, 2024 (Correct answer)

Hi Pete, thanks for the quick reply! Your comment had me rethinking the way I generated my SP cert, and it did end up being an issue with the way I generated my SP keystore. ColdFusion or Java had issues decrypting the keystore sso.keystore that I generated with keytool. I solved this issue by generating my keystore with the PKCS12 store type, using the following command:

keytool -genkey -alias <myalias> -keystore /<file_path>/sso.p12 -storetype PKCS12 -keyalg RSA -storepass <passwd> -validity 9999 -keysize 2048

I then exported the keystore into a .pem file with the following command and provided it to my IDP:

keytool -export -alias <myalias> -keystore /<file_path>/sso.p12 -rfc -file /<file_path>/sso.pem

Hopefully this is able to assist someone else.

Enthusiast, Sep 26, 2024

Yeah, I bet it will help someone else too, thanks for sharing what the problem was.
