IBM Support

QRadar SOAR: SAML login does not complete due to SOAR service provider expired certificate

Troubleshooting


Problem

Some identity providers (IdPs) use the Service Provider (SP) certificate, <alias>-sp-cert.pem, to verify the signatures on the SAML messages that IBM QRadar SOAR sends to the IdP. If that SP certificate has expired and the IdP enforces it, the IdP rejects the SAML exchange, SSO stops working, and users see the message "An error occurred."

Symptom

Users might see the message, "An error occurred. For additional support, please contact your system administrator" when they try to authenticate.
The /usr/share/co3/logs/client.log might contain the status code "sso urn:oasis:names:tc:SAML:2.0:status:Responder". This Responder status is returned by the IdP and normally indicates a configuration problem on the IdP side; in the second example the IdP also reports "Unable to verify the signature", which is what an expired SP certificate produces:
[https-jsse-nio2-443-exec-7] WARN  [] com.co3.web.servlet.saml.SAMLServlet - SAML response contained an error status:  POST https://<soar.domain.com>/saml2/<alias>/sso urn:oasis:names:tc:SAML:2.0:status:Responder 
[https-jsse-nio2-443-exec-7] ERROR [] com.co3.web.servlet.Co3ServletFilterBase - Error processing request POST:/saml2/<alias>/sso
java.lang.RuntimeException: javax.servlet.ServletException: javax.servlet.ServletException: https://<soar.domain.com>/saml2/<alias>/sso
(..)
[http-nio-443-exec-2] WARN  [] com.co3.web.servlet.saml.SAMLServlet - SAML response contained an error status:  POST https://<soar.domain.com>/saml2/<alias>/sso urn:oasis:names:tc:SAML:2.0:status:Responder Unable to verify the signature
[http-nio-443-exec-2] ERROR [] com.co3.web.servlet.Co3ServletFilterBase - Error processing request POST:/saml2/<alias>/sso
java.lang.RuntimeException: javax.servlet.ServletException: javax.servlet.ServletException: https://<soar.domain.com>/saml2/<alias>/sso

Cause

In this instance, the Service Provider certificate (<alias>-sp-cert.pem) that the IdP uses to verify SOAR's SAML signatures has expired, so the IdP can no longer validate the signed requests and returns the Responder status.

Diagnosing The Problem

Determine whether the Service Provider certificate is expired:
  1. SSH to the SOAR server.
  2. Change directory to a working directory.
  3. Run the resutil tool to show the SAML configuration in use:
    sudo resutil samlshow
  4. In the working directory, you now have <alias>-metadata.xml and <alias>-sp-cert.pem. The file names match the alias that you provided when the configuration was created; the alias is shown in the samlshow output.
  5. Open the certificate for viewing and locate the Validity section:
    openssl x509 -in <alias>-sp-cert.pem -text -noout
  6. Confirm that the "Not After" date has passed. If it has, the IdP can no longer verify SOAR's signatures with this certificate.

Resolving The Problem

If the certificate is expired, a new one needs to be created. SSO stays down until the IdP team imports the new certificate in the last step, so coordinate a change window with them before you delete the configuration:
  1. Back up the current SAML configuration to a text editor:
    sudo resutil samlshow
    Note: it is best to back up the entire output; it is the only record of the values you need in step 3.
  2. Delete the SAML configuration:
    sudo resutil samldel -alias <alias>
  3. Using the output of resutil samlshow from step 1, build a samledit command that re-creates the SAML configuration with the same values. Re-creating the configuration generates a new <alias>-sp-cert.pem and <alias>-metadata.xml:
    sudo resutil samledit -alias <alias> -org "Production" -org "Development" -certfile idp_signing_certificate.cer -loginurl https://adfs.example.com/adfs/ls/ -logouturl https://adfs.example.com/adfs/ls/
    Note: replace <alias>, Production, Development, idp_signing_certificate.cer, and https://adfs.example.com/adfs/ls/ with the values from your environment.
  4. Send the new <alias>-metadata.xml and <alias>-sp-cert.pem to your IdP team.

    Results
    Your identity provider (IdP) team imports the new Service Provider certificate, after which users authenticate correctly again.
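The following shell script is an added example and is not part of IBM's documentation or of the resutil tool. It covers two checks the steps above leave to the reader: it classifies an SP certificate as valid, expiring soon, or already expired (Diagnosing, steps 5 and 6), and it prints the subject, expiry date and SHA-256 fingerprint of the newly generated certificate so the IdP team can confirm out of band that they imported the right file (Resolving, step 4). It needs only the openssl CLI. Because no SOAR server is available here, the script generates a throwaway self-signed certificate as a constructed stand-in for <alias>-sp-cert.pem; the CN "soar-sp-sample" and the temporary file names are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not IBM's code): checks the validity of a SAML SP certificate
# such as <alias>-sp-cert.pem and prints the details to share with the IdP team.
# Requires only the openssl CLI.

# check_sp_cert CERT [WARN_DAYS]
# Exit status: 0 = valid for more than WARN_DAYS, 1 = valid but expires within
# WARN_DAYS, 2 = already expired, 3 = file missing or not a readable PEM.
check_sp_cert() {
  cert="$1"
  warn_days="${2:-30}"
  if ! openssl x509 -in "$cert" -noout -enddate 2>/dev/null; then
    echo "UNREADABLE: $cert is missing or is not a PEM certificate"
    return 3
  fi
  # 'x509 -checkend N' exits 0 only if the cert does NOT expire within the next
  # N seconds, so a window of 0 seconds tests whether it has expired already.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "EXPIRED: re-create the SAML configuration and send the new SP cert to the IdP"
    return 2
  fi
  if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
    echo "EXPIRING within $warn_days days: schedule the rotation with the IdP team"
    return 1
  fi
  echo "OK: valid for more than $warn_days days"
  return 0
}

# sp_cert_summary CERT
# Subject, notAfter and SHA-256 fingerprint: enough for the IdP team to confirm
# out of band that the certificate they imported is the one SOAR generated.
sp_cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# Constructed sample: a throwaway self-signed cert valid for DAYS days stands in
# for <alias>-sp-cert.pem. The CN is hypothetical and the key is discarded.
make_sample_cert() {
  days="$1"
  out="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=soar-sp-sample" -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

SAMPLE_CERT="${TMPDIR:-/tmp}/sample-sp-cert.$$.pem"
make_sample_cert 10 "$SAMPLE_CERT"

# Usage against the sample (a real run would point at <alias>-sp-cert.pem):
check_sp_cert "$SAMPLE_CERT" 30 || echo "status $?"   # 10-day cert: EXPIRING, status 1
check_sp_cert "$SAMPLE_CERT" 5  || echo "status $?"   # OK, status 0
sp_cert_summary "$SAMPLE_CERT"
```

Run it on the SOAR server as `check_sp_cert <alias>-sp-cert.pem 30` from a cron job or monitoring check to catch the expiry before the IdP starts rejecting requests; a status of 1 gives you the warning window the page's procedure needs, since the IdP team must import the new certificate before SSO works again.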

Document Location

Worldwide

Product: IBM Security QRadar SOAR
Category: Authentication -> SAML
Platform: Platform Independent
Version: All Versions

Document Information

Modified date:
05 July 2023

UID

ibm17009355