Thursday, September 13, 2018

OpenAM SAML configuration error "Missing signature algorithm"


ERROR: QuerySignatureUtil.verify: Null SigAlg query parameter.
libSAML2:07/05/2018 06:38:12:713 PM EDT: Thread[http-bio-127.0.0.1-8443-exec-3,5,main]: TransactionId[c6d8f6a3-a9e1-4820-a30b-38350fc47d11-51806]
ERROR: UtilProxySAMLAuthenticator.authenticate: authn request verification failed.
com.sun.identity.saml2.common.SAML2Exception: Missing signature algorithm.

When coding, make sure of the following.

Build your AuthN request so that the string you sign contains all three query parameters, SAMLRequest, RelayState and SigAlg, and then sign that combined string:


import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Base64;

// Redirect binding: the signed string is SAMLRequest, RelayState and SigAlg, in that order.
// encodedRequestMessage must already be deflated, Base64- and URL-encoded; sigAlg must name
// the algorithm actually used below (the rsa-sha1 URI for SHA1withRSA).
String authnrequest = "SAMLRequest=" + encodedRequestMessage
        + "&RelayState=" + URLEncoder.encode(relayURL, "UTF-8")
        + "&SigAlg=" + URLEncoder.encode(sigAlg, "UTF-8");
Signature signature = Signature.getInstance("SHA1withRSA");
signature.initSign(privateKey);
signature.update(authnrequest.getBytes(StandardCharsets.UTF_8));
byte[] signatureByteArray = signature.sign();

// Single-line Base64 (java.util.Base64 never inserts line breaks, like Base64.DONT_BREAK_LINES),
// then URL-encode the value before appending it as the Signature parameter
String signatureBase64encodedString = Base64.getEncoder().encodeToString(signatureByteArray);
return idpUrlREDIRECT + "?"
        + authnrequest
        + "&Signature="
        + URLEncoder.encode(signatureBase64encodedString, "UTF-8");
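
As an added example (not the post's own code), here is the SP-side signing from the post next to a stand-in for the IdP-side check behind the "Null SigAlg query parameter" error: the verifier rebuilds the signed string from the raw query parameters, so a query with no SigAlg parameter is rejected before any signature check. The key pair, the SAMLRequest value and the RelayState URL are constructed for the demo, and verifyQuery is a hypothetical simplification, not OpenAM's QuerySignatureUtil.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
public class RedirectSignatureDemo {
    // SigAlg URI that matches SHA1withRSA; the IdP checks it against the algorithm it verifies with
    static final String SIG_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    static String enc(String s) throws Exception { return URLEncoder.encode(s, "UTF-8"); }
    static String dec(String s) throws Exception { return URLDecoder.decode(s, "UTF-8"); }
    // SP side, as in the post: sign SAMLRequest, RelayState and SigAlg as one string.
    // encodedRequest is assumed to be already deflated, Base64- and URL-encoded.
    static String buildQuery(String encodedRequest, String relayState, PrivateKey key) throws Exception {
        String toSign = "SAMLRequest=" + encodedRequest
                + "&RelayState=" + enc(relayState) + "&SigAlg=" + enc(SIG_ALG);
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initSign(key);
        sig.update(toSign.getBytes(StandardCharsets.UTF_8));
        return toSign + "&Signature=" + enc(Base64.getEncoder().encodeToString(sig.sign()));
    }
    // IdP side (hypothetical stand-in for QuerySignatureUtil.verify): no SigAlg means reject outright;
    // otherwise rebuild the signed string from the raw, still-encoded values and verify with the SP key
    // (in OpenAM that key comes from the SP metadata).
    static boolean verifyQuery(String query, PublicKey spKey) throws Exception {
        Map<String, String> raw = new HashMap<>();
        for (String p : query.split("&")) {
            int eq = p.indexOf('=');
            raw.put(p.substring(0, eq), p.substring(eq + 1));
        }
        if (raw.get("SigAlg") == null || raw.get("Signature") == null) return false;
        if (!SIG_ALG.equals(dec(raw.get("SigAlg")))) return false;  // unexpected algorithm
        String signed = "SAMLRequest=" + raw.get("SAMLRequest")
                + (raw.containsKey("RelayState") ? "&RelayState=" + raw.get("RelayState") : "")
                + "&SigAlg=" + raw.get("SigAlg");
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initVerify(spKey);
        sig.update(signed.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(dec(raw.get("Signature"))));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();  // constructed demo key pair, not real SP keys
        String query = buildQuery(enc("ZGVtby1yZXF1ZXN0"), "https://sp.example/app", kp.getPrivate());
        System.out.println("complete query verifies: " + verifyQuery(query, kp.getPublic()));
        String noSigAlg = query.replaceAll("&SigAlg=[^&]*", "");
        System.out.println("without SigAlg verifies: " + verifyQuery(noSigAlg, kp.getPublic()));
    }
}
```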




The resulting AuthN request should look something like the following:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                   AssertionConsumerServiceURL="http://localhost:8084/DBAuthentication/samllogin"
                   Destination="https://ssoidp.lb.com:443/openam/SSORedirect/metaAlias/idp"
                   ID="ckimokpjjjongadnnkfbophokmmhdfhilckkknac"
                   IssueInstant="2018-09-05T15:15:48.936Z"
                   ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                   ProviderName="http://localhost:8084/DBAuth/sp"
                   Version="2.0">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8084/DBAuth/sp</saml:Issuer>
 <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
 <samlp:RequestedAuthnContext Comparison="exact">
   <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
 </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>






Wednesday, September 5, 2018

OpenAM ERROR: IDPSSOFederate.doSSOFederate: Unable to get AuthnRequest from cache, sending error response

The cache is cleared every 10 minutes by default, but you may want to consider increasing this interval if you keep seeing the error above in the Federation debug log.

AM / OpenAM 13.x console: navigate to: Configure > Global Services > SAMLv2 Service Configuration > Cache cleanup interval and enter the number of seconds that you want the AuthnRequest to remain in the cache. Once this time elapses, the cache is cleared.



./ssoadm set-attr-defs -s sunFAMSAML2Configuration -t global -u [adminID] -f [passwordfile] -a CacheCleanupInterval=[seconds]

OpenAM mod_auth_mellon multi-domain multi-server Apache setup

The Apache server documentation could be updated to clarify a few things with regard to load balanced web sites and multiple web virtual hosts.

For load balanced sites that use host-specific key/certificate pairs, there needs to be a metadata file for each web server with a unique EntityID, because the certificates differ.

For web servers providing multiple web vhosts, a global mellon.conf doesn't work for all of the sites. Each vhost that needs SAML auth needs its own mellon.conf that specifies the site-specific MellonSPMetadataFile and endpoint URL.

My setup:
Load Balanced Web Servers
web1-co-dmz
web2-co-dmz

Web Virtual Hosts, configured on each web server
vhost1.com
vhost2.com

Multi-Domain Certificate that includes both names. Each server has its own private key certificate pair.
For the EntityIDs I used the following:
entityID="https://vhost1.com_web1"
entityID="https://vhost1.com_web2"
entityID="https://vhost2.com_web1"
entityID="https://vhost2.com_web2"

I wound up creating two mellon.conf files in /etc/httpd/conf/saml2 on each web server.
web1-co-dmz:/etc/httpd/saml2/https_vhost2.com_web1.xml
web1-co-dmz:/etc/httpd/saml2/https_vhost1.com_web1.xml
web2-co-dmz:/etc/httpd/saml2/https_vhost2.com_web2.xml
web2-co-dmz:/etc/httpd/saml2/https_vhost1.com_web2.xml

I then added an Include to each web vhost configuration, example:
vhost1.v-vhost.conf: Include saml2/www_mellon.conf
vhost2.com-vhost.conf: Include saml2/data_mellon.conf

I hope that helps