Unsupported SAML signature algorithms in IAM 7.6 and later

This article explains why certain unsafe signature algorithms used for SAML are no more supported in Airlock IAM 7.6 and later and what to do about it.

Affected features and versions

  • Affected IAM versions:
  • IAM 7.6 and later
  • Affected Loginapp UI features:
  • SAML IDP (identity provider)
  • SAML SP (service provider)

Problem description

Airlock IAM 7.6 uses Java 17 which enables so-called secure validation by default. As a consequence, some older cryptographic algorithms are disabled for security reasons.

Depending on the configuration the disabled algorithms may be used in SAML (Airlock IAM as IDP or SP) and therefore the SAML features may fail to work and write a log message similar to the following example:

Example message for the SAML SP:

001 SPAssertionConsumerService: 
Exception while processing SAML message 
com.sun.identity.saml2.common.SAML2Exception: Single Sign On failed. 
...  

The reason for the failure is only logged in DEBUG log level:

Example log output if the rsa-sha1 algorithm is used:

SPACSUtils: SPACSUtils.processResponseForFedletcom.sun.identity.saml2.common.SAML2Exception: It is forbidden to use algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 when secure validation is enabled...
  • The following XML signature algorithms are affected in SAML:
  • http://www.w3.org/2000/09/xmldsig#dsa-sha1
  • http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • http://www.w3.org/2001/04/xmldsig-more#rsa-md5

Check the IAM SAML configuration to find out if your deployment is affected.

The allowed XML signature verification algorithms are configured in:
Loginapp >> SAML Settings >> SAML Federation Settings >> Allowed XML Signature Algorithm(s)

The XML signature algorithm for signing messages is configured in:
Loginapp >> SAML Settings >> SAML Federation Settings >> XML Signature Algorithm

Preferred solution: use new algorithms

The preferred solution is to change your SAML setup to use up-to-date XML signature algorithms.

However, this may affect other parties involved in the SAML setup: all SPs and the IDP must support the algorithms. Note, that XML signature algorithms are not only used for SAML assertions but for all digitally signed SAML messages.

  • Systems to check when changing to new signing algorithms:
  • If Airlock IAM is the IDP: make sure all involved SPs support at least one of the newly allowed XML signature algorithms.
  • If Airlock IAM is the SP: make sure the IDP supports at least one of the newly allowed XML signature algorithms.
  1. To change the allowed XML signature algorithms:
  2. Go to:
    Loginapp >> SAML Settings >> SAML Federation Settings
  3. Adapt the value of property XML Signature Algorithm to change the algorithm used to sign SAML messages.
  4. Adapt the list of values of property Allowed XML Signature Algorithm(s) to change the list of allowed signature algorithms used to verify signed SAML messages.
    • Depending on the new algorithms, cryptographic key material has to be updated:
    • Public keys in the SAML metadata files (idp.xml and sp.xml) may need to be updated.
    • Private keys may need to be updated.

    Example:
    If changing from a DSA to an RSA algorithm, new key pairs have to be generated.

Alternative solution – allow old algorithms

  • As an alternative, the disallowed algorithms may be enabled. This avoids making changes in the SAML peers (remote SPs or IDP) but has the following disadvantages:
  • The disabled algorithms are less secure.
  • Support for the disabled algorithms may be removed altogether in future versions.
  1. To re-enable the disabled algorithms proceed as follows:
  2. Copy the used JVM's security policy file to the common instance directory.
    Example: cp <iam-binaries-dir>/jre/conf/security/java.security <iam-install-dir>/instances/common/
  3. Remove the disallowAlg directives for the required algorithm(s). Note that it is not possible to just comment out the directive because of the multi-line string notation.
  4. In the instance configuration of all affected instances (e.g. <iam-install-dir>/instances/auth/instance.properties), set the following system property in the iam.java.opts property:
    iam.java.opts = -Djava.security.properties=instances/common/java.security
  5. Restart the affected IAM instances.

The above instructions may have to be repeated after updating Airlock IAM to a new version. A new IAM version may use a new Java JRE which may contain a more up-to-date security policy file (java.security). Without repeating the instructions above, updates to the security policy would not be applied.