Problem:
After setting up the SAML configuration, when logging into the UI you are presented with the following error, which is also logged in splunkd.log:
05-25-2017 15:19:13.453 +0000 ERROR UiSAML - Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert :/opt/splunk/etc/auth/idpCerts/idpCert.pem;
Environment:
IdP: Ping Identity
Splunk 6.6.0
Linux x86_64
This was happening because the certificate that got sent across in the assertion is just a leaf certificate. You will need to upload the root, intermediate and leaf certificates from the IdP to Splunk for us to verify its validity.
This can be done from the UI: Access controls -> Authentication method -> SAML settings -> Configure SAML -> IdP certificate chains
- You can chain all 3 here. Create the cert chain with the root first, then the intermediate, then the leaf.
- The certs have to be in Base64-encoded format and will require the BEGIN CERTIFICATE and END CERTIFICATE tags as delimiters:
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the intermediate certificate)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the leaf certificate)...
-----END CERTIFICATE-----
Once you do that, Splunk will create a new directory, idpCertChain_1, and put the root cert in it as cert_1.pem, the intermediate cert as cert_2.pem, and the leaf cert as cert_3.pem:
splunk@sh1:~/etc/auth/idpCerts/idpCertChain_1$ pwd
/opt/splunk/etc/auth/idpCerts/idpCertChain_1
splunk@sh1:~/etc/auth/idpCerts/idpCertChain_1$ ls
cert_1.pem cert_2.pem cert_3.pem
Then you will just have to remove the idpCert.pem in etc/auth/idpCerts and it will be a valid chain.
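Several later replies in this thread report "Cannot load certificate - unrecognized file type" or "failed to load pem certificate from file=.../cert_1.pem" after pasting a chain. Those messages come from the PEM loader, so the first thing to check is the framing of what was pasted: a UTF-8 BOM, Windows CRLF line endings, text outside the BEGIN/END blocks (such as "Bag Attributes" from a PKCS#12 export), a placeholder left in place of a certificate, or a body that is not valid Base64/DER. The script below is an added example, not Splunk's code or the answer author's; it only inspects PEM framing and the outer DER structure, it does not validate signatures or issuer/subject chaining, and the sample chain it carries is constructed from tiny hand-made ASN.1 blobs that are not real certificates. The cert_N.pem names it assigns follow the numbering the answer describes for the idpCertChain_1 directory.

```python
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n?(.*?)\n?-----END CERTIFICATE-----", re.S)


def check_der_sequence(der: bytes):
    """Return None if `der` is one complete DER SEQUENCE, else a description of the defect.
    A certificate is a SEQUENCE (tag 0x30) whose encoded length must cover exactly the
    remaining bytes; anything else is not something a certificate loader will accept."""
    if len(der) < 2 or der[0] != 0x30:
        return "decoded bytes do not start with a DER SEQUENCE tag"
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form length, 1..4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return "malformed DER length"
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    if header + length != len(der):
        return f"DER length {length} does not match {len(der) - header} content bytes"
    return None


def check_chain(pem_text: str) -> dict:
    """Inspect a pasted IdP certificate chain for the framing mistakes that make a
    PEM loader report 'unrecognized file type'. Returns {'problems': [...], 'certs': [...]},
    where each cert entry carries the cert_N.pem name for its position in the chain."""
    problems = []
    if pem_text.startswith("\ufeff"):
        problems.append("file starts with a UTF-8 BOM; remove it")
        pem_text = pem_text.lstrip("\ufeff")
    if "\r\n" in pem_text:
        problems.append("file uses CRLF line endings; convert to LF")
    text = pem_text.replace("\r\n", "\n")

    # Anything outside the BEGIN/END blocks (export metadata, a stray description line)
    # is rejected by strict loaders even though the certificates themselves are fine.
    outside = BLOCK_RE.sub("", text).strip()
    if outside:
        problems.append(f"text outside certificate blocks: {outside.splitlines()[0][:40]!r}")
    if text.count(BEGIN) != text.count(END):
        problems.append("unbalanced BEGIN/END CERTIFICATE lines")

    blocks = BLOCK_RE.findall(text)
    if not blocks:
        problems.append("no PEM certificate blocks found (is the file DER, not PEM?)")

    certs = []
    for i, body in enumerate(blocks, start=1):
        entry = {"file": f"cert_{i}.pem", "ok": False, "sha256": None, "error": None}
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            entry["error"] = f"body is not valid Base64: {exc}"   # e.g. a placeholder was pasted
            certs.append(entry)
            continue
        defect = check_der_sequence(der)
        if defect:
            entry["error"] = defect
        else:
            entry["ok"] = True
            # Fingerprint of the DER bytes; compare the leaf's value with the certificate
            # embedded in the IdP metadata or the assertion's ds:X509Certificate element.
            entry["sha256"] = hashlib.sha256(der).hexdigest()
        certs.append(entry)
    return {"problems": problems, "certs": certs}


# Constructed sample input: three minimal DER SEQUENCEs standing in for root,
# intermediate and leaf. They are NOT real certificates, only valid framing.
GOOD_CHAIN = (
    f"{BEGIN}\nMAMCAQE=\n{END}\n"
    f"{BEGIN}\nMAMCAQI=\n{END}\n"
    f"{BEGIN}\nMAMCAQM=\n{END}\n"
)

# Constructed bad input: BOM, CRLF, export metadata, a pasted placeholder and a truncated DER body.
BAD_CHAIN = (
    "\ufeffBag Attributes\r\n"
    f"{BEGIN}\r\n... (the root certificate for the CA)...\r\n{END}\r\n"
    f"{BEGIN}\r\nMAMCAQ==\r\n{END}\r\n"
)


def report(pem_text: str) -> None:
    result = check_chain(pem_text)
    for p in result["problems"]:
        print(f"PROBLEM: {p}")
    for c in result["certs"]:
        status = f"ok sha256={c['sha256']}" if c["ok"] else f"ERROR {c['error']}"
        print(f"{c['file']}: {status}")


if __name__ == "__main__":
    # Run against the file you pasted: python check_chain.py < idpchain.pem (hypothetical filename)
    import sys
    report(sys.stdin.read() if not sys.stdin.isatty() else BAD_CHAIN)
```

Once the framing is clean, the ordering the answer prescribes (root, then intermediate, then leaf) can be confirmed on the split files with `openssl x509 -noout -subject -issuer -in cert_N.pem`: each certificate's issuer should equal the subject of the one before it, and cert_3.pem's fingerprint should match the certificate the IdP actually signs assertions with.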
Hello. Even though I updated the chain certificates I am getting the below error:
“Verification of SAML assertion using the IDP's certificate provided failed. Cannot load certificate - /apps/splunk/etc/auth/idpCerts/.0, unrecognized file type.Error: Failed to verify signature with cert :/apps/splunk/etc/auth/idpCerts/idpCertChain_1;”
Any inputs would be helpful
I got this error.
"Failed to load trusted certificate Cannot load certificate - unrecognized file type Verify the full path including the filename is correct and points to the certificate from the IDP"
I imported the cert chain a number of times but no luck.
Any help would be appreciated.
Thank you! This fixed my issue with chained certificates and SAML.
Hello, first of all thanks for the tip.
I did the workaround on Splunk 6.6.1 / Linux x86_64 but the problem persists.
Error message:
Failed to load trusted certificate {$SPLUNK_HOME/etc/auth/idpCerts/idpCertChain_1} Error: failed to load pem certificate from file=$SPLUNK_HOME/etc/auth/idpCerts/idpCertChain_1/cert_1.pem Verify the full path including the filename is correct and points to the certificate from the IDP.
Any tip will be very welcome. Thanks in advance.
I got the same error.
"Failed to load trusted certificate Cannot load certificate - unrecognized file type Verify the full path including the filename is correct and points to the certificate from the IDP"
I imported the cert chain a number of times but no luck.
Any update on this?
I got this error too. Were you able to overcome the problem?
01-08-2019 19:30:25.642 +0000 ERROR XmlParser - func=xmlSecOpenSSLAppKeysMngrCertLoad:file=app.c:line=872:obj=unknown:subj=xmlSecOpenSSLAppKeysMngrCertLoadBIO:error=1:xmlsec library function failed:filename=/opt/splunk/etc/auth/idpCerts/idpCertChain_1/cert_1.pem
01-08-2019 19:30:25.642 +0000 ERROR Saml - Unable to load cert at: /opt/splunk/etc/auth/idpCerts/idpCertChain_1
01-08-2019 19:30:25.642 +0000 ERROR UiSAML - Failed to load trusted certificate {/opt/splunk/etc/auth/idpCerts} Error: failed to load pem certificate from file=/opt/splunk/etc/auth/idpCerts/idpCertChain_1/cert_1.pem
Have the same issue. Did you solve it on your side? @smitra_splunk
