Thanks a lot for the suggestion. I checked this through a TAC case and would like to share the outcome here for the benefit of others:
Currently, ClearPass does not support the xml-c14n11 canonicalization method.
According to TAC, the reason is that ClearPass relies on the OpenSAML2 library, which does not implement xml-c14n11.
I hope this information is useful for anyone running into the same issue. If anyone has found practical workarounds or additional experience in similar environments, please share — it would be very helpful for the community.
Original Message:
Sent: Aug 06, 2025 03:30 AM
From: Herman Robers
Subject: [ClearPass/CPPM][SAML] XML Canonicalization Method (**xml-c14n11**) Support for SAML Request? Signature Verification Failed.
This is a very specific question, and the ClearPass IdP feature set is quite basic. It should not be considered a full-fledged SAML IdP, nor SP, but works in many cases.
I have not seen claims on xml-c14n11 support. Roadmap cannot be discussed in a public forum.
You may be lucky that someone has implemented the same, but my guess is that you can better work with TAC to troubleshoot the error that you see, and with your local HPE Aruba Networking sales team to answer the support/roadmap questions.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Aug 05, 2025 09:30 PM
From: hg
Subject: [ClearPass/CPPM][SAML] XML Canonicalization Method (**xml-c14n11**) Support for SAML Request? Signature Verification Failed.
Hi all,
I'm trying to integrate Aruba ClearPass Policy Manager (CPPM) v6.11.x as a SAML IdP for a third-party SP (Cloudbrink).
Everything works fine when using Microsoft Entra ID as the IdP for the same SP, but with ClearPass, I'm running into signature validation issues.
Background & Test Environment
- SP Name: Cloudbrink
- ClearPass Version: 6.11.x
- SP SAML Metadata: Requests canonicalization method http://www.w3.org/2006/12/xml-c14n11 (XML Canonicalization v1.1)
- IdP Metadata & Certificates: Imported correctly, standard formats
- With Entra ID as IdP: SAML SSO works as expected
Issue
- When the SP (Cloudbrink) sends a SAML AuthnRequest with xml-c14n11 canonicalization, ClearPass fails at the signature verification step.
- The Access Tracker first shows:
  Signature is trusted
  ...and then immediately:
  Signature verification failed
- As a result, application login fails.
- (See attached screenshots for details.)
What I Have Tried
- Double-checked SAML metadata/certificates on both sides
- Compared SAML flows between Entra ID and ClearPass (only fails on ClearPass with c14n11)
- Reviewed official Aruba documentation and forums, but could not find a definitive answer about c14n11 support
Screenshots Provided
- Access Tracker Screenshot:
- Packet Capture Screenshot:
Both screenshots are attached to clarify the sequence of validation and error points in the SAML authentication process.
My Questions
- Does ClearPass (CPPM) support SAML XML canonicalization method v1.1 (xml-c14n11)?
- Is only Exclusive Canonicalization (xml-exc-c14n#) supported?
- Has anyone successfully integrated ClearPass IdP with an SP that requires xml-c14n11?
- Any known workaround, settings, or roadmap for xml-c14n11 support in ClearPass?
Sample SAML Request Snippet
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
<!-- ... -->
</ds:SignedInfo>
Additional Notes
- Both SP and IdP metadata exchange and trust chain seem correct.
- If additional logs or SAML traces are needed, I can provide them.
Any advice or experience is highly appreciated. Thank you so much in advance!
--------------------------------------------------------------------------------------------------------------------------------------------
(1) ClearPass_AccessTracker_SignatureVerificationFailed.png

(2) ClearPass_PacketCapture_SignatureVerificationFailed.png

-------------------------------------------
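Added example, not part of the original thread and not Aruba or Cloudbrink code: a pre-flight check that decodes a captured SAMLRequest and reports any algorithm inside ds:SignedInfo that uses the C14N 1.1 method which, per the TAC answer above, ClearPass cannot process. It assumes the HTTP-POST binding (signature embedded in the XML, as in the snippet in the question); the function names and the sample request are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Per the TAC answer in this thread, ClearPass cannot process C14N 1.1.
# Listing the #WithComments variant too is an assumption of this example.
C14N11 = {
    "http://www.w3.org/2006/12/xml-c14n11",
    "http://www.w3.org/2006/12/xml-c14n11#WithComments",
}
CHECKED = ("CanonicalizationMethod", "Transform", "SignatureMethod", "DigestMethod")

# Constructed sample (not a real capture): signed AuthnRequest, values elided.
SAMPLE_XML = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_constructed1"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:AuthnRequest>"""
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_XML).decode()


def signature_algorithms(saml_request_b64):
    """Return (element, Algorithm) pairs from every ds:SignedInfo in the request."""
    xml_bytes = base64.b64decode(saml_request_b64, validate=True)
    # Refuse DTDs before parsing: SAML messages never need one, and
    # ElementTree would otherwise expand internal entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not allowed in SAML messages")
    root = ET.fromstring(xml_bytes)
    pairs = []
    for signed_info in root.iter(DS + "SignedInfo"):
        for el in signed_info.iter():
            name = el.tag.replace(DS, "")
            if name in CHECKED:
                pairs.append((name, el.get("Algorithm")))
    return pairs


def c14n11_findings(saml_request_b64):
    """Algorithms in the request that ClearPass, per this thread, will not verify."""
    return [(n, a) for n, a in signature_algorithms(saml_request_b64) if a in C14N11]
```

Running `c14n11_findings` on the base64 SAMLRequest value taken from a browser SAML trace shows whether the SP has to be reconfigured before the request ever reaches the ClearPass IdP.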