  • 401 - Authentication Failed: Error validating SAML message

    I'm having a recurring issue with SAML authentication failing. We've had this bug before but mysteriously it went away and only comes back after we update code and redeploy.

    I have tried the ntp sync, and also downloaded the latest jar for spring-security-saml2-core-1.0.0.RC2.jar.

    The error we are getting is very generic, and everything before it looks successful.

    In the browser: 401 - Authentication Failed: Error validating SAML message

    In the logs:


    Code:
    INFO  SAMLDefaultLogger - AuthNResponse;FAILURE;10.33.114.42
    org.opensaml.common.SAMLException: Error validating SAML response
            at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:246)
            at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
            at com.googlecode.psiprobe.Tomcat60AgentValve.invoke(Tomcat60AgentValve.java:30)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)

  • #2
    Hi,

    Can you please enable message logging and post the whole assertion you're getting back from IDP?

    Thanks,
    Vladi

    • #3
      Originally posted by vsch View Post
      Hi,

      Can you please enable message logging and post the whole assertion you're getting back from IDP?

      Thanks,
      Vladi
      Code:
      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://vidsrvp01p.corp.ini:443/Video/saml/SSO/alias/defaultAlias" ID="_2ec4efd8-17b3-4cc5-850c-d609271cf221" InResponseTo="a3hce2j5704id49144f0f43067gi52b" IssueInstant="2013-07-25T20:13:44Z" Version="2.0">
         <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">hasw01.initech.com</saml:Issuer>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <Reference URI="#_2ec4efd8-17b3-4cc5-850c-d609271cf221">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/>
                     </Transform>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>V0rgmfD2tEk56z4Jqpe1jEEr27k=</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>cK7mRePti0DlkwLxoFNQjIoDX4CUCMBLNrLpwO34dU4jiwGkdojsnw+JE3eFB5dF8sTzWhOmdIXF/MecLSFR2CeHvyyN44vcHuRqDGiWXPfgTv2/8pDmgUP2ABDiShJ/oUTLuY6l+elQdNLvgh1aOJb+ToCxFWADjEODGXmBlOY=</SignatureValue>
            <KeyInfo>
               <X509Data>
                  <X509Certificate>MIIEzzCCA7egAwIBAgIKacqFuwAAAAABUDANBgkqhkiG9w0BAQUFADCBxzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFlNlY3VyZUF1dGggQ29ycG9yYXRpb24xOzA5BgNVBAsTMihjKSAyMDEyIFNlY3VyZUF1dGggQ29ycCAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEmMCQGA1UEAxMdU2VjdXJlQXV0aCBJbnRlcm1lZGlhdGUgQ0EgMUEwHhcNMTIwMzI5MTg1ODQ3WhcNMjIwMzI5MTg1ODQ3WjCBjTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1hcnlsYW5kMRIwEAYDVQQHEwlGcmVkZXJpY2sxGjAYBgNVBAoTEUxpZmUgVGVjaG5vbG9naWVzMR0wGwYDVQQLExRJbmZvcm1hdGlvbiBTZWN1cml0eTEcMBoGA1UEAxMTc2FodzAxLmxpZmV0/xZ1LuMdJGKTaEGmwnH+4jriNB84JZIKtIv5On+ZvpvHwHDR+5o815cyUtS9HXaAFztcgtxifiYFoHFfrUCAwEAAaOCAXcwggFzMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFNiSShI09gRoKn1vdDBYtg7pwj0lMB8GA1UdIwQYMBaAFMYEnZjwynY3zNFl1fyz+3UsuRYNMGMGA1UdHwRcMFowWKBWoFSGUmh0dHA6Ly94NTA5Lm11bHRpZmFjdG9ydHJ1c3QzLmNvbS9DZXJ0SW5mby9TZWN1cmVBdXRoJTIwSW50ZXJtZWRpYXRlJTIwQ0ElMjAxQS5jcmwwgZkGCCsGAQUFBwEBBIGMMIGJMIGGBggrBgEFBQcwAoZ6aHR0cDovL3g1MDkubXVsdGlmYWN0b3J0cnVzdDMuY29tL0NlcnRJbmZvL1NBSW50Q0EtMUEuYmFubmVyLm11bHRpZmFjdG9ydHJ1c3QzLmNvbV9TZWN1cmVBdXRoJTIwSW50ZXJtZWRpYXRlJTIwQ0ElMjAxQS5jcnQwDQYJKoZIhvcNAQEFBQADggEBAKD6luD8/G9kCXZvvuplyMzg/b/mdNYqWNENn6wLPB59rsv3LIRYryXF3IJvQ2KgGugtkg+bFz7l/65bcXBOJfZmSKTtIEX9WfFmoJA6gUQARvzrz+X+yDLtJM1Z7PMpRQUDLE5vChnH/AnNsI1sSH52+26V053/K/Shb6lEYUA8h0AKrUEIaTlQRiCT8cdZQ/++RVLFn7wgQCiS7xPhB9Ytg5MqnZVUH8xI9UjXBWq+xkOaqvcFZIkOj8U3ODxv3JEZE14AMHWD3MeXpuL2rf8GCsfSlSPncLtHX9lkt0qFYz4njfqnrG9BRwfnploUGNSsGaFdD3B7c59aK5pA5P0=</X509Certificate>
               </X509Data>
            </KeyInfo>
         </Signature>
         <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
         </samlp:Status>
         <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_50d902df-d46a-4255-995a-c257d2acdeab" IssueInstant="2013-07-25T20:13:44Z" Version="2.0">
            <saml:Issuer>sahw01.initech.com</saml:Issuer>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
               <SignedInfo>
                  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                  <Reference URI="#_50d902df-d46a-4255-995a-c257d2acdeab">
                     <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                           <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>
                        </Transform>
                     </Transforms>
                     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                     <DigestValue>vnhAgGPuQ24O3b88ig/IX0zVT24=</DigestValue>
                  </Reference>
               </SignedInfo>
               <SignatureValue>CqLQpECGLVCXjS+z0r6R88woFbYsv0y8r1YBUMnpW+n8JWNupVCFA1HysQoVVEOtYDGyXZ4UHkH3WkKbmNgJDNDVtjLkdREgeUG9CoutnfpDBiI8sVWu/sBxBjPDzhtH48SUT+H7xOCnEM339lqT3gZh1gC3W5eTRqrqMz+c6tc=</SignatureValue>
               <KeyInfo>
                  <X509Data>
                      <X509Certificate>[X509Certificate value omitted]</X509Certificate>
                  </X509Data>
               </KeyInfo>
            </Signature>
            <saml:Subject>
               <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">avant</saml:NameID>
               <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                  <saml:SubjectConfirmationData InResponseTo="a3hce2j5704id49144f0f43067gi52b" NotOnOrAfter="2013-07-25T21:13:44Z" Recipient="https://vidsrvp01p.corp.ini:443/Video/saml/SSO/alias/defaultAlias"/>
               </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Conditions NotBefore="2013-07-25T20:13:44Z" NotOnOrAfter="2013-07-25T21:13:44Z">
               <saml:AudienceRestriction>
                  <saml:Audience>https://video.corp.ini:443/Video/saml/metadata/alias/defaultAlias</saml:Audience>
               </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AuthnStatement AuthnInstant="2013-07-25T20:13:44Z" SessionIndex="a3hce2j5704id49144f0f43067gi52b">
               <saml:AuthnContext>
                  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
               </saml:AuthnContext>
            </saml:AuthnStatement>
         </saml:Assertion>
      </samlp:Response>

      • #4
        The validation fails when checking the assertion, but I can't really spot the reason yet. The next thing to do is to enable debug logging for the package org.springframework.security.saml.websso and try again. The log will contain detailed information about why it can't perform the validation, which should get us further.

        Vladi

        • #5
          Hi guys,
          Any update regarding this topic?
          I have the same problem with the checking of the assertions.

          • #6
            Hi, please enable debug logging, retry the SSO and post the result. It should contain the reason for the failure.

            • #7
              I added a file (log.txt) with the SSO results.
              • #8
                The exception in the logs states: InResponseToField doesn't correspond to sent message.

                This problem typically occurs when the request is sent from a different scheme or URL than where the response is received. E.g. the request is sent from http://host/app/saml/ but the response comes to https://host/app/saml/, or the request is sent from http://localhost/app/saml/ but the response comes to http://host/app/saml/.

                You can find more details in this thread.

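To make the InResponseTo failure from #8 concrete, here is an added Python example (not code from this thread or from the Spring SAML project) of the checks an SP performs on a Response before it accepts the assertion: InResponseTo against the request IDs stored in the current HTTP session, Destination and Recipient against the assertion consumer URL, the Audience against the SP entity ID, and the validity window. The sample Response is a constructed, signature-free excerpt that keeps the identifiers from the Response posted in #3; signature verification is out of scope here. The session store modelled as a plain set, and the function and constant names, are assumptions of this example.

```python
"""Added example: SP-side checks of a SAML Response's correlation, recipient,
audience and time fields. Not from the thread or the Spring SAML project."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, signature-free excerpt using the identifiers from the posted Response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://vidsrvp01p.corp.ini:443/Video/saml/SSO/alias/defaultAlias"
  ID="_2ec4efd8-17b3-4cc5-850c-d609271cf221" InResponseTo="a3hce2j5704id49144f0f43067gi52b"
  IssueInstant="2013-07-25T20:13:44Z" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_50d902df-d46a-4255-995a-c257d2acdeab" IssueInstant="2013-07-25T20:13:44Z" Version="2.0">
    <saml:Subject>
      <saml:NameID>avant</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="a3hce2j5704id49144f0f43067gi52b"
          NotOnOrAfter="2013-07-25T21:13:44Z"
          Recipient="https://vidsrvp01p.corp.ini:443/Video/saml/SSO/alias/defaultAlias"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-07-25T20:13:44Z" NotOnOrAfter="2013-07-25T21:13:44Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://video.corp.ini:443/Video/saml/metadata/alias/defaultAlias</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2013-07-25T20:13:44Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, session_request_ids, acs_url, entity_id, now):
    """Return (ok, reason). session_request_ids holds the AuthnRequest IDs the SP
    stored in *this* HTTP session when it sent the request. Because that store is
    bound to the session, a response arriving under a different scheme or host
    lands in a different session and its ID is not found (the #8 failure)."""
    root = ET.fromstring(xml_text)
    in_response_to = root.get("InResponseTo")
    if in_response_to not in session_request_ids:
        return False, "InResponseToField doesn't correspond to sent message"
    if root.get("Destination") != acs_url:
        return False, "Destination does not match the assertion consumer URL"
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return False, "status is not Success: " + status
    assertion = root.find("saml:Assertion", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("InResponseTo") != in_response_to:
        return False, "SubjectConfirmationData InResponseTo mismatch"
    if scd.get("Recipient") != acs_url:
        return False, "Recipient does not match the assertion consumer URL"
    if now >= _ts(scd.get("NotOnOrAfter")):
        return False, "bearer confirmation expired"
    cond = assertion.find("saml:Conditions", NS)
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window (check NTP sync)"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        return False, "SP entity ID not in Audience"
    return True, "ok"


# Assumed SP configuration, taken from the URLs in the posted Response.
ACS = "https://vidsrvp01p.corp.ini:443/Video/saml/SSO/alias/defaultAlias"
ENTITY_ID = "https://video.corp.ini:443/Video/saml/metadata/alias/defaultAlias"
NOW = datetime(2013, 7, 25, 20, 20, 0, tzinfo=timezone.utc)


def demo():
    """Run the validator in three situations: correct session, wrong session, late clock."""
    same_session = {"a3hce2j5704id49144f0f43067gi52b"}   # session that sent the request
    ok = validate_response(SAMPLE_RESPONSE, same_session, ACS, ENTITY_ID, NOW)
    other_session = set()                                 # fresh session on another host/scheme
    bad = validate_response(SAMPLE_RESPONSE, other_session, ACS, ENTITY_ID, NOW)
    late_clock = datetime(2013, 7, 25, 21, 30, 0, tzinfo=timezone.utc)
    late = validate_response(SAMPLE_RESPONSE, same_session, ACS, ENTITY_ID, late_clock)
    return ok, bad, late


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second case reproduces the message from #8: the response is perfectly well-formed and signed, but the session it lands in never stored the request ID, so the correlation check fails before any other field is looked at. The third case is the one the original poster's NTP sync was meant to rule out.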