Cannot Authenticate to WSS with SAML



Article ID: 176474


Updated On:


Cloud Secure Web Gateway - Cloud SWG


  • Users configured to authenticate to WSS via SAML
  • Everything worked fine for months, then all users suddenly reported getting error pages instead of the web pages they were trying to access via WSS
  • The SAML IDP server works fine with other SAML SPs, so this is not a general issue with the IDP server


A number of different error messages may appear, all originating from the WSS error page. The main strings to look for are:

  • Account locked - you cannot login because your account is locked out
  • Access Denied - Authentication required
  • Configuration_error

Note: No browsing will be possible unless unauthenticated users are allowed through.


  • WSS with SAML authentication
  • Independent of the SAML IDP server - can happen with ADFS, Okta, Ping, etc.
  • Independent of surrogacy configuration - IP or Cookie



The recent WSS update shipped with a new SAML feature that allows an admin to define whether or not the SAML AuthnRequests are signed. Because this feature was enabled by default, the AuthnRequests generated by the WSS SAML SP could not be processed on the SAML IDP server side unless the IDP had access to the signing certificate. Since the IDP server was unchanged and no certificate had been imported to validate the signature, the IDP server responded with a status of "Responder" and did not include any assertion info about the user.
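As an added diagnostic example (not part of this article or the WSS product), the following Python snippet decodes captured SAMLRequest/SAMLResponse parameters so an admin can confirm the two facts described above: that the AuthnRequest carries an XML signature, and that the IDP's Response returns a StatusCode of Responder instead of Success. The sample messages are constructed, not captured from any real IDP or SP.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_saml(b64: str) -> ET.Element:
    """Decode a SAMLRequest/SAMLResponse value. HTTP-POST carries plain base64
    XML; HTTP-Redirect carries base64 of raw-DEFLATE XML, so inflate on parse failure."""
    raw = base64.b64decode(b64)
    try:
        return ET.fromstring(raw)
    except ET.ParseError:
        return ET.fromstring(zlib.decompress(raw, -15))


def authn_request_is_signed(b64: str) -> bool:
    """True if the AuthnRequest embeds an XML-DSig <ds:Signature> (POST binding).
    With the Redirect binding the signature travels in the separate 'Signature'
    query parameter instead, so check for that parameter there."""
    return decode_saml(b64).find("ds:Signature", NS) is not None


def response_status(b64: str) -> str:
    """Return the top-level StatusCode Value of a SAML Response ('' if absent)."""
    code = decode_saml(b64).find("samlp:Status/samlp:StatusCode", NS)
    return code.get("Value", "") if code is not None else ""


# Constructed sample messages (hypothetical IDs, no real IDP/SP involved).
_REQ = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_req1" Version="2.0">%s</samlp:AuthnRequest>')
SIGNED_REQ = base64.b64encode(
    (_REQ % '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>').encode()).decode()
_c = zlib.compressobj(wbits=-15)  # Redirect binding: raw DEFLATE, then base64
UNSIGNED_REQ = base64.b64encode(_c.compress((_REQ % "").encode()) + _c.flush()).decode()
RESPONDER_RESP = base64.b64encode(
    ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">'
     '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
     '</samlp:Status></samlp:Response>').encode()).decode()

if __name__ == "__main__":
    print("AuthnRequest signed:", authn_request_is_signed(SIGNED_REQ))  # True
    print("IDP status:", response_status(RESPONDER_RESP))  # ...:status:Responder
```

Feed it the SAMLRequest value from the browser's redirect to the IDP and the SAMLResponse value posted back to WSS; a signed request plus a Responder status with no Assertion matches the cause above.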


Disable the option to Sign Authentication Requests on the SAML Configuration tab as shown below:

Note that this option has been removed temporarily and will be included in a future release.