Your request could not be processed because of a configuration error: "Failed to parse or create SAML document."

Article ID: 205156

Updated On:

Products

ProxySG Software - SGOS
Advanced Secure Gateway Software - ASG

Issue/Introduction

After you log in at your identity provider's login page, the browser POSTs the SAML response to the HTTPS POST URL configured on the proxy, https://proxy:port/saml/realm/bcsamlpost, and you receive the error:

Your request could not be processed because of a configuration error: "Failed to parse or create SAML document."


The following messages are shown in the Auth debug log (newest entry first):

Note: To capture the Auth debug log, enable the debug masks at https://proxy:8082/Auth/debug_set_mask and view the log at https://proxy:8082/Auth/debug.


9939.008 TT 1095B4BC2E0 End_auth 0 0 0 195988000 - http://domain.com/
9939.008 Realm_SAML: Unable to validate signature: 0x250215(2425365)                                    << not able to validate the signature
9939.007 SAML_Security_context_manager: Building new single-tenant context.
9939.007 Realm_SAML: IssueInstant is valid!
9939.007 Realm_SAML: Using "not after" time from assertion: 2020-12-02T15:34:25.342Z
9939.007 Realm_SAML: Using "not before" time from assertion: 2020-12-02T15:24:25.342Z
9939.007 <?xml version="1.0"?>

... the SAML response is printed here; note that no <KeyInfo> element appears anywhere in it ...

9939.007 </samlp:Response>
9939.007 Realm_SAML: Received SAML AuthnResponse
9939.007 Processing SAML message: Is post: true, for proxy: false
9939.006 Not authenticated.
9939.006 User_auth::Authenticate
9939.006 TT 1095B4BC2E0 Start_auth 0 0 0 195988000 - https://proxy:port/saml/realm/bcsamlpost


Cause

SAML assertions carry an XML digital signature produced with the identity provider's signing key. To validate that signature, the service provider needs the matching signing certificate.

Most Identity Providers (IDPs) include a copy of the signing certificate in the signature's <KeyInfo> element by default.

The ProxySG expects to find the signing certificate in this element. When the element is absent, signature validation fails (the "Unable to validate signature" line in the debug log above) and the proxy reports the configuration error.

Resolution

In your IDP's settings, enable sending the signing certificate in the <KeyInfo> element of the signature. The signature in the SAML assertion should then contain elements of the form:

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data>
    <ds:X509Certificate>MIIC5DCCAcygAwIBAgI ...removed... NIxj9GM65</ds:X509Certificate>
  </ds:X509Data>
</ds:KeyInfo>

Note that an embedded certificate only tells the service provider which key the IDP claims to have used; it does not by itself prove the assertion is genuine. Anyone can sign a forged assertion with their own key and embed their own certificate, so the certificate found in <KeyInfo> must still be matched against the IDP signing certificate the service provider has been configured to trust before the signature result is relied on.
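As an added example (not from this article and not ProxySG code), the following Python check inspects a SAML response the way an operator might before or after changing the IDP setting: it reports whether every ds:Signature in the message carries a certificate in <KeyInfo>, and whether that certificate matches a pinned IDP fingerprint. The SAML response, the IDP issuer URL, the certificate bytes and the pinned fingerprint are all constructed for the demo; the DigestValue and SignatureValue are placeholders, so the example checks the presence and identity of the certificate, not the cryptographic validity of the signature.

```python
import base64
import hashlib
from typing import Optional
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 response and its XML-DSig signature.
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholder "certificate" bytes for the demo; NOT a real X.509
# certificate. A real IDP would put its DER-encoded signing cert here.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of DER certificate bytes."""
    return hashlib.sha256(der).hexdigest()


# Assumed: the fingerprint the operator pinned from the IDP's metadata.
TRUSTED_FINGERPRINT = sha256_fingerprint(FAKE_CERT_DER)


def build_response(include_keyinfo: bool) -> str:
    """Constructed SAML AuthnResponse with a signed assertion, with or
    without ds:KeyInfo. Digest and signature values are placeholders."""
    keyinfo = (
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B64}"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        if include_keyinfo else ""
    )
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
    Version="2.0" Destination="https://proxy:port/saml/realm/bcsamlpost">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-12-02T15:29:25.342Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature xmlns:ds="{DS}">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
      {keyinfo}
    </ds:Signature>
    <saml:Conditions NotBefore="2020-12-02T15:24:25.342Z"
                     NotOnOrAfter="2020-12-02T15:34:25.342Z"/>
  </saml:Assertion>
</samlp:Response>"""


def signing_cert_from_signature(sig: ET.Element) -> Optional[bytes]:
    """DER bytes of ds:KeyInfo/ds:X509Data/ds:X509Certificate, or None when
    the signature carries no certificate (the case behind the ProxySG error
    'Failed to parse or create SAML document')."""
    cert = sig.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if cert is None or not cert.text or not cert.text.strip():
        return None
    # Base64 in XML is often wrapped across lines; drop all whitespace first.
    return base64.b64decode("".join(cert.text.split()))


def check_response(response_xml: str, trusted_fingerprint: str) -> str:
    """Classify a SAML response as 'unsigned', 'no-keyinfo-cert',
    'untrusted-cert' or 'ok'. Every ds:Signature in the message must carry a
    certificate whose fingerprint matches the pinned IDP certificate."""
    # xml.etree keeps this example standard-library only; code that parses
    # attacker-controlled XML in production should use defusedxml instead.
    root = ET.fromstring(response_xml)
    signatures = list(root.iter(f"{{{DS}}}Signature"))
    if not signatures:
        return "unsigned"
    for sig in signatures:
        der = signing_cert_from_signature(sig)
        if der is None:
            return "no-keyinfo-cert"
        if sha256_fingerprint(der) != trusted_fingerprint.lower():
            # A cert in KeyInfo is only a hint: an attacker can embed their own.
            return "untrusted-cert"
    return "ok"


if __name__ == "__main__":
    for has_keyinfo in (False, True):
        label = "KeyInfo present" if has_keyinfo else "KeyInfo missing"
        print(label, "->", check_response(build_response(has_keyinfo), TRUSTED_FINGERPRINT))
```

Run it as-is and the two constructed responses are classified as no-keyinfo-cert and ok respectively; feed it the XML captured from the Auth debug log (the <?xml ...> block between "Received SAML AuthnResponse" and </samlp:Response>) to see which of the two conditions your IDP is actually producing. The fingerprint comparison is the part that matters once the IDP change is made: a response whose embedded certificate does not match the pinned one should be rejected, not accepted because a certificate is merely present.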