"configuration_error" returned instead of IDP login page when SAML authentication enabled on WSS

Article ID: 242943

Products

Web Security Service - WSS

Issue/Introduction

Users access internet sites via WSS using the WSS Agent.

Users authenticate using the SAML protocol, and everything works fine.

The SAML Identity Provider administrator wants signed AuthnRequests for additional security, as WSS uses the POST/redirect bindings.

When the SAML IDP server is set up to require signed AuthnRequests, users get a WSS 'configuration_error' instead of the expected IDP login page.

The SAML IDP server responds with a 'Responder' status because it expects a signed AuthnRequest.

Cause

WSS did not support the signing of SAML AuthnRequests until the May 27 '22 Portal update.

Environment

SAML Authentication

Any IDP server supporting Signed Authentication Requests

Resolution

Two things are needed to accomplish this:

1. Enable the signing of SAML authentication requests in the WSS portal.

2. Export the WSS metadata and import it into the SAML IDP server for the WSS SAML SP. 
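To confirm after step 1 that the AuthnRequests reaching the IDP actually carry a signature, the following added example (not Broadcom's code) inspects a request captured from a test login for either binding. The function names, the `idp.example.com` URL and the sample messages are constructed assumptions, and the check covers signature presence only, not validity.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def _authn_request(xml_bytes):
    # Parse only requests captured from your own test login (ElementTree is not hardened).
    root = ET.fromstring(xml_bytes)
    if root.tag != SAMLP + "AuthnRequest":
        raise ValueError("not a SAML AuthnRequest: " + root.tag)
    return root

def redirect_request_signed(url):
    """HTTP-Redirect: the signature travels as SigAlg and Signature query parameters."""
    q = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in q:
        raise ValueError("no SAMLRequest parameter in URL")
    # The Redirect binding encodes the message as base64(raw DEFLATE(xml)).
    _authn_request(zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15))
    return "SigAlg" in q and "Signature" in q

def post_request_signed(saml_request_b64):
    """HTTP-POST: the signature is a ds:Signature child of the AuthnRequest."""
    root = _authn_request(base64.b64decode(saml_request_b64))
    return root.find(DS + "Signature") is not None

# --- constructed sample messages (not captured from WSS) ---
def sample_xml(signed):
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'ID="_constructed" Version="2.0" IssueInstant="2022-06-01T00:00:00Z">'
            + sig + "</samlp:AuthnRequest>").encode()

def sample_redirect_url(signed):
    co = zlib.compressobj(wbits=-15)
    deflated = co.compress(sample_xml(False)) + co.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if signed:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = "Y29uc3RydWN0ZWQ="  # placeholder, not a real signature
    return "https://idp.example.com/sso?" + urlencode(params)

if __name__ == "__main__":
    for signed in (False, True):
        print("redirect", signed, redirect_request_signed(sample_redirect_url(signed)))
        print("post    ", signed, post_request_signed(base64.b64encode(sample_xml(signed))))
```

A result of `False` on a captured request while the IDP requires signing matches the 'Responder' status described above.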

Additional Information

The portal has only provided this option since May 27 2022.
