Troubleshooting SAML related issues on AVI when VS is configured as a Service Provider.

Article ID: 400495


Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

  • This article explains various issues that may be encountered with SAML-based authentication on an AVI VS.
  • The AVI Virtual Service (VS)/Controller typically functions as a Service Provider (SP) and must be configured with an Identity Provider (IdP), such as Okta, Azure, JumpCloud, or others.
  • For the purposes of this article, JumpCloud is used as the IdP. Refer to the document below for the SAML settings on AVI:

https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-2/client-authentication/saml/saml-configuration-on-nsx-advanced-load-balancer.html

Resolution

1. Virtual Service (VS) Down with Error: "Fault in SE[se-xxx] Reason ['Error in loading the metadata.']":

  • When configuring SAML-based authentication on the AVI Load Balancer, the VS may fail to come up and report the fault quoted above.

  • This error typically occurs when there is a typo or formatting error in the SAML metadata file. AVI fails to parse the file; as a result, the Service Engine (SE) cannot load the configuration and the VS goes down.

Solution:

  • Validate the metadata file before uploading it. Ensure there are no typos, encoding issues (for example a byte-order mark or non-UTF-8 characters), or extra/invalid characters in the file.
  • The metadata file can be downloaded directly from the IdP, or fetched from the IdP's metadata URL, and then uploaded manually to AVI.
  • Check for a well-formed XML structure. A valid IdP metadata file starts like this (certificate contents and unrelated elements elided):

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="SAML_app">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
...
</ds:X509Data>
...
</ds:KeyInfo>
...
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.jumpcloud.com/saml2/sp-application"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.jumpcloud.com/saml2/sp-application"/>
...
</md:IDPSSODescriptor>
...
</md:EntityDescriptor>

  • After updating the metadata file, disable and re-enable the VS to bring it back up.

 

2. HTTP 401 Response from Server While Accessing the Application:

  • Users may encounter an HTTP 401 Unauthorized response when attempting to access an application protected by SAML authentication through the AVI Load Balancer.

  • This issue is typically caused by a mismatch between the Entity ID or the ACS (Assertion Consumer Service) URL configured on the IdP and on the Service Provider (SP), which in this case is the AVI Load Balancer.
  • To confirm, check the VS logs for error messages indicating authentication failures or invalid SAML assertions.

  • The Entity ID and the ACS URL (shown as the SSO URL in some IdPs) must match exactly on AVI (SP) and on the IdP. Even a minor difference such as a missing or extra trailing slash (/) causes authentication to fail.

AVI config:

IdP config:

Solution:

  • In the configurations shown above, the trailing slash (/) is missing from the ACS URL on the IdP side. After changing the ACS URL on the IdP to "https://application.serviceprovider.lab/sso/acs/", matching the VS, the issue was fixed.

 

3. Blank Page or Timeout Error While Accessing the Application:

  • Users may see a blank page or a timeout error when attempting to access an application configured with SAML authentication through the AVI Load Balancer.
  • The VS logs record an error for the failed request in this scenario.

  • AVI supports the following SAML binding methods:
    • HTTP-Redirect: For sending SAML authentication requests to the Identity Provider (IdP)
    • HTTP-POST: For receiving authentication responses from the IdP to AVI (Service Provider)
  • In this case, the IdP metadata file did not include the HTTP-Redirect binding, which caused AVI to fail during the redirection phase. As a result, the browser stalled, leading to a blank page or timeout.

Non-Working Metadata:

</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.jumpcloud.com/saml2/sp-application"/>
...
</md:IDPSSODescriptor>
...
</md:EntityDescriptor>

Solution:

  • Validate the IdP metadata file and ensure that an <md:SingleSignOnService> entry with the HTTP-Redirect binding is included.

Corrected (working) metadata:

</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.jumpcloud.com/saml2/sp-application"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.jumpcloud.com/saml2/sp-application"/>
...
</md:IDPSSODescriptor>
...
</md:EntityDescriptor>
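The following Python script is added here as a worked example; it is not part of Avi. It runs the checks from sections 1 and 3 against an IdP metadata file before upload: well-formed XML, an md:IDPSSODescriptor that advertises SAML 2.0 and carries a signing certificate, and a SingleSignOnService entry with the HTTP-Redirect binding. The built-in sample metadata is constructed in the shape of the JumpCloud file above, with a placeholder certificate; pass a real file path to check it instead.

```python
"""Pre-upload check for an IdP metadata file.

Added example (not Avi's own code): it catches the two metadata problems
described in sections 1 and 3, a file that is not well-formed XML and a file
whose IDPSSODescriptor has no HTTP-Redirect SingleSignOnService binding, and
also confirms that an IdP signing certificate is present. The sample metadata
below is constructed in the shape of the JumpCloud file shown above; the
certificate is a placeholder.
"""
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SSO_URL = "https://sso.jumpcloud.com/saml2/sp-application"


def check_idp_metadata(xml_text: str) -> list:
    """Return the problems found; an empty list means the file is safe to upload."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Section 1: a typo, stray character or encoding error stops the SE from
        # loading the configuration and the VS stays down.
        return [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append(f"root element is {root.tag}, expected md:EntityDescriptor")
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor (SP metadata uploaded by mistake?)"]
    if SAML2_PROTOCOL not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IDPSSODescriptor does not list the SAML 2.0 protocol")

    # The signing certificate is what the SP uses to verify the IdP's signature
    # on responses and assertions; without it nothing can be trusted.
    has_signing_cert = False
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):       # no 'use' means signing + encryption
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and (cert.text or "").strip():
            has_signing_cert = True
    if not has_signing_cert:
        problems.append("no signing KeyDescriptor with an X509Certificate")

    # Section 3: AVI sends the AuthnRequest with HTTP-Redirect, so the IdP must
    # advertise that binding or the redirect phase fails and the browser stalls.
    bindings = {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)}
    if REDIRECT not in bindings:
        problems.append("no md:SingleSignOnService with the HTTP-Redirect binding")
    for binding, location in bindings.items():
        if not (location or "").startswith("https://"):
            problems.append(f"SingleSignOnService {binding} Location is not https: {location!r}")
    return problems


def sample_metadata(include_redirect: bool = True, well_formed: bool = True) -> str:
    """Constructed IdP metadata; the flags reproduce the failing files from sections 1 and 3."""
    redirect = (f'    <md:SingleSignOnService Binding="{REDIRECT}" Location="{SSO_URL}"/>\n'
                if include_redirect else "")
    closing = "</md:EntityDescriptor>" if well_formed else "</md:EntityDescriptr>"  # the typo
    return f'''<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="SAML_app">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data>
        <ds:X509Certificate>MIIFbjCCA1agAwIBAgIU...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}" Location="{SSO_URL}"/>
{redirect}  </md:IDPSSODescriptor>
{closing}'''


if __name__ == "__main__":
    # Usage: python check_metadata.py idp-metadata.xml   (no argument: runs the built-in samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            inputs = {sys.argv[1]: fh.read()}
    else:
        inputs = {"good": sample_metadata(),
                  "no HTTP-Redirect": sample_metadata(include_redirect=False),
                  "typo in closing tag": sample_metadata(well_formed=False)}
    for name, text in inputs.items():
        print(f"{name}: {check_idp_metadata(text) or ['OK']}")
```

An empty result means the file is safe to upload; anything else names what to fix before enabling the VS. The script only parses the file: it does not verify that the certificate in the metadata is the one actually signing the IdP's responses.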

 

Steps to capture and analyze SAML Flow:

  • To troubleshoot SAML authentication issues, analyze the actual SAML request/response flow between AVI (the Service Provider, SP) and the Identity Provider (IdP). A browser plugin such as SAML Tracer makes this straightforward.
  • SAML Tracer is a browser extension that lets you inspect SAML requests and responses as they pass through the browser.

1. Install SAML Tracer:

2. Clear Cookies and Cache:

    • Ensures a fresh login attempt and captures clean traces

3. Open SAML Tracer and Start Recording:

    • Launch the plugin and make sure recording is enabled

4. Launching the application:

    • Enter the application URL to launch the application. After entering the SSO credentials, wait until the application is reached or an error message appears before stopping the trace.
    • SAML traces can also be exported and imported, which helps the TSE (Technical Support Engineer) debug the issue when a support request is opened.

 

Analyzing SAML packet flow using SAML tracer:

  • A working SP-initiated SAML flow through AVI is shown here. Compare it with a failing case to determine at which step authentication breaks.
    • IdP(JUMPCLOUD): https://sso.jumpcloud.com/saml2/sp-application
    • SP/VS(ACS URL): https://application.serviceprovider.lab/sso/acs/
    • Entity id: SAML_app
  • The client requests the application URL, https://application.serviceprovider.lab, and the request reaches the AVI Virtual Service (VS).
  • Based on the metadata file uploaded to AVI, AVI generates a SAML authentication request (AuthnRequest) and redirects the client to the IdP via HTTP-Redirect. AVI also sets the "AVI_TOKEN" cookie to track the exchange.

  • The client forwards the SAML authentication request to the IdP in an HTTP GET request. The request is not encrypted: it is DEFLATE-compressed, Base64-encoded and URL-encoded into the SAMLRequest query parameter, which is why SAML Tracer can decode and display it. Because the IdP metadata sets WantAuthnRequestsSigned="true", the query string also carries SigAlg and Signature parameters: a signature over the encoded request made with the private key of the SP certificate (the certificate uploaded at the VS level during SAML access policy configuration), which the IdP verifies.

  • Some important parameters to note in the SAML authentication request are:

 

    • ID: A unique identifier generated by AVI for this request. The IdP echoes it back in the InResponseTo attribute of the response, which is how AVI matches the response to the request it sent.
    • Destination: The IdP URL to which the SAML authentication request is sent.
    • ProtocolBinding: The binding the IdP must use to deliver the authentication response to AVI. In this case, it is HTTP-POST.
    • Issuer: The Entity ID configured at the VS level. This value must match on both the SP and IdP sides.
  • The IdP authenticates the user with its configured authentication mechanism and responds with a SAML authentication response containing an assertion.
  • The client posts the SAML authentication response to the ACS URL, https://application.serviceprovider.lab/sso/acs/. The "AVI_TOKEN" cookie set by AVI during the initial redirection is included in this request.

  • Along with the digital signature, a successful SAML response includes the SAML Assertion ID, issuer details, authentication status, attributes, and other relevant information.
  • A successful SAML authentication response appears as shown below:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                 Destination="https://application.serviceprovider.lab/sso/acs/"
                 ID="VZLDZGBKAU324TEOFP9GJREFGSV59U7356YGDUDX"
                 InResponseTo="_39F1C7CB0FBC58704CA23F3AB1A8BB64"
                 IssueInstant="2025-06-17T08:00:28.203Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  >SAML_app</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#VZLDZGBKAU324TEOFP9GJREFGSV59U7356YGDUDX">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xsd"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>cZst1+ehrWD+v7163LVIMDlFfFU=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIFbjCCA1agAwIBAgIUQxyl1FahGfJaUxtxYJ6pdbIKQdcwDQYJKoZIhvcNAQELBQAwcTELMAkG...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="RG4MRR0WAINAV9QEB5L0CFUUTAFVGD984IKEJRBL"
                     IssueInstant="2025-06-17T08:00:28.203Z"
                     Version="2.0"
                     >
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SAML_app</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#RG4MRR0WAINAV9QEB5L0CFUUTAFVGD984IKEJRBL">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    PrefixList="xsd"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>167ieh7DnltoWX7y1RO2sUHwGmQ=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>...</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIFbjCCA1agAwIBAgIUQxyl1FahGfJaUxtxYJ6pdbIKQdcwDQYJKoZIhvcNAQELBQAwcTELMAkG...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified">[email protected]</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="_39F1C7CB0FBC58704CA23F3AB1A8BB64"
                                               NotOnOrAfter="2025-06-17T08:05:28.203Z"
                                               Recipient="https://application.serviceprovider.lab/sso/acs/"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2025-06-17T07:55:28.203Z"
                          NotOnOrAfter="2025-06-17T08:05:28.203Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>AviController-controller.serviceprovider.lab</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="email"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="Name"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >User1</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
        <saml2:AuthnStatement AuthnInstant="2025-06-17T08:00:28.203Z"
                              SessionIndex="c2c34b0d-622d-47c2-b0b6-1379a67ae84c"
                              >
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

  • AVI receives the response, validates the signature on the response/assertion against the IdP signing certificate from the uploaded metadata, checks the authentication status, and evaluates any configured authentication-mapping rules against the returned attributes. It then redirects the user to the original application URL. Note that the sample above is signed with rsa-sha1; SHA-1 is deprecated for signatures, so configure the IdP to sign with rsa-sha256 where it supports it.
  • AVI also sets a cookie, named as configured at the VS level, to indicate successful authorization for the application.

  • The browser repeats the request to the VS with this cookie, and the user is presented with the application page.
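The script below is an added example, not Avi code, reproducing the SP side of the flow above. Part 1 encodes an AuthnRequest exactly as the HTTP-Redirect binding does and decodes it again, which is what SAML Tracer shows for the SAMLRequest parameter, then reads out the ID, Destination, ProtocolBinding and Issuer. Part 2 applies the checks a Service Provider runs on the posted Response: the StatusCode, InResponseTo against the request ID, Destination and Recipient against the ACS URL as an exact string match (the trailing-slash failure of section 2), the NotBefore/NotOnOrAfter window with a clock-skew allowance, the Audience, and the Issuer against the IdP entityID. The XML is constructed and trimmed; the ACS URL, Entity ID, IdP SSO URL and request ID are the article's values, and the clock is frozen so the sample runs offline. XML signature verification needs the IdP certificate and a canonicalization library and is deliberately not reimplemented here.

```python
"""SP side of the SP-initiated flow above: HTTP-Redirect encoding of the
AuthnRequest (what SAML Tracer decodes) and the checks a Service Provider
applies to the posted Response. Added example, not Avi code; the XML is
constructed and trimmed. XML signature verification is not reimplemented."""
import base64, urllib.parse, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_URL = "https://application.serviceprovider.lab/sso/acs/"     # values from the article
ENTITY_ID = "SAML_app"       # SP entity ID on the VS; also the entityID in the lab's IdP metadata
IDP_SSO_URL = "https://sso.jumpcloud.com/saml2/sp-application"
REQUEST_ID = "_39F1C7CB0FBC58704CA23F3AB1A8BB64"
NOW = datetime(2025, 6, 17, 8, 0, 30, tzinfo=timezone.utc)      # frozen clock for the samples

def saml_ts(d):
    return d.strftime("%Y-%m-%dT%H:%M:%S.000Z")

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def build_authn_request(request_id=REQUEST_ID):
    """Minimal AuthnRequest carrying the four parameters the article says to check."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{saml_ts(NOW - timedelta(seconds=3))}" Destination="{IDP_SSO_URL}" '
            f'ProtocolBinding="{HTTP_POST}"><saml:Issuer>{ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE -> Base64 -> URL-encode. Compression, not encryption."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)               # -15: raw deflate, no zlib header
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")

def decode_redirect(param):
    """Inverse of encode_redirect; what SAML Tracer does with the SAMLRequest query parameter."""
    return zlib.decompress(base64.b64decode(urllib.parse.unquote(param)), -15).decode()

def request_fields(xml_text):
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {"ID": root.get("ID"), "Destination": root.get("Destination"),
            "ProtocolBinding": root.get("ProtocolBinding"), "Issuer": None if issuer is None else issuer.text}

def sample_response(acs_url=ACS_URL):
    """Constructed, trimmed Response in the shape of the successful one above (signatures omitted)."""
    earlier, later = saml_ts(NOW - timedelta(minutes=5)), saml_ts(NOW + timedelta(minutes=5))
    return f'''<saml2p:Response xmlns:saml2p="{NS["samlp"]}" xmlns:saml2="{NS["saml"]}" Version="2.0"
    ID="VZLDZGBKAU324TEOFP9GJREFGSV59U7356YGDUDX" InResponseTo="{REQUEST_ID}" Destination="{acs_url}">
  <saml2:Issuer>{ENTITY_ID}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion ID="RG4MRR0WAINAV9QEB5L0CFUUTAFVGD984IKEJRBL" Version="2.0">
    <saml2:Issuer>{ENTITY_ID}</saml2:Issuer>
    <saml2:Subject><saml2:NameID>user1@serviceprovider.lab</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="{REQUEST_ID}" Recipient="{acs_url}" NotOnOrAfter="{later}"/>
      </saml2:SubjectConfirmation></saml2:Subject>
    <saml2:Conditions NotBefore="{earlier}" NotOnOrAfter="{later}">
      <saml2:AudienceRestriction><saml2:Audience>{ENTITY_ID}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>'''

def check_response(xml_text, request_id=REQUEST_ID, acs_url=ACS_URL, idp_entity_id=ENTITY_ID,
                   audience=ENTITY_ID, now=NOW, skew=timedelta(seconds=60)):
    """Reasons the SP must reject the Response; [] means accept once the signature verifies."""
    root, problems = ET.fromstring(xml_text), []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.get("InResponseTo") != request_id:     # ties the Response to the AuthnRequest this session sent
        problems.append(f"InResponseTo {root.get('InResponseTo')!r} != request ID {request_id!r}")
    if root.get("Destination") != acs_url:         # exact match: the missing trailing slash of section 2 fails here
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != idp_entity_id:
        problems.append("Response Issuer is not the IdP entityID from the uploaded metadata")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in Response"]
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        problems.append("SubjectConfirmationData Recipient/InResponseTo do not match the ACS URL/request ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now + skew < parse_ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid: check IdP/SE clock sync")
        if cond.get("NotOnOrAfter") and now - skew >= parse_ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired: check IdP/SE clock sync")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and audience not in audiences:
            problems.append(f"Audience {audiences} does not name the SP identifier {audience!r}")
    return problems

if __name__ == "__main__":
    param = encode_redirect(build_authn_request())
    print("SAMLRequest=" + param[:48] + "...", request_fields(decode_redirect(param)))
    print("good response:", check_response(sample_response()))
    print("IdP configured without the trailing slash:", check_response(sample_response(acs_url=ACS_URL[:-1])))
```

Running it prints an empty list for the good response and two mismatches (Destination and Recipient) when the IdP was configured with the ACS URL without the trailing slash, which is the 401 case of section 2. The clock-skew allowance matters in practice: an SE whose clock drifts more than a few minutes from the IdP will reject otherwise valid assertions as expired or not yet valid, so check NTP on both sides before blaming the configuration.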

Logs to be collected for SAML related issues on AVI VS:

  • Controller debug logs (tech-support logs)
  • VS tech support
  • SE tech support
  • Export of the VS logs covering the timeframe of the issue (log navigation)
  • Export of the SAML Tracer output collected while reproducing the issue