SAML SSO login fails with “Invalid Credentials” after upgrading the AVI Controller from version 22.1.x to 30.x or later.


Article ID: 426600


Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

After upgrading the AVI Controller from version 22.1.x to 30.x or later, SAML SSO login attempts fail with an “Invalid Credentials” error.




The /var/lib/avi/log/apiserver.INFO log shows that SSO authentication failed with an Invalid Credentials error because the Recipient value was incorrect.

 

Environment

All

Cause

Starting with version 30.1.x, stricter recipient validation as defined by SAML 2.0 is enforced. This validation is intentionally not bypassed, including during upgrades, to maintain security compliance.

Resolution

Message Processing Rules

Regardless of the SAML binding used, the service provider MUST do the following:

  • Verify any signatures present on the assertion(s) or the response
  • Verify that the Recipient attribute in any bearer <SubjectConfirmationData> matches the assertion consumer service URL to which the <Response> or artifact was delivered
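
To see which Recipient value the identity provider is actually sending, the second rule above can be reproduced offline against a captured, base64-encoded SAMLResponse (HTTP-POST binding). This is an added diagnostic sketch, not code from the product or from this article; the URLs and the sample response are constructed placeholders, and exact string comparison is an assumption about how strict matching behaves. It does not verify signatures.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS_URL = "https://sp.example.com/sso/acs/"  # constructed placeholder ACS URL


def bearer_recipients(saml_response_b64):
    """Return the Recipient of every bearer SubjectConfirmationData (None if absent)."""
    # Intended for a response you captured yourself, not for untrusted input.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = []
    for conf in root.iterfind(".//saml:SubjectConfirmation", NS):
        if conf.get("Method") != BEARER:
            continue  # only bearer confirmations are covered by the rule
        data = conf.find("saml:SubjectConfirmationData", NS)
        found.append(data.get("Recipient") if data is not None else None)
    return found


def recipient_mismatches(saml_response_b64, acs_url):
    """List bearer Recipient values that do not exactly equal the ACS URL."""
    recipients = bearer_recipients(saml_response_b64)
    if not recipients:
        return ["<no bearer SubjectConfirmation found>"]
    return [r or "<Recipient missing>" for r in recipients if r != acs_url]


def build_sample_response(recipient):
    """Constructed, unsigned sample response used only to exercise the check."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Subject>"
        f'<saml:SubjectConfirmation Method="{BEARER}">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
        "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"
        "</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    stale = build_sample_response("https://192.0.2.10/sso/acs/")
    print("mismatched Recipient values:", recipient_mismatches(stale, ACS_URL))
```

An empty list means every bearer Recipient equals the ACS URL; any value returned is what needs correcting in the identity provider's configuration for this service provider.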