Question
I'm getting the below error message when I'm trying to log in via SSO:
sspmod_saml_Error: Responder/AuthnFailed: Transaction was cancelled
What is the reason for this error? SAML configuration or authentication? Please advise.
Answer 1:
Question 1: I'm getting the below error message when I'm trying to log in via SSO. What is the reason for this error? SAML configuration or authentication?
Answer:
The error "Responder/AuthnFailed" indicates SAML authentication failure.
A SAML configuration error is one of the root causes of SAML authentication failure.
Six (6) typical root causes of SAML authentication failure are:
- SAML Response/Assertion/Token must be redeemed within 5 minutes of issuance provided by your SAML IdP. In other words, the SAML SP should synchronize with the SAML IdP; the SAML SP server time should be almost the same as the SAML IdP server's. Check the resolution provided by another StackOverflow question, ExpiredTokenException when I SAML SSO login AWS from my local IdP.
- SAML IdP metadata provides the wrong public certificate/key for verifying the signed assertion to SAML SP. Check resolution provided by another StackOverflow question ExpiredTokenException when I SAML SSO login AWS from my local IdP.
- SAML IdP configuration error related to three (3) different public certificates. How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides a Shibboleth SAML IdP metadata "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml" which has been validated with successful SSO for numerous enterprise applications. This Shibboleth SAML IdP metadata consists of three signing certificates (sign Responses, sign Assertions, and encrypt Assertions), and relying party configuration "shibboleth-idp-dockerized/ext-conf/conf/relying-party.xml" allows system administrators to determine whether SAML IdP needs to sign Responses, sign Assertions, or encrypt Assertions.
- Name ID format carried by SAML response/SAML assertion (sent by SAML IdP) does NOT meet the requirements of SAML SP.
- User attributes carried by the SAML response/SAML assertion (sent by SAML IdP) do NOT meet the requirements of the SAML SP. For example, the Amazon AWS SAML SP requires its own particular user attributes (i.e., Role and RoleSessionName) sent by the SAML IdP.
- SAML response/SAML assertion (sent by SAML IdP) delivers the wrong EntityID of SAML SP.
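The following is an added example (not from the question, the answer, or SimpleSAMLphp) that checks an assertion against the causes the answer lists that can be verified from the assertion's content alone: the validity window with clock-skew tolerance (cause 1), the Audience/EntityID (cause 6), the NameID format (cause 4), and required attributes (cause 5). Signature and certificate problems (causes 2 and 3) need the IdP's signing keys and are not covered; the sample assertion, the SP settings, and the 5-minute skew are constructed assumptions, and the AWS attribute names are the ones AWS publishes.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ATTRS = ("https://aws.amazon.com/SAML/Attributes/Role",          # attribute names AWS
             "https://aws.amazon.com/SAML/Attributes/RoleSessionName")  # requires (cause 5)
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def _ts(value):  # SAML UTC timestamp, e.g. 2019-07-04T12:00:00Z (fractional seconds not handled)
    return value and datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, sp_entity_id, required_attrs=AWS_ATTRS,
                    nameid_formats=(EMAIL_FMT,), now=None, skew=timedelta(minutes=5)):
    """Return a list of problems (empty = passed). Signature checks (causes 2, 3) are not done here."""
    problems = []
    root = ET.fromstring(xml_text)
    # 'now' may be a SAML timestamp string (useful for reproducing a failed login)
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions element")
    else:
        not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        # Cause 1: validity window, tolerating clock drift between IdP and SP
        if not_before and now + skew < not_before:
            problems.append("assertion not yet valid (clock skew?)")
        if not_after and now - skew >= not_after:
            problems.append("assertion expired (clock skew?)")
        # Cause 6: Audience must carry this SP's EntityID
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"audience {audiences} does not match SP EntityID {sp_entity_id}")
    # Cause 4: NameID format must be one the SP accepts
    name_id = root.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt not in nameid_formats:
        problems.append(f"NameID format {fmt} not accepted by SP")
    # Cause 5: attributes the SP requires must be present
    present = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in required_attrs:
        if name not in present:
            problems.append(f"missing required attribute {name}")
    return problems

# Constructed, unsigned sample assertion for an AWS-style SP (illustration only)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2019-07-04T12:00:00Z" NotOnOrAfter="2019-07-04T12:05:00Z"><saml:AudienceRestriction>
  <saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>arn:aws:iam::123456789012:role/ExampleRole,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""
```

Running `check_assertion(SAMPLE, "urn:amazon:webservices", now="2019-07-04T12:02:00Z")` returns an empty list, while a `now` of 12:20 reports the expiry that shows up on the SP side as AuthnFailed.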
Source: https://stackoverflow.com/questions/56896991/saml-gives-unhadeled-exception