Support Article
Active Directory Federation Services for SSO fails
SA-39242
Summary
The user has configured SAML SSO with Microsoft ADFS 3.0. When accessing the SSO URL, the following error is displayed on the screen:
Unable to process the SAML WebSSO request : The Response did not contain any Authentication Statement that matched the Subject Confirmation criteria
Error Messages
Below is the exception found in the PegaRULES log:
2017-05-01 18:16:59,232 [p-apr-8080-exec-1532] [ STANDARD] [ ] [ PegaRULES:07.10] (Admin_Security_SSO_SAML.Action) ERROR ip-|Rest|WebSSO|SAML|AssertionConsumerService|AC3C0ED73EF41648B4B9CB558D8BD82A4 - Error while executing the Assertion Consumer Service activity : The Response did not contain any Authentication Statement that matched the Subject Confirmation criteria
2017-05-01 18:18:19,196 [p-apr-8080-exec-1552] [ STANDARD] [ ] [ PegaRULES:07.10] (Admin_Security_SSO_SAML.Action) ERROR ip-|Rest|WebSSO|SAML|AssertionConsumerService|AC3C0ED73EF41648B4B9CB558D8BD82A4 - Error while executing the Assertion Consumer Service activity : The Response did not contain any Authentication Statement that matched the Subject Confirmation criteria
Steps to Reproduce
1. Configure the Authentication service, including the IdP metadata.
2. Add Pega as a relying party in Active Directory Federation Services (ADFS 3.0).
3. Set up the claim rule in ADFS.
4. Try the SSO using the URL.
Root Cause
A defect in Pegasystems’ code or rules. Pega is trying to read the attributes without decrypting the SAML assertion.
Also, the user is using 'NameID' as the attribute in ADFS to match with 'OperatorID' in the application.
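To check a captured response against the root cause above, the following added example (not Pega or ADFS code) reports whether the assertion arrives encrypted and which statements and attribute names are readable without decryption. The function name, the sample responses and the operator value are constructed for illustration; the claim URI is the standard ADFS Name claim type.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_response(b64_response):
    """Report what is readable in a SAML Response before any decryption.

    Diagnostic only: no signature, condition or audience validation is done.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    plain = root.findall("saml:Assertion", NS)
    return {
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "plain_assertions": len(plain),
        "authn_statement_visible": any(
            a.find("saml:AuthnStatement", NS) is not None for a in plain),
        "name_id": next((n.text for a in plain
                         for n in a.findall("saml:Subject/saml:NameID", NS)), None),
        "attribute_names": [at.get("Name") for a in plain for at in
                            a.findall("saml:AttributeStatement/saml:Attribute", NS)],
    }

def _wrap(inner):
    # Helper that builds a constructed, unsigned Response for the samples below.
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">%s</samlp:Response>'
           % (NS["samlp"], NS["saml"], inner))
    return base64.b64encode(xml.encode()).decode()

NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample: assertion encrypted by the IdP (cipher text is a placeholder).
ENCRYPTED = _wrap(
    '<saml:EncryptedAssertion>'
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue>'
    '</xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>')

# Constructed sample: an unencrypted assertion carrying the Name claim.
PLAIN = _wrap(
    '<saml:Assertion><saml:Subject><saml:NameID>operator@example.test</saml:NameID>'
    '</saml:Subject><saml:AuthnStatement AuthnInstant="2017-05-01T18:16:59Z"/>'
    '<saml:AttributeStatement><saml:Attribute Name="%s">'
    '<saml:AttributeValue>operator@example.test</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>' % NAME_CLAIM)

if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED), ("plain", PLAIN)):
        print(label, inspect_saml_response(sample))
```

For the encrypted sample no AuthnStatement or attribute is visible, which is the condition that produces the "did not contain any Authentication Statement" error when a service provider reads the response without decrypting it first.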
Resolution
Apply Hfix-34802 and use 'Name' instead of 'NameID' as the attribute to match 'OperatorID' in the application.
Published October 31, 2017 - Updated October 8, 2020