
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Assertion does not contain unique subject provider identifier

SA-44809

Summary



The user has a SAML configuration with identity provider (IdP) initiated calls and encryption enabled, and receives an exception.

The error occurs when SAML is configured with IdP-initiated calls and encryption is enabled.

Error Messages



Unable to process the SAML WebSSO request :
Unable to process SAML2 Authentication response : Caught
Exception while validating SAML2 Authentication response for SSO profile :
Assertion does not contain unique subject provider identifier https:/<host>:<port>/prweb/sp/1234567890 in the audience restriction conditions.

Note: Prior to this error, the user was getting "The Response did not contain any Authentication Statement that matched the Subject Confirmation criteria", which was resolved through HFix-35622.


Steps to Reproduce

  1. Click a link from the application. A request is sent to the middle layer, which makes a request to the SAML token provider (STS). The token provider (STS) validates the request and issues a token for the operator. The token is encrypted with the Pega application's public key and base64 encoded. The middle layer posts the SAML token it received to the Pega SSO servlet URL (https://hostname:portnumber/prweb/sso) through HTTP POST.
  2. The application decodes and decrypts the SAML response and launches the user portal appropriate to the operator's level of access.


Root Cause



A defect or configuration issue in the operating environment.

The IDP response was missing the AudienceRestriction and Audience elements in the Conditions element.

Resolution



Perform the following local change to the Conditions element:

Update the IdP configuration to include AudienceRestriction and Audience elements as shown below. The Audience value must be the service provider entity ID that the Pega application expects (the identifier named in the error message).

For example, change the Conditions element in the response from:

    <saml:Conditions NotBefore="2017-09-20T13:58:19Z" NotOnOrAfter="2017-09-20T14:00:49Z"/>

to:

    <saml:Conditions NotBefore="2017-09-20T13:58:19Z" NotOnOrAfter="2017-09-20T14:00:49Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://pegaserver.com:<port>/prweb/sp/1234567890</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>

Note that the original empty element is self-closing (`/>`); once it has child elements it must be opened with `>` and closed with `</saml:Conditions>`, as above.
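The following added example (not Pega's code, and not part of the original article) shows the service-provider-side check that produces this error: it parses an assertion's Conditions element and rejects the assertion unless an AudienceRestriction/Audience names this SP's entity ID. The entity ID, the port 8443 standing in for the article's <port>, and the two sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed SP entity ID; the port is a constructed stand-in for the article's <port>.
SP_ENTITY_ID = "https://pegaserver.com:8443/prweb/sp/1234567890"


def audiences_in(assertion_xml: str) -> List[str]:
    """Return every saml:Audience value under Conditions/AudienceRestriction."""
    # xml.etree suffices for these constructed samples; parse untrusted IdP
    # XML with defusedxml or the SAML library's own hardened parser.
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return []
    path = "saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in conditions.findall(path, SAML_NS) if a.text]


def check_audience(assertion_xml: str, sp_entity_id: str) -> Tuple[bool, str]:
    """SP-side audience check: the assertion must name this SP, else reject it."""
    audiences = audiences_in(assertion_xml)
    if not audiences:
        return False, ("Assertion does not contain unique subject provider "
                       f"identifier {sp_entity_id} in the audience restriction "
                       "conditions (no AudienceRestriction/Audience present)")
    if sp_entity_id not in audiences:
        return False, f"Audience {audiences} does not match SP entity ID {sp_entity_id}"
    return True, "AudienceRestriction names this SP"


# Constructed samples: BROKEN mirrors the IdP response from the article
# (Conditions with no AudienceRestriction); FIXED is the corrected form.
HEAD = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_c1" Version="2.0" IssueInstant="2017-09-20T13:58:19Z">'
        '<saml:Issuer>https://idp.example.test/idp</saml:Issuer>')
BROKEN = HEAD + ('<saml:Conditions NotBefore="2017-09-20T13:58:19Z" '
                 'NotOnOrAfter="2017-09-20T14:00:49Z"/></saml:Assertion>')
FIXED = HEAD + ('<saml:Conditions NotBefore="2017-09-20T13:58:19Z" '
                'NotOnOrAfter="2017-09-20T14:00:49Z">'
                '<saml:AudienceRestriction><saml:Audience>'
                + SP_ENTITY_ID +
                '</saml:Audience></saml:AudienceRestriction>'
                '</saml:Conditions></saml:Assertion>')

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        ok, msg = check_audience(doc, SP_ENTITY_ID)
        print(f"{name}: {'accept' if ok else 'reject'} - {msg}")
```

An assertion whose Audience names a different SP is rejected the same way, which is the point of the check: a token issued for one relying party cannot be replayed against another.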

Published March 22, 2018 - Updated October 8, 2020
