Exception while validating SAML2 Authentication response
You use the SAML mechanism to provide a Single Sign-On (SSO) facility for a Pega 7.1.7 system. The IdP server is set up to require digital signatures:
Require digitally signed AuthN requests: true
Always sign the SAML Assertion: true
On Pega 7.1.7 the checkbox labelled 'Disable Signature' is checked on the SAML Auth rule.
When you perform an SSO from Pega 7.1.7, the following error is displayed in the browser:
Unable to process the SAML WebSSO request : Unable to process SAML2 Authentication response : Caught Exception while validating SAML2 Authentication response protocol : Received SAML token with invalid status code : urn:oasis:names:tc:SAML:2.0:status:Requester
The SAML tracer browser extension shows the IdP's full response; the status code it returns to Pega is:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
A top-level status of urn:oasis:names:tc:SAML:2.0:status:Requester means the IdP considers the request from Pega (the SP) to be at fault; here the AuthnRequest arrived unsigned although the IdP requires signed requests. The IdP itself did not fail, so the fix belongs on the Pega side.
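As an added check (this script is not part of the original article or of the Pega product), the following POSIX shell functions pull the top-level and second-level status codes and the StatusMessage out of a decoded samlp:Response of the kind SAML tracer displays, and say which side the IdP is blaming. The sample response, including its RequestDenied sub-code and message text, is constructed for illustration; the four top-level codes are the ones defined by SAML 2.0 Core.

```shell
#!/bin/sh
# Added example (not from the original article or from Pega): pulls the status
# codes out of a decoded samlp:Response, such as the one SAML tracer shows, so
# that you know which side rejected the exchange before changing configuration.
# Works on the XML text with grep/sed only; the sample response is constructed.

SAMPLE_RESPONSE='<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>AuthnRequest must be signed</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>'

# Print every StatusCode Value in document order: the top-level code first, then
# any second-level code nested inside it. Reads the XML from stdin.
saml_status_codes() {
    grep -o 'StatusCode[^>]*Value="[^"]*"' | sed 's/.*Value="//; s/"$//'
}

# Print the optional human-readable StatusMessage (one line in the sample).
saml_status_message() {
    sed -n 's|.*<samlp:StatusMessage>\(.*\)</samlp:StatusMessage>.*|\1|p'
}

# The four top-level codes defined by SAML 2.0 Core, and whom they point at.
saml_explain() {
    case "$1" in
        *:status:Success)         echo "IdP accepted the request; if login still fails, look at the SP side" ;;
        *:status:Requester)       echo "IdP blames the SP: its AuthnRequest was malformed, unsigned or not permitted" ;;
        *:status:Responder)       echo "IdP blames itself: an error on the IdP side" ;;
        *:status:VersionMismatch) echo "IdP and SP disagree on the SAML version" ;;
        *)                        echo "not a top-level status code: $1" ;;
    esac
}

# Usage: printf '%s\n' "$xml" | saml_diagnose
saml_diagnose() {
    xml=$(cat)
    top=$(printf '%s\n' "$xml" | saml_status_codes | sed -n '1p')
    sub=$(printf '%s\n' "$xml" | saml_status_codes | sed -n '2p')
    msg=$(printf '%s\n' "$xml" | saml_status_message)
    echo "top-level status : ${top:-none}"
    [ -n "$sub" ] && echo "second-level code: $sub"
    [ -n "$msg" ] && echo "status message   : $msg"
    saml_explain "$top"
}

printf '%s\n' "$SAMPLE_RESPONSE" | saml_diagnose
```

Paste the decoded response from SAML tracer into a file and run `saml_diagnose < response.xml`. The second-level code and the StatusMessage are optional in the protocol, so many IdPs return only the bare Requester code, as in the case above; the top-level code alone is enough to tell you to look at the SP configuration.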
Steps to Reproduce
1. Configure IdP server to require digital signatures
2. Configure Pega 7.1.7’s Auth Rule with the option ‘Disable Signature’ switched ON
3. Attempt an SSO operation
The root cause of this problem is a misconfiguration of the operating environment: the IdP requires signed AuthN requests, but the 'Disable Signature' option on the Auth rule makes Pega send them unsigned, so the IdP rejects them with the Requester status. If the IdP requires a digital signature, you must switch OFF the option labelled 'Disable Signature' and provide the required signing certificate to both Pega 7.1.7 and the IdP server.
If your IdP server requires digital signatures, Pega 7.1.7's Auth rule must be configured so that it can sign the requests it sends. This means you must create or obtain an RSA (or DSA) key pair for which you know the private-key password, held in a JKS keystore, and upload that keystore to Pega 7.1.7. You then provide the certificate (the public-key half of the key pair) to the IdP server, normally by uploading the SP metadata, so that the IdP can verify Pega's signatures.
Here are the overall steps (assuming you do not already have a key pair available).
1. Create your key pair using the standard Java keytool, or a graphical third-party tool such as KeyStore Explorer.
2. Upload the keystore containing your key pair to Pega 7.1.7 by creating a Keystore rule; this requires the keystore password.
3. On your Pega 7.1.7 Auth rule, ensure the 'Disable Signature' option is switched OFF.
4. Reference the Keystore rule on the Auth rule form and choose the correct key pair from the drop-down; this requires the key pair password. (Note that two distinct passwords are needed here: the keystore password and the key pair password.)
5. Save the SAML Auth rule and use the 'Download SP metadata' option.
6. Upload the SP metadata to your IdP server.
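Steps 1 and 2 carried out with the standard Java keytool rather than KeyStore Explorer, as an added example that is not from the original article or from Pega. It assumes keytool is on the PATH; the file name, alias, passwords and subject DN are placeholders to replace. It also adds the check a practitioner wants before uploading: that the alias really is a private-key entry with the expected signature algorithm, and a certificate fingerprint to compare with what the IdP displays after the metadata upload.

```shell
#!/bin/sh
# Added example (not from the original article or from Pega): steps 1 and 2
# of the procedure done with the standard Java keytool instead of KeyStore
# Explorer. It creates a JKS keystore with a self-signed RSA signing key pair
# for the Pega SP, exports the certificate, and checks the result. All names,
# passwords and the subject DN are assumptions; override them via the environment.

STORE="${STORE:-sp-saml.jks}"
ALIAS="${ALIAS:-pega-sp-signing}"
STORE_PASS="${STORE_PASS:-changeit-store}"   # the 'keystore password' asked for by the Keystore rule
KEY_PASS="${KEY_PASS:-changeit-key}"         # the 'keypair password' asked for by the Auth rule
DNAME="${DNAME:-CN=pega.example.com, OU=SSO, O=Example, C=US}"
CERT="${STORE%.jks}.crt"

have_keytool() { command -v keytool >/dev/null 2>&1; }

# Step 1: generate the key pair. -storetype JKS matters: Pega 7.1.7 expects a JKS
# file, while JDK 9 and later default to PKCS12. A 2048-bit RSA key signed with
# SHA256withRSA is the usual choice for SAML request signing.
make_sp_keystore() {
    rm -f "$STORE"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -dname "$DNAME" -validity 730 \
        -keystore "$STORE" -storetype JKS \
        -storepass "$STORE_PASS" -keypass "$KEY_PASS"
}

# Export only the public certificate (PEM). This is what the IdP needs and what
# ends up in the SP metadata; the private key never leaves the keystore.
export_sp_cert() {
    keytool -exportcert -rfc -alias "$ALIAS" -keystore "$STORE" \
        -storepass "$STORE_PASS" -file "$CERT"
}

# Check before uploading to Pega: the alias must be a PrivateKeyEntry (a trusted
# certificate alone cannot sign anything) and must use the expected algorithm.
check_sp_keystore() {
    listing=$(keytool -list -v -alias "$ALIAS" -keystore "$STORE" -storepass "$STORE_PASS") || return 1
    printf '%s\n' "$listing" | grep -q 'PrivateKeyEntry' || return 1
    printf '%s\n' "$listing" | grep -q 'SHA256withRSA'
}

# SHA-256 fingerprint of the certificate, to compare against what the IdP shows
# once the SP metadata has been uploaded.
sp_cert_fingerprint() {
    keytool -list -v -alias "$ALIAS" -keystore "$STORE" -storepass "$STORE_PASS" \
        | sed -n 's/^[[:space:]]*SHA256: //p'
}

if have_keytool; then
    make_sp_keystore && export_sp_cert && check_sp_keystore \
        && echo "keystore $STORE ready: upload it as a Keystore rule; give $CERT to the IdP" \
        && echo "certificate SHA-256 fingerprint: $(sp_cert_fingerprint)"
else
    echo "keytool not found: install a JDK or JRE and re-run" >&2
fi
```

Omitting -storepass and -keypass makes keytool prompt for them, which keeps the passwords out of shell history and process listings; the values shown are placeholders only. Recent JDKs print a warning that JKS is a proprietary format and suggest migrating to PKCS12; that warning is expected here, since the page's procedure uploads a JKS file. A self-signed certificate is fine for a test setup like the one described; a production IdP may require a certificate from your organisation's PKI.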
The screenshots in the original article illustrate the process using the graphical KeyStore Explorer 5.1 tool; note that only a self-signed test key is generated and used there.
Save the entire keystore (which in this case contains a single key pair).
In your Pega 7.1.7 application, navigate to Create > Security > Keystore to create a Keystore rule and upload the saved file.
Once the SP metadata XML file has been saved as above, upload it to the IdP server and retry the SSO procedure from Pega 7.1.7.