Support Article

SAML: Error after installing HFix-27786

SA-34663

Summary



After installing HFix-27786, the following error occurs every time a user attempts a Service Provider (SP) initiated login:

Error while executing the Assertion Consumer Service activity : The Response did not contain any Authentication Statement that matched the Subject Confirmation criteria.

The error is raised in Step 9 of Data-Admin-Security-SSO-SAML.pyAssertionConsumerServiceActivity in patch version Pega-IntegrationEngine:07-10-18.

The hotfix introduces a call to a new method, PRSAMLv2Utils.getInResponseToFromSamlResponse, which determines whether the request is SP-initiated or IdP-initiated by looking for a matching InResponseTo value.

The exception occurs inside PRSAMLv2Utils.getInResponseToFromSamlResponse because "foundValidSubject" is never set to true when the method inspects the assertion's SubjectConfirmation, even though the assertion does contain a Subject whose SubjectConfirmation Method is "urn:oasis:names:tc:SAML:2.0:cm:bearer".


Error Messages



Error while executing the Assertion Consumer Service activity : The Response did not contain any Authentication Statement that matched the Subject Confirmation criteria.

The error is raised even though the assertion in the SAML response contains a Subject whose SubjectConfirmation Method is "urn:oasis:names:tc:SAML:2.0:cm:bearer".


Steps to Reproduce



The issue is only reproducible when the IdP sends encrypted assertions (saml:EncryptedAssertion); it does not occur with plaintext assertions.

Root Cause



When encrypted assertions are used, Step 9 of the Assertion Consumer Service activity cannot validate whether the Authentication Statement matches the Subject Confirmation, because the assertion has not yet been decrypted at the point where the check runs: the Subject and its SubjectConfirmation are still inside the EncryptedAssertion element, so the check finds no bearer subject and reports the error above.
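To make the ordering dependency in the root cause concrete, the following Python is an added example written for this article; it is not Pega's PRSAMLv2Utils code and uses only the standard library. It answers the same question Step 9 asks (is there a bearer SubjectConfirmation, and does its InResponseTo match the Response's?) but decrypts any EncryptedAssertion before inspecting it. Called without a decrypt function, it reproduces the failing condition: the encrypted assertion cannot be inspected, so no bearer subject is found. The issuer, SP URL, request IDs, the sample Response documents and toy_decrypt() (a base64 stand-in for real XML Encryption processing) are all constructed for this example.

```python
"""Find the bearer SubjectConfirmation in a SAML 2.0 Response, decrypting any
EncryptedAssertion first. Added example, not Pega code; stdlib only. The sample
documents are constructed and toy_decrypt() stands in for XML Encryption
(RSA-OAEP key transport plus AES via e.g. xmlsec) by base64-decoding CipherValue."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def in_response_to(response):
    """InResponseTo of the Response: present for SP-initiated, absent for IdP-initiated."""
    return response.get("InResponseTo")


def bearer_subject_confirmed(assertion, request_id):
    """True if a SubjectConfirmation uses the bearer Method and its
    SubjectConfirmationData/@InResponseTo (when present) equals request_id."""
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        irt = data.get("InResponseTo") if data is not None else None
        if irt is None or irt == request_id:
            return True
    return False


def iter_assertions(response, decrypt):
    """Yield (assertion, was_encrypted). An EncryptedAssertion is decrypted first;
    without a decrypt function its assertion is yielded as None."""
    for child in response:
        local = child.tag.split("}")[-1]
        if local == "Assertion":
            yield child, False
        elif local == "EncryptedAssertion":
            enc = child.find("xenc:EncryptedData", NS)
            yield (decrypt(enc) if decrypt and enc is not None else None), True


def check_response(xml_text, decrypt=None):
    """Step 9's question: does any assertion confirm the subject as bearer?
    Without `decrypt`, encrypted assertions are counted but cannot be inspected,
    which is exactly the condition that produces the article's error."""
    root = ET.fromstring(xml_text)
    request_id = in_response_to(root)
    result = {"sp_initiated": request_id is not None,
              "bearer_subject_found": False,
              "undecrypted_assertions": 0}
    for assertion, _encrypted in iter_assertions(root, decrypt):
        if assertion is None:
            result["undecrypted_assertions"] += 1
            continue
        if bearer_subject_confirmed(assertion, request_id):
            result["bearer_subject_found"] = True
    return result


def toy_decrypt(encrypted_data):
    """Stand-in for XML-Enc decryption (constructed): base64-decode the CipherValue."""
    b64 = encrypted_data.findtext("xenc:CipherData/xenc:CipherValue", namespaces=NS)
    return ET.fromstring(base64.b64decode(b64))


# Constructed sample assertion (hypothetical issuer, SP, NameID and request ID).
ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" '
    'Version="2.0" IssueInstant="2017-03-07T00:00:00Z">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example.com/acs"/>'
    '</saml:SubjectConfirmation></saml:Subject>'
    '<saml:AuthnStatement AuthnInstant="2017-03-07T00:00:00Z"><saml:AuthnContext>'
    '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
    '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
    '</saml:Assertion>'
)


def build_response(body, request_id="_req1"):
    """Wrap an Assertion or EncryptedAssertion in a Response; request_id=None models IdP-initiated."""
    irt = f' InResponseTo="{request_id}"' if request_id else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:xenc="{NS["xenc"]}" ID="_r1" Version="2.0" '
            f'IssueInstant="2017-03-07T00:00:00Z" Destination="https://sp.example.com/acs"{irt}>'
            f'<saml:Issuer>https://idp.example.com</saml:Issuer>{body}</samlp:Response>')


PLAIN_RESPONSE = build_response(ASSERTION)
ENCRYPTED_RESPONSE = build_response(
    '<saml:EncryptedAssertion><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
    '<xenc:CipherData><xenc:CipherValue>' + base64.b64encode(ASSERTION.encode()).decode()
    + '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>')

if __name__ == "__main__":
    print("plaintext:            ", check_response(PLAIN_RESPONSE))
    print("encrypted, no decrypt:", check_response(ENCRYPTED_RESPONSE))
    print("encrypted, decrypted: ", check_response(ENCRYPTED_RESPONSE, decrypt=toy_decrypt))
```

In a real ACS the decrypt callback is backed by an XML Encryption implementation such as xmlsec, and the signature on the Response or on the decrypted Assertion must be verified before any SubjectConfirmation is trusted. The Response's InResponseTo should also be compared against the AuthnRequest ID the SP itself issued and stored, not merely against the assertion's own SubjectConfirmationData, and an unsolicited (IdP-initiated) response must carry no InResponseTo at either level.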

Resolution

Apply HFix-32025.

Published March 7, 2017 - Updated March 21, 2017