Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

SSO setup with SAML 2.0 fails



SSO setup with SAML 2.0 fails.

Error Messages

Unable to process SAML2 Authentication response : Caught Exception while validating SAML2 Authentication response protocol : Received SAML token with invalid status code : urn:oasis:names:tc:SAML:2.0:status:Requester 

With SAML tracer you observe that the authentication request to PingOne is not correct and PingOne returns this error as saml status:

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" /> 
<samlp:StatusMessage>Request was invalid XML</samlp:StatusMessage> 
<Cause>com.pingidentity.common.util.xml.InvalidXmlException: Invalid XML - errors: [error: cvc-datatype-valid.1.1: string value &apos;_k+3Svd26lclY9qXt2Qst7rh9KGE=&apos; does not match pattern for xs:ID]</Cause> 

Steps to Reproduce

Execute SSO setup with SAML 2.0 using PingOne.

Root Cause

The root cause of this problem is a defect in Pegasystems’ code/rules. The error is due to an improper ID being sent. The "+" in the generated ID is causing the issue.


This issue is resolved by HFix-20958 which u
ses the OpenSAML API instead of using UUID for generation of random IDs for all types of WebSSO requests.

Published January 31, 2016 - Updated October 8, 2020

Was this useful?

100% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us