Support Article
SSO setup with SAML 2.0 fails
SA-6544
Summary
Single sign-on (SSO) setup with SAML 2.0 fails when PingOne is the identity provider: PingOne rejects the SAML authentication request because its ID attribute is not a valid xs:ID.
Error Messages
Unable to process SAML2 Authentication response : Caught Exception while validating SAML2 Authentication response protocol : Received SAML token with invalid status code : urn:oasis:names:tc:SAML:2.0:status:Requester
Using the SAML tracer browser extension, you can see that the authentication request sent to PingOne is malformed, and PingOne returns the following SAML status in its response:
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
  <samlp:StatusMessage>Request was invalid XML</samlp:StatusMessage>
  <samlp:StatusDetail>
    <Cause>com.pingidentity.common.util.xml.InvalidXmlException: Invalid XML - errors: [error: cvc-datatype-valid.1.1: string value '_k+3Svd26lclY9qXt2Qst7rh9KGE=' does not match pattern for xs:ID]</Cause>
  </samlp:StatusDetail>
</samlp:Status>
Steps to Reproduce
Configure SAML 2.0 SSO with PingOne as the identity provider and start a login. PingOne rejects the authentication request with the status shown above.
Root Cause
The root cause of this problem is a defect in Pegasystems' code/rules: the ID attribute of the generated SAML request is not a valid xs:ID. The XML Schema type xs:ID is an NCName, which may contain only letters, digits, periods, hyphens and underscores and may not begin with a digit. The generated ID (for example '_k+3Svd26lclY9qXt2Qst7rh9KGE=') contains a "+" (and a trailing "="), characters that are outside that set, so PingOne's schema validation rejects the whole request and returns the Requester status. The SP side does not notice because it does not schema-validate the request it builds.
Resolution
This issue is resolved by HFix-20958, which generates the random IDs for all types of WebSSO requests with the OpenSAML API instead of deriving them from a UUID, so that the resulting IDs satisfy the xs:ID constraints.
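The following is an added example illustrating the root cause and the shape of the fix; it is not Pegasystems' code, not the hotfix, and not the OpenSAML implementation. It checks a request ID against the ASCII subset of the NCName grammar that xs:ID requires, shows why the ID quoted in the StatusDetail above fails, parses a constructed (not captured) minimal AuthnRequest to report the problems PingOne's schema validation would raise, and demonstrates a hypothetical replacement generator that produces only valid xs:ID characters. The function names, the sample request and the generator are assumptions made for this example.

```python
import base64
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# xs:ID is an NCName: first character a letter or '_', then letters, digits,
# '.', '-' or '_'. This is the ASCII subset; NCName also admits many
# non-ASCII letters, but a SAML request ID never needs them.
NCNAME_ASCII = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")
NCNAME_CHAR = re.compile(r"[A-Za-z0-9._-]")

# The ID quoted in the StatusDetail on this page.
FAILING_ID = "_k+3Svd26lclY9qXt2Qst7rh9KGE="


def is_valid_xs_id(value: str) -> bool:
    """True if value is acceptable as an xs:ID (for example samlp:AuthnRequest/@ID)."""
    return bool(NCNAME_ASCII.match(value))


def offending_chars(value: str) -> list[str]:
    """Characters of value that an xs:ID may never contain, in first-seen order."""
    seen: list[str] = []
    for c in value:
        if not NCNAME_CHAR.match(c) and c not in seen:
            seen.append(c)
    return seen


def base64_style_id(raw: bytes) -> str:
    """'_' + standard Base64 of raw bytes, the shape of the failing ID on this page.
    Standard Base64 uses '+', '/' and '=' padding, none of which are NCName characters,
    so an ID built this way can never be a valid xs:ID when padding or '+' / '/' occur."""
    return "_" + base64.b64encode(raw).decode("ascii")


def safe_request_id(nbytes: int = 20) -> str:
    """Hypothetical replacement generator (assumption, not the hotfix's code):
    '_' prefix so the ID cannot start with a digit, then hex of CSPRNG bytes,
    so only [0-9a-f] follow. 20 bytes give 160 bits of entropy."""
    return "_" + secrets.token_hex(nbytes)


def sample_authn_request(req_id: str) -> str:
    """Constructed minimal AuthnRequest (not a capture from the page) carrying req_id."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="{req_id}" Version="2.0" '
        'IssueInstant="2016-01-31T00:00:00Z" '
        'AssertionConsumerServiceURL="https://sp.example.com/acs"/>'
    )


def authn_request_id_problems(xml_text: str) -> list[str]:
    """Parse an AuthnRequest and report why schema validation would reject its ID.
    ElementTree does not schema-validate, so it accepts a bad ID silently; this is
    exactly why the SP does not notice and only the IdP complains. This function
    performs the NCName check that the IdP's schema validation performs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]
    req_id = root.get("ID")
    if req_id is None:
        return ["ID attribute is missing"]
    if not req_id:
        return ["ID is empty"]
    problems = [f"ID contains {c!r}, not allowed in xs:ID" for c in offending_chars(req_id)]
    if req_id[:1].isdigit() or req_id[:1] in ("-", "."):
        problems.append("ID may not start with a digit, '-' or '.'")
    return problems


if __name__ == "__main__":
    print(FAILING_ID, "->", offending_chars(FAILING_ID))
    print(authn_request_id_problems(sample_authn_request(FAILING_ID)))
    # Any '_' + Base64(SHA-1) ID ends in '=' because 20 bytes encode to 28 chars with one pad.
    print(base64_style_id(hashlib.sha1(b"example").digest()), is_valid_xs_id(
        base64_style_id(hashlib.sha1(b"example").digest())))
    good = safe_request_id()
    print(good, is_valid_xs_id(good), authn_request_id_problems(sample_authn_request(good)))
```

Running the script shows that the page's ID fails on "+" and "=", that any '_' + Base64(SHA-1) ID is invalid because the 28-character encoding of 20 bytes always carries one "=" pad, and that the hex-based generator yields an ID that passes the same check. The same authn_request_id_problems() check is a cheap guard to run on the SP side before a request is ever signed and sent, since a non-validating XML library will not catch it.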
Published January 31, 2016 - Updated October 8, 2020