Ping Federate : Single sign-on authentication was unsuccessful

Runcorn · May 26, 2014 · Viewed 8.9k times

I am getting this issue while implementing PingFederate:

Error - Single Sign-On
Single sign-on authentication was unsuccessful (reference # TAELHKAD).
Please contact your system administrator for assistance regarding this error.
Partner: localhost:default:entityId
Target Resource: http://sp-connection.com 

But the server log doesn't show any error message or indication:

16:32:32,854 DEBUG [IntegrationControllerServlet] GET: https://localhost:9031/idp/startSSO.ping
16:32:32,856 DEBUG [IdpAdapterSupportBase] IdP Adapter Selection disabled, performing legacy adapter selection.
16:32:32,859 DEBUG [InterReqStateMgmtMapImpl] Object removeAttr(key: null, name: NUMBER_OF_ATTEMPTS): null
16:32:32,860 DEBUG [AttributeMap] Ignoring attempt to add null value to attribute map for context.TargetResource
16:32:32,860 DEBUG [AttributeMapping] Source attributes:{not-before=2014-05-26T10:47:32Z, authnContext=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, subject=joe, userId=joe, context.AuthenticationCtx=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, context.ClientIp=127.0.0.1, not-on-or-after=2014-05-26T10:52:32Z, renew-until=2014-05-26T22:47:32Z, password=test, context.HttpRequest=/idp/startSSO.ping} Resulting attributes:{SAML_SUBJECT=joe}
16:32:32,862 DEBUG [TrackingIdSupport] [cross-reference-message] PFSessionXRefID:MzqNiwww3_exb1uk7K60oH69Wzx
16:32:32,863 DEBUG [IdpSessionRegistryMapImpl] registerSessionIssued: authnbean a6fff81d8b37477eb3f90824fdc8f2d3adb847c2 | assertion id MzqNiwww3_exb1uk7K60oH69Wzx
16:32:32,863 DEBUG [IdpSessionRegistryMapImpl] registerAuthnBean IdpHashableAuthnBean: a6fff81d8b37477eb3f90824fdc8f2d3adb847c2 with session id PedsaJJVNrmTayLjKvIOvz. Session now has 15 beans associated with it.
16:32:32,863 DEBUG [TrackingIdSupport] [cross-reference-message] entityid:sbwb-ppc-idp subject:joe
16:32:32,885 DEBUG [LoggingInterceptor] Transported Response. OutMessageContext:
OutMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>localhost:default:entityId</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
      <saml:AudienceRestriction>
        <saml:Audience>sbwb-ppc-idp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
entityId: sbwb-ppc-idp (SP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Endpoint: https://localhost:9031/sp/ACS.saml2
SignaturePolicy: BINDING_DEFAULT

16:32:32,942 DEBUG [ProtocolControllerServlet] ---REQUEST (POST)/sp/ACS.saml2 from 127.0.0.1: 
---PARAMETERS---
SAMLResponse:
   ...

16:32:32,942 DEBUG [BindingFactory] POST
 with Params: [SAMLResponse]
 assume binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
 from: 127.0.0.1
 Referer: https://localhost:9031/idp/startSSO.ping?PartnerSpId=sbwb-ppc-idp&IdpAdapterId=sbwbinstance&opentoken=T1RLAQJ-xGLJVNYpt6wbFuBEdkTdV_H7ExDDab6qMWCtnsV-8a8MiZQoAACgJ8IrzSTee9EIMxp11drk1ECkiKk5ogNZpGTfMN64-QOJsNBdeMKeU-L3-iD0HjNKDFOoTFVbhtUr20WUp22RVpp8KtvErnHQ984ZAj9AD5h4DU_OVA1cpDDcF9zZVqC_EpLZkUoK3vH9oj5B0cBpIM7QpIOVys4YZXx6-83C7RgpoWg7nAFK_Yx0JtnrS7Nd-bc8EVcVIdSUhVcsSxBAnQ**
 AuthType: null
 Content-Type: application/x-www-form-urlencoded
16:32:32,955 DEBUG [LoggingInterceptor] Received InMessageContext:
InMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>localhost:default:entityId</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
      <saml:AudienceRestriction>
        <saml:Audience>sbwb-ppc-idp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
entityId: localhost:default:entityId (IDP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SignatureStatus: VALID
Binding says to sign: true

16:32:32,965 WARN  [AudienceEvaluator] no protocol: sbwb-ppc-idp when checking audience sbwb-ppc-idp against https://localhost:9031
16:32:32,966 WARN  [ValidateWebSsoResponse] Invalid assertion 
Assertion (MzqNiwww3_exb1uk7K60oH69Wzx) Status: INVALID
Remarks:
Assertion audience condition validation failed, expecting localhost:default:entityId or a URL with the same hostname as the base URL (https://localhost:9031) in all audience restriction conditions.  
16:32:32,967 DEBUG [TrackingIdSupport] [cross-reference-message] entityid:null subject:null
16:32:32,968 WARN  [HandleAuthnResponse] Invalid response: InMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>localhost:default:entityId</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
      <saml:AudienceRestriction>
        <saml:Audience>sbwb-ppc-idp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
entityId: localhost:default:entityId (IDP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SignatureStatus: VALID
Binding says to sign: true
-------------------------------------
(reference# RMCQDOUY) Response contains no valid assertions: [
Assertion (MzqNiwww3_exb1uk7K60oH69Wzx) Status: INVALID
Remarks:
Assertion audience condition validation failed, expecting localhost:default:entityId or a URL with the same hostname as the base URL (https://localhost:9031) in all audience restriction conditions.  ]. InMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>localhost:default:entityId</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
      <saml:AudienceRestriction>
        <saml:Audience>sbwb-ppc-idp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
entityId: localhost:default:entityId (IDP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SignatureStatus: VALID
Binding says to sign: true

-------------------------------------

I have the following Configuration :

  • PF server acts as both IdP and SP server.
  • Query Parameter is used for transporting OpenToken from the IdP application to PF.
  • I have created two adapters for IdP and SP.
  • And an SP Connection on the IdP side (I am yet to configure IdP Connections).
  • An IdP adapter to SP adapter mapping; I have used the default data.zip as the base foundation of PF.

And I am stuck at this protocol endpoint: https://localhost:9031/sp/ACS.saml2

Question

  1. Am I missing something in the Adapter Mapping?
  2. How does PF map/know which adapter to hit for SP-side OpenToken generation?

Any hint/clue would be much appreciated. Thanks.

Answer

Ian · May 27, 2014

The server.log states what the error is:

16:32:32,965 WARN  [AudienceEvaluator] no protocol: sbwb-ppc-idp when checking audience sbwb-ppc-idp against https://localhost:9031    
16:32:32,966 WARN  [ValidateWebSsoResponse] Invalid assertion 
    Assertion (MzqNiwww3_exb1uk7K60oH69Wzx) Status: INVALID
    Remarks:
    Assertion audience condition validation failed, expecting localhost:default:entityId or a URL with the same hostname as the base URL (https://localhost:9031) in all audience restriction conditions. 

The SAML Response is being generated correctly but your SP is expecting a different Audience value than what you are sending. Your IDP is generating an Audience value of:

<saml:Audience>sbwb-ppc-idp</saml:Audience>

But it is expecting to receive localhost:default:entityId.

I've noticed you've opened a few cases now on basic setup. Have you been in contact with your Ping Solutions Architect yet to help answer some of these questions?
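To make the failing check concrete, here is an added example in Python; it is not code from the question, the answer or PingFederate itself. It implements an SP-side validator that applies the conditions the server.log above shows PingFederate evaluating (Destination, StatusCode, the NotBefore/NotOnOrAfter window and the AudienceRestriction), using the acceptance rule exactly as the log's remark states it: the audience must be the SP's own entity ID, or a URL whose hostname matches the base URL. The names SpConfig, assertion_remarks and response_remarks are this example's own. The sample input is the posted Response, trimmed to the elements these checks read and with the ds:Signature element dropped; signature verification is deliberately not modelled here (the log already reports SignatureStatus: VALID, and a real SP must verify it before looking at any condition).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

@dataclass
class SpConfig:
    entity_id: str   # this SP's entity ID, the value Audience must carry
    base_url: str    # PingFederate base URL; same-host URL audiences also pass
    acs_url: str     # the ACS URL the Response must be addressed to
    clock_skew: timedelta = timedelta(0)

def status(remarks: list) -> str:
    return "INVALID" if remarks else "VALID"

def parse_instant(value: str) -> datetime:
    """SAML xs:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def audience_acceptable(audience: str, cfg: SpConfig) -> bool:
    """The rule in the log's remark: the SP entity ID itself, or a URL whose
    hostname matches the base URL. 'sbwb-ppc-idp' has no scheme at all,
    which is what the AudienceEvaluator 'no protocol' warning is saying."""
    if audience == cfg.entity_id:
        return True
    parsed = urlparse(audience)
    return bool(parsed.scheme) and parsed.hostname == urlparse(cfg.base_url).hostname

def assertion_remarks(assertion: ET.Element, cfg: SpConfig, now: datetime) -> list:
    """Condition checks on one assertion; an empty list means it is valid."""
    remarks, skew = [], cfg.clock_skew
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_instant(nb):
        remarks.append(f"not yet valid (NotBefore {nb})")
    if noa and now - skew >= parse_instant(noa):
        remarks.append(f"expired (NotOnOrAfter {noa})")
    # Every AudienceRestriction must name an audience this SP accepts. Having
    # none at all is rejected too (this example's policy): a bearer assertion
    # without an audience could be replayed at any other SP trusting the IdP.
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        remarks.append("no AudienceRestriction condition")
    for r in restrictions:
        auds = [a.text or "" for a in r.findall("saml:Audience", NS)]
        if not any(audience_acceptable(a, cfg) for a in auds):
            remarks.append(f"audience condition failed: expected {cfg.entity_id} "
                           f"or a URL on the host of {cfg.base_url}, got {auds}")
    return remarks

def response_remarks(xml_text: str, cfg: SpConfig, now: datetime) -> list:
    """Mirror of what ValidateWebSsoResponse logged: Response addressed to this
    ACS with Success status, and at least one assertion passing every check."""
    root = ET.fromstring(xml_text)
    remarks = []
    if root.get("Destination") != cfg.acs_url:
        remarks.append(f"Destination {root.get('Destination')!r} is not this ACS")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        remarks.append("StatusCode is not Success")
    results = {a.get("ID"): assertion_remarks(a, cfg, now)
               for a in root.findall("saml:Assertion", NS)}
    if all(results.values()):   # every assertion has remarks, or there are none
        remarks.append("Response contains no valid assertions: " + "; ".join(
            f"Assertion ({i}) INVALID: {', '.join(r)}" for i, r in results.items()))
    return remarks

# Constructed test input: the Response from the posted log, trimmed to the
# elements checked above and with the ds:Signature element dropped.
POSTED_RESPONSE = """<samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd"
  IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>localhost:default:entityId</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0">
    <saml:Issuer>localhost:default:entityId</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
      <saml:AudienceRestriction><saml:Audience>sbwb-ppc-idp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# The same Response carrying the Audience the answer says this SP expects.
FIXED_RESPONSE = POSTED_RESPONSE.replace("<saml:Audience>sbwb-ppc-idp</saml:Audience>",
                                         "<saml:Audience>localhost:default:entityId</saml:Audience>")
SP_CONFIG = SpConfig(entity_id="localhost:default:entityId",
                     base_url="https://localhost:9031",
                     acs_url="https://localhost:9031/sp/ACS.saml2")
NOW = datetime(2014, 5, 26, 10, 47, 33, tzinfo=timezone.utc)   # one second after IssueInstant
EXPIRED_AT = NOW + timedelta(minutes=10)                        # past NotOnOrAfter
```

Running response_remarks(POSTED_RESPONSE, SP_CONFIG, NOW) reproduces the log's verdict (INVALID, audience condition failed), while FIXED_RESPONSE yields no remarks, and the same fixed Response evaluated at EXPIRED_AT fails on NotOnOrAfter instead. The log itself shows where the mismatch comes from: on the outgoing side the IdP's SP connection is keyed as "entityId: sbwb-ppc-idp (SP)" and that value is what lands in the Audience, but the receiving side of the same PingFederate instance identifies itself as localhost:default:entityId. The audience check is not pedantry: an assertion whose audience does not name the SP is, from the SP's point of view, a token minted for someone else, and accepting it would let a bearer assertion issued for one relying party be replayed at another. Separately, the posted Response is signed with rsa-sha1 and a sha1 digest; that was common in 2014, but a current deployment should be configured for RSA-SHA256.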