
Common SAML2 authentication errors on IMiS ARChive server

Product: IMiS/ARChive
Release: Since 10.3.2210
Date: 10/27/2023

Case: Several different errors may occur during the SAML2 authentication process with IMiS ARChive Server. This article presents a few examples of such errors and explains how to resolve them.

Description:

The SAML2 authentication process with IMiS ARChive Server may fail with a number of different errors. Most of them are caused by a misconfiguration between IMiS ARChive Server and the external identity provider. The following examples demonstrate a few such misconfiguration errors and how to solve them.

Example 1: AudienceRestriction mismatch.

This example demonstrates the error that occurs when the SAML2 "Audience" value in the assertion does not match any of the "AudienceWhitelist" values configured on IMiS ARChive Server.

Server log stacktrace:

10/19/23 09:45:58.120 [iarcd:9183:7f285b7fe700] ERR[3] Error occurred while validating payload with AAA plugin '083c3041-6ece-4697-9ecb-6b83be00332f'. Reason: 'Error occurred while calling 'validate'. Reason: com.imis.imisarc.server.aaa.AuthenticationException: Failed to validate SAML2 assertion.
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.validateAssertion(GenericSAML2Validator.java:272)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.parseAndValidate(GenericSAML2Validator.java:191)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.executeValidate(GenericSAML2Validator.java:178)
  com.imis.imisarc.server.aaa.impl.GenericAAAObject.validate(GenericAAAObject.java:99)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.validate(GenericSAML2Validator.java:1)
Caused by: org.opensaml.saml.common.assertion.AssertionValidationException: Failed to validate SAML2 assertion (status 'INVALID'). Reason: 'Condition '{urn:oasis:names:tc:SAML:2.0:assertion}AudienceRestriction' of type 'null' in assertion '_gUPBxORmxWaUVC0FIo6i8kPPr6wIa1Fd' was not valid.: None of the audiences within Assertion '_gUPBxORmxWaUVC0FIo6i8kPPr6wIa1Fd' matched the list of valid audiances'.
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.validateAssertion(GenericSAML2Validator.java:267)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.parseAndValidate(GenericSAML2Validator.java:191)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.executeValidate(GenericSAML2Validator.java:178)
  com.imis.imisarc.server.aaa.impl.GenericAAAObject.validate(GenericAAAObject.java:99)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.validate(GenericSAML2Validator.java:1)'

SAML2 response snippet:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_b7fa474c75a6aeac66a9" InResponseTo="qgzI-akOF9fF3HIEP-KBnZf9tpSdBQb1JCL_8XJa-VvQBWhUCsyS2-XYpiCyfTXTA" Version="2.0" IssueInstant="2023-10-19T07:45:55.227Z" Destination="response_url">
...
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_gUPBxORmxWaUVC0FIo6i8kPPr6wIa1Fd" IssueInstant="2023-10-19T07:45:55.226Z">
...
    <saml:Conditions NotBefore="2023-10-19T07:45:55.226Z" NotOnOrAfter="2023-10-19T08:45:55.226Z">
      <saml:AudienceRestriction>
        <saml:Audience>audience2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
...
  </saml:Assertion>
</samlp:Response>

Plugin configuration:

<Arguments>
    <Class>com.imis.imisarc.server.aaa.impl.GenericSAML2Validator</Class>
    <EntityId>urn:tenant-id.idp.provider</EntityId>
    <OnlineIDPMetadata>https://tenant-id.idp.provider/samlp/metadata/tenant-application-id</OnlineIDPMetadata>
    <AudienceWhitelist>audience1</AudienceWhitelist>
    <SubjectConformationValidRecipient>https://path-to-saml2-assertion-endpoint</SubjectConformationValidRecipient>
    <Field key="sys:dir:lid:Subject" type="string">int:saml2:Subject</Field>
    <Field key="sys:dir:lid:Issuer" type="string">sys:dir:lid:Issuer</Field>
</Arguments>

To fix this kind of error, either add a new "AudienceWhitelist" tag whose value matches the "Audience" value from the assertion, or correct the value of the existing "AudienceWhitelist" tag.

Example 2: SubjectConfirmationMethod mismatch.

This example demonstrates the error that occurs when the "Recipient" attribute of the SAML2 "SubjectConfirmationData" element does not match the "SubjectConformationValidRecipient" value in the IMiS ARChive Server plugin configuration.

Server log stacktrace:

10/19/23 09:47:54.926 [iarcd:9183:7f2859ffb700] ERR[3] Error occurred while validating payload with AAA plugin '083c3041-6ece-4697-9ecb-6b83be00332f'. Reason: 'Error occurred while calling 'validate'. Reason: com.imis.imisarc.server.aaa.AuthenticationException: Failed to validate SAML2 assertion.
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.validateAssertion(GenericSAML2Validator.java:272)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.parseAndValidate(GenericSAML2Validator.java:191)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.executeValidate(GenericSAML2Validator.java:178)
  com.imis.imisarc.server.aaa.impl.GenericAAAObject.validate(GenericAAAObject.java:99)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.validate(GenericSAML2Validator.java:1)
Caused by: org.opensaml.saml.common.assertion.AssertionValidationException: Failed to validate SAML2 assertion (status 'INVALID'). Reason: 'No subject confirmation methods were met for assertion with ID '_v2TG4OYpsEXvXfLiGxuU9HoKb10TG5Mj''.
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.validateAssertion(GenericSAML2Validator.java:267)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.parseAndValidate(GenericSAML2Validator.java:191)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.executeValidate(GenericSAML2Validator.java:178)
  com.imis.imisarc.server.aaa.impl.GenericAAAObject.validate(GenericAAAObject.java:99)
  com.imis.imisarc.server.aaa.impl.GenericSAML2Validator.validate(GenericSAML2Validator.java:1)'

SAML2 response snippet:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1b38c28809bf4d52acae" InResponseTo="rRuFa_szLQ568wjJ39t64hCwzHgu0OzbMGf0sP8Bmn9fagcn9Tulul7FQtQquQmi6" Version="2.0" IssueInstant="2023-10-19T07:47:52.080Z" Destination="destination_url">
...
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_v2TG4OYpsEXvXfLiGxuU9HoKb10TG5Mj" IssueInstant="2023-10-19T07:47:52.079Z">
...
    <saml:Subject>
...
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2023-10-19T08:47:52.079Z" Recipient="https://path-to-saml2-assertion-endpoint2" InResponseTo="rRuFa_szLQ568wjJ39t64hCwzHgu0OzbMGf0sP8Bmn9fagcn9Tulul7FQtQquQmi6"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
...
  </saml:Assertion>
</samlp:Response>

Plugin configuration:

<Arguments>
    <Class>com.imis.imisarc.server.aaa.impl.GenericSAML2Validator</Class>
    <EntityId>urn:tenant-id.idp.provider</EntityId>
    <OnlineIDPMetadata>https://tenant-id.idp.provider/samlp/metadata/tenant-application-id</OnlineIDPMetadata>
    <AudienceWhitelist>audience1</AudienceWhitelist>
    <SubjectConformationValidRecipient>https://path-to-saml2-assertion-endpoint</SubjectConformationValidRecipient>
    <Field key="sys:dir:lid:Subject" type="string">int:saml2:Subject</Field>
    <Field key="sys:dir:lid:Issuer" type="string">sys:dir:lid:Issuer</Field>
</Arguments>

To fix this kind of error, either add a new "SubjectConformationValidRecipient" tag whose value matches the "Recipient" attribute of "SubjectConfirmationData", or correct the value of the existing "SubjectConformationValidRecipient" tag.
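The two checks behind Examples 1 and 2 can be reproduced offline before touching the server: the following added script (not part of the IMiS product or of this article) parses an "Arguments" block and an IdP response with the Python standard library and reports which configured value the assertion would fail against. The configuration and response strings are constructed to carry the mismatching values from the two examples above; replace them with your own.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed plugin configuration, reduced to the two tags the checks use.
PLUGIN_CONFIG = """<Arguments>
    <AudienceWhitelist>audience1</AudienceWhitelist>
    <SubjectConformationValidRecipient>https://path-to-saml2-assertion-endpoint</SubjectConformationValidRecipient>
</Arguments>"""

# Constructed IdP response carrying the mismatching values from Examples 1 and 2.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_constructed">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://path-to-saml2-assertion-endpoint2"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>audience2</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def load_plugin_config(xml_text):
    """Collect whitelisted audiences and valid recipients; both tags may repeat."""
    root = ET.fromstring(xml_text)
    return {
        "audiences": {e.text.strip() for e in root.findall("AudienceWhitelist")},
        "recipients": {e.text.strip() for e in root.findall("SubjectConformationValidRecipient")},
    }

def find_mismatches(response_xml, cfg):
    """Return the configuration checks the assertion would fail (empty list = both pass)."""
    assertion = ET.fromstring(response_xml).find(SAML + "Assertion")
    problems = []
    # Check 1 (Example 1): at least one <Audience> must appear on the AudienceWhitelist.
    audiences = {a.text.strip() for a in assertion.iter(SAML + "Audience")}
    if not audiences & cfg["audiences"]:
        problems.append("AudienceRestriction: %s not in AudienceWhitelist %s" % (sorted(audiences), sorted(cfg["audiences"])))
    # Check 2 (Example 2): a bearer SubjectConfirmation must name a configured Recipient.
    recipients = set()
    for sc in assertion.iter(SAML + "SubjectConfirmation"):
        data = sc.find(SAML + "SubjectConfirmationData")
        if sc.get("Method") == BEARER and data is not None:
            recipients.add(data.get("Recipient"))
    if not recipients & cfg["recipients"]:
        problems.append("SubjectConfirmationData: Recipient %s not in SubjectConformationValidRecipient %s" % (sorted(recipients), sorted(cfg["recipients"])))
    return problems
```

Calling find_mismatches(SAML_RESPONSE, load_plugin_config(PLUGIN_CONFIG)) on the constructed inputs returns both the audience and the recipient mismatch; once the whitelist and recipient tags are corrected as described above, it returns an empty list.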

Example 3: Untrusted SAML certificate in IMiS ARChive certificate store

Server log snippet:

10/19/23 10:01:28.651 [iarcd:9183:7f2859ffb700] DBG[7] Linked identity cache certificate validation begin.
10/19/23 10:01:28.652 [iarcd:9183:7f2859ffb700] DBG[7] Certificate is already in cache and will replace certificate body owner. Cached instance: subject: 'CN=dev-zfpypp9t-idp.eu.auth0.com', serial: '20478adbb8bb06c284'.
10/19/23 10:01:28.652 [iarcd:9183:7f2859ffb700] DBG[7] Linked identity cache certificate validation end with error.
10/19/23 10:01:28.652 [iarcd:9183:7f2859ffb700] ERR[3] Error occurred while resolving directory entity from linked identity with AAA plugin '083c3041-6ece-4697-9ecb-6b83be00332f'. Reason: 'Certificate with subject '<certificate subject>', serial '<certificate serial>' is marked as 'deleted' and is therefore untrusted.'

Plugin configuration:

<Arguments>
    <Class>com.imis.imisarc.server.aaa.impl.GenericSAML2Validator</Class>
    <EntityId>urn:tenant-id.idp.provider</EntityId>
    <OnlineIDPMetadata>https://tenant-id.idp.provider/samlp/metadata/tenant-application-id</OnlineIDPMetadata>
    <AudienceWhitelist>audience1</AudienceWhitelist>
    <SubjectConformationValidRecipient>https://path-to-saml2-assertion-endpoint</SubjectConformationValidRecipient>
    <Field key="sys:dir:lid:Subject" type="string">int:saml2:Subject</Field>
    <Field key="sys:dir:lid:Issuer" type="string">sys:dir:lid:Issuer</Field>
    <Field key="sys:dir:lid:EntityX509PEM" type="string">int:saml2:EntityX509PEM</Field>
</Arguments>

To fix this error, either re-enable the disabled certificate through administration, or remove the "sys:dir:lid:EntityX509PEM" Field from the plugin configuration, which skips the certificate check entirely.

Related Documents:

Single sign on configuration using generic SAML2 plugin (IMiS Knowledge database)
