Reputation: 11
WSO2 Identity Server fails to perform authentication: SAML 2.0 consumer URL not reachable
We are using WSO2 Identity Server 4.6.0 for SAML 2.0 based Single Sign-On.
The authentication was working fine when the Assertion Consumer URL of the service provider was directly "accessible" (network connectivity) from the WSO2 IS node.
However, I get an error if I register a new Service Provider with an Assertion Consumer URL which is not directly reachable from the Identity Provider (WSO2 IS), but accessible from the requesting user agent, i.e. the browser.
The user agent request gets redirected to the WSO2 IS (login.do?SAMLRequest=nZP...).
But the POST /commonauth failed with the following: returned status code 302 and a Location header: Location: authenticationendpoint/samlsso_notification.do?status=Error when processing the authentication request!&statusMsg=The message was not recognized by the SAML 2.0 SSO Provider. Please check the logs for more details
For example, the Assertion Consumer URL provisioned was referring to a private IP address only accessible from the requesting browser.
I also tried to provide a hostname instead without success.
TID: [0] [IS] [2014-06-10 17:54:52,344] ERROR {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - The value of sessionDTO is null. This could be due to the hostname settings {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
SAML2.0 based Single Sign On
Any idea why the authentication request failed and why the SSO provider complains about an "unrecognized message"?
Thanks for your support
JS
Upvotes: 1
Views: 2245
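The Redirect-binding flow the question describes, as an added example (not WSO2's code and not from the original post): the browser carries the AuthnRequest to the IdP as a DEFLATE+base64 SAMLRequest query value, and the IdP compares the AssertionConsumerServiceURL in it against the value registered for that Service Provider. The issuer name, the private-network ACS URL and the registry dictionary are constructed; the check mirrors the SAML 2.0 Web Browser SSO profile, where the Response goes back through the browser, not from IdP to SP directly.

```python
import base64
import zlib
from urllib.parse import quote, unquote
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed registry standing in for the Service Providers registered on the IdP
# (hypothetical issuer and a private-network ACS URL the IdP host cannot reach).
REGISTERED_SPS = {
    "example-sp": "https://10.0.0.25/sp/acs",
}

def encode_redirect_request(issuer, acs_url):
    """Build a minimal AuthnRequest and encode it as an HTTP-Redirect binding
    SAMLRequest value: raw DEFLATE (no zlib header) -> base64 -> URL-encode."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_req1" Version="2.0" IssueInstant="2014-06-10T17:54:52Z" '
           f'AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode()) + comp.flush()
    return quote(base64.b64encode(raw).decode(), safe="")

def decode_redirect_request(param):
    """Reverse the encoding and read Issuer and ACS URL from the request."""
    raw = base64.b64decode(unquote(param))
    xml = zlib.decompress(raw, -15).decode()
    root = ET.fromstring(xml)
    issuer = root.find(f"{{{SAML}}}Issuer").text
    return issuer, root.get("AssertionConsumerServiceURL")

def validate_request(param, registry=REGISTERED_SPS):
    """IdP-side check: accept only if the ACS URL exactly matches the value
    registered for the issuer. No connection to the ACS URL is attempted, so
    whether the IdP host can reach it plays no part in the decision."""
    issuer, acs = decode_redirect_request(param)
    if issuer not in registry:
        return False, "unknown issuer"
    if acs != registry[issuer]:
        return False, "ACS URL does not match registered value"
    return True, "ok"
```

A mismatch here (trailing slash, http vs https, hostname vs IP) is rejected on string comparison alone, which is the first thing to check when the IdP reports that it does not recognise the message.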
Reputation: 301
If you have fronted Identity Server with a proxy server or load balancer, please try to configure the server's proxy configuration. [1] http://soasecurity.org/2014/04/11/handling-server-redirects-when-it-is-a-proxy/
Upvotes: 0