SAML SSO Assertion issue

Which IIQ version are you inquiring about?

Version 8.4

Share all details related to your problem, including any error messages you may have received.

Hello Experts,

I am working on SAML SSO to connect to IIQ using PingID but am getting the issue below.

If the HTTP Post binding is used to deliver the Response, the enclosed assertions must be signed

An unknown error occurred processing the SAMLResponse, trying next Authenticator…
java.lang.NullPointerException: Cannot invoke "org.opensaml.saml.saml2.core.Assertion.getID()" because "assertion" is null

Any idea how to fix this issue, or is this coming from the Ping side?

Thanks

Can you share details about how you have configured the SSO in IIQ?

Try enabling the loggers in IIQ (sailpoint.web.sso); also have a look at the syslog, which would have the SAML object. It seems that the Assertion inside your SAML object is null; that could be due to some issue with the configuration and/or the settings on the PING side.

These are the logs.

2024-05-01T00:44:53,373 ERROR https-jsse-nio-8443-exec-7 sailpoint.web.sso.SAMLSSOResponseValidator:127 - If the HTTP Post binding is used to deliver the Response, the enclosed assertions must be signed
2024-05-01T00:44:53,397 ERROR https-jsse-nio-8443-exec-7 sailpoint.web.sso.SAMLSSOAuthenticator:368 - An error occurred verifying the SAML assertion
org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)

2024-05-01T00:44:53,427 ERROR https-jsse-nio-8443-exec-7 sailpoint.web.sso.SAMLSSOAuthenticator:303 - An unknown error occurred processing the SAMLResponse, trying next Authenticator…
java.lang.NullPointerException: Cannot invoke "org.opensaml.saml.saml2.core.Assertion.getID()" because "assertion" is null

You may get more details if you enable the trace logs. However, to fix the error below:

General security error (SAML token security failure)

Ask the PING team to enable the settings to include the certificate and allow signing of the assertion.
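The first error in the log above is IIQ refusing an HTTP-POST SAMLResponse whose Assertion carries no signature. As an added example (not code from this thread or from SailPoint), the helper below decodes a base64 SAMLResponse and reports which ds:Signature elements are present and whether the assertion is plain, encrypted or missing, which is the structural state IIQ complains about. It only checks element presence; it verifies no signature and decrypts nothing, so it is a triage aid, not a replacement for the SP's validation. The sample response is constructed, not a captured IdP message.

```python
import base64
from xml.etree import ElementTree as ET

# Namespaces used by SAML 2.0 protocol/assertion elements and XML-DSig.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def diagnose_saml_response(b64_response: str) -> dict:
    """Structural check of a base64 SAMLResponse from the HTTP-POST binding.
    Reports which ds:Signature elements exist; it verifies nothing."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response: " + root.tag)
    # find() with a direct-child path: the signature of the Response itself,
    # not one nested inside an assertion.
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    unsigned = [a.get("ID", "<no ID>") for a in assertions
                if a.find("ds:Signature", NS) is None]
    if not assertions and not encrypted:
        verdict = "no assertion in Response: SP sees a null assertion"
    elif not assertions:
        verdict = "only EncryptedAssertion present: SP must decrypt first"
    elif unsigned:
        verdict = "unsigned assertion(s): HTTP-POST binding requires signed assertions"
    else:
        verdict = "every assertion carries its own ds:Signature"
    return {"response_signed": response_signed,
            "assertion_count": len(assertions),
            "encrypted_count": len(encrypted),
            "unsigned_assertion_ids": unsigned,
            "verdict": verdict}


def sample_response(assertion_signed: bool) -> str:
    """Constructed minimal SAMLResponse (not a captured IdP message). The
    Signature elements are empty placeholders, enough for the structural check."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">' + sig +
           '<saml:Assertion ID="_a1">' + (sig if assertion_signed else '') +
           '<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Running diagnose_saml_response(sample_response(False)) reproduces the "assertions must be signed" situation; passing True shows what a correctly configured IdP should send. To check a real message, paste the SAMLResponse form field value as the argument.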

I have enabled the logs using the setting below

log4j.logger.sailpoint.web.sso=all and got the details above.

Just to confirm: are both different errors, or did it happen only due to the settings?

These 2 issues seem to be different: one is related to the certificate and the other suggests that the assertion ID is missing. Let's enable the above-mentioned settings and validate.

Also, in your loggers you must be getting the SAML object in the form of XML.

Any idea how to fix that "assertion ID is missing" issue? Below is my code. Are any changes required?

import java.util.List;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;

// Initialize variables
Identity ident = null;

// assumption: nameid-format is unspecified/persistent
String nameId = (String) assertionAttributes.get("nameId");

log.error("****nameId received in Azure assertion=" + nameId);

if (nameId != null) {
    // Build the query: match either login attribute, case-insensitively.
    // Two addFilter() calls would AND the filters; Filter.or combines them
    // so that a match on either attribute is enough (assumed intent).
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.or(
        Filter.ignoreCase(Filter.eq("personnelLoginId", nameId)),
        Filter.ignoreCase(Filter.eq("personnelAdministratorLoginId", nameId))));

    // Lookup the identity based on nameId
    List list = context.getObjects(Identity.class, qo);

    if (null != list && list.size() > 0) {
        ident = (Identity) list.get(0);
        log.error("****identity matching nameId=" + nameId + " FOUND");
        if (list.size() > 1) {
            log.error("****more than one identity matches nameId=" + nameId + "; using the first");
        }
    } else {
        log.error("****identity matching nameId=" + nameId + " NOT FOUND");
    }
} else {
    log.error("****nameId attribute missing from assertion");
}

// return ident
log.error("Return : " + ident);
log.error("Rule executed successfully.");
return ident;
