SAML authentication fails with error: Metadata for issuer <Identity provider issuer URL> wasn't found

Title: SAML authentication fails with error: Metadata for issuer <Identity provider issuer URL> wasn't found
URL Name: SAML-authentication-fails-with-error-Metadata-for-issuer-Identity-provider-issuer-URL-wasn-t-found
Article Number: 000138006
Environment:
Product: OpenEdge
Version: 11.7.4, 12.x
OS: All supported platforms
Other: SAML 2.0
Question/Problem Description
SAML authentication fails with error: Metadata for issuer <Identity provider issuer URL> wasn't found

The error appears after the user has logged in at the identity provider and the browser posts the SAML response back to the service provider.
Steps to Reproduce
Clarifying Information
PASOE application configured to use SAML 2.0 single-sign-on (SSO) authentication.
 
Error Message
Client (e.g. web browser) returns error:

Error: Server responded to <Service provider URL> with status code 401:

Authentication Failed: Error determining metadata contracts : Metadata for issuer <Identity provider issuer URL> wasn't found

Service provider (PASOE) default.<date>.log reads:

Error determining metadata contracts : Metadata for issuer <Identity provider issuer URL> wasn't found
Defect/Enhancement Number
Cause

This error occurs when the SAML response (security token) carries an Issuer that the service provider cannot match to any identity provider in its metadata. PASOE looks up the response's <saml:Issuer> value among the entityID values registered in its identity provider metadata in order to find the signing certificate it must verify the response with; if no entity with that exact Issuer is found (or the matching EntityDescriptor has expired and was therefore not loaded), the response cannot be validated and authentication is rejected with this error.
 
Resolution


Verify the SAML configuration for your PASOE application.
Make sure the identity provider issuer URL is valid and that it is registered as the entityID of the md:EntityDescriptor in metadata\idp.xml. The comparison is an exact string match: scheme (http vs https), host name, letter case and a trailing slash all count, so the entityID in idp.xml must be character-for-character identical to the Issuer the identity provider sends in its SAML response:
 
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-06-14T13:16:11Z" cacheDuration="PT1560950171S" entityID="<identity provider issuer URL>">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIC5DCCAcygAwIBAgIQQh8xZbxCAKpHk......</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<identity provider login URL>"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="<identity provider login URL>"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>

Also check the validUntil attribute. Metadata whose validUntil date has passed is by default not loaded at all, so once that date is reached the identity provider is no longer known and logins start failing with exactly this error even though the entityID is correct (the validUntil in the example above is already in the past). If you maintain idp.xml by hand, either refresh it from the identity provider before it expires or remove the validUntil and cacheDuration attributes from the EntityDescriptor so that the entry never expires. Be aware that removing validUntil also removes the built-in expiry of the identity provider's signing certificate embedded in the file: you then have to replace idp.xml yourself whenever the identity provider rotates its signing key.
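The following script is an added example written for this article; it is not Progress sample code and not part of PASOE. It reproduces offline the two checks described above: it extracts the <saml:Issuer> from a base64-encoded SAMLResponse (the form field the browser posts to the service provider), compares it as an exact string against the entityID values in an idp.xml, and reports whether the matching EntityDescriptor has already passed its validUntil. The metadata and the SAMLResponse are constructed inline with placeholder example.com URLs; the response is unsigned because only the issuer lookup is being demonstrated, not signature verification.

```python
"""Offline check of an idp.xml against a captured SAMLResponse.

Editor's example, not Progress code. The service provider finds the IdP's
signing certificate by looking up the response's <saml:Issuer> among the
entityIDs in its IdP metadata. The lookup fails ("Metadata for issuer ...
wasn't found") when the Issuer string differs from the registered entityID
(even by a trailing slash) or when the EntityDescriptor's validUntil has
passed, because expired metadata is not loaded.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample metadata (placeholder URLs, not a real identity provider).
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2019-06-14T13:16:11Z" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Two evaluation instants: one before, one after the sample validUntil.
BEFORE_EXPIRY = datetime(2019, 1, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2020, 1, 1, tzinfo=timezone.utc)


def registered_issuers(metadata_xml):
    """Map each entityID in the metadata to its validUntil (None if absent).

    Accepts a single EntityDescriptor or an EntitiesDescriptor wrapping several.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        descriptors = [root]
    else:
        descriptors = root.findall("md:EntityDescriptor", NS)
    issuers = {}
    for d in descriptors:
        expiry = None
        valid_until = d.get("validUntil")
        if valid_until:
            # Metadata timestamps are UTC "YYYY-MM-DDThh:mm:ssZ"; fractional seconds not handled.
            expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        issuers[d.get("entityID")] = expiry
    return issuers


def response_issuer(saml_response_b64):
    """Return the <saml:Issuer> text of a base64 SAMLResponse as POSTed by the browser."""
    doc = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer = doc.find("saml:Issuer", NS)
    if issuer is None:  # some IdPs only put Issuer on the Assertion
        issuer = doc.find("saml:Assertion/saml:Issuer", NS)
    return (issuer.text or "").strip() if issuer is not None else ""


def diagnose(metadata_xml, saml_response_b64, now=None):
    """Classify why the SP would (or would not) find metadata for this response."""
    now = now or datetime.now(timezone.utc)
    issuer = response_issuer(saml_response_b64)
    issuers = registered_issuers(metadata_xml)
    if issuer not in issuers:
        def norm(s):  # what an operator usually got wrong: slash or case
            return s.rstrip("/").lower()
        near = [e for e in issuers if norm(e) == norm(issuer)]
        return "ISSUER_NOT_REGISTERED" + (" (near match: %s)" % near[0] if near else "")
    expiry = issuers[issuer]
    if expiry is not None and expiry < now:
        return "METADATA_EXPIRED (validUntil %s)" % expiry.isoformat()
    return "OK"


def make_response(issuer):
    """Build a minimal unsigned SAMLResponse for the demonstration (constructed input)."""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
           '<saml:Issuer>%s</saml:Issuer></samlp:Response>') % (NS["samlp"], NS["saml"], issuer)
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    good = make_response("https://idp.example.com/saml/metadata")
    print(diagnose(IDP_METADATA, good, BEFORE_EXPIRY))
    print(diagnose(IDP_METADATA, good, AFTER_EXPIRY))
    print(diagnose(IDP_METADATA, make_response("https://idp.example.com/saml/metadata/"), BEFORE_EXPIRY))
    print(diagnose(IDP_METADATA, make_response("https://other.example.com/idp"), BEFORE_EXPIRY))
```

To use it against a real failure, paste the contents of your metadata\idp.xml into IDP_METADATA and the SAMLResponse value captured from the browser's POST (for example from the developer tools network tab) into diagnose(); a "near match" result points at a trailing-slash or case difference between the Issuer and the entityID, and METADATA_EXPIRED means the validUntil discussed above has passed.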
 
Workaround
Notes
Progress Article(s):

000093581, How to configure SAML authentication with PASOE?
Last Modified Date: 8/28/2019 2:48 PM
Disclaimer The origins of the information on this site may be internal or external to Progress Software Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to verify this information. However, the information provided is for your information only. Progress Software Corporation makes no explicit or implied claims to the validity of this information.

Any sample code provided on this site is not supported under any Progress support program or service. The sample code is provided on an "AS IS" basis. Progress makes no warranties, express or implied, and disclaims all implied warranties including, without limitation, the implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample code is borne by the user. In no event shall Progress, its employees, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample code, even if Progress has been advised of the possibility of such damages.