
Article

SAML authentication fails with error: Metadata for issuer <Identity provider issuer URL> wasn't found

Information

 
Article Number: 000096832
Environment
Product: OpenEdge
Version: 11.7.4, 12.x
OS: All supported platforms
Other: SAML 2.0
Question/Problem Description
SAML authentication fails with error: Metadata for issuer <Identity provider issuer URL> wasn't found

The error appears after logging in at the identity provider with SAML authentication.
Steps to Reproduce
Clarifying Information
PASOE application configured to use SAML 2.0 single-sign-on (SSO) authentication.
 
Error Message
Client (e.g. web browser) returns the error:

Error: Server responded to <Service provider URL> with status code 401:

Authentication Failed: Error determining metadata contracts : Metadata for issuer <Identity provider issuer URL> wasn't found

Service provider (PASOE) default.<date>.log reads:

Error determining metadata contracts : Metadata for issuer <Identity provider issuer URL> wasn't found
Defect/Enhancement Number
Cause

This error occurs when the security token (SAML response) comes from a different issuer than the one expected based on the identity provider metadata, i.e. the Issuer in the response does not match the entityID registered in idp.xml.
 
Resolution


Verify the SAML configuration for your PASOE application. 
Make sure the identity provider issuer URL is valid and that the URL is registered in metadata\idp.xml:
 
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-06-14T13:16:11Z" cacheDuration="PT1560950171S" entityID="<identity provider issuer URL>">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIC5DCCAcygAwIBAgIQQh8xZbxCAKpHk......</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<identity provider login URL>"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="<identity provider login URL>"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>

You may want to remove the validUntil and cacheDuration attributes from the EntityDescriptor, so that the identity provider metadata (and the entityID it registers) never expires.
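The cause and resolution above describe a lookup the service provider performs on every login: it takes the Issuer from the POSTed SAMLResponse and looks for an EntityDescriptor with exactly that entityID in metadata\idp.xml. The following Python script, added here as an illustration and not part of the article or of PASOE, reproduces that check offline so you can diagnose the mismatch before touching the server. Both the idp.xml and the SAMLResponse are constructed samples modelled on the article's example; the entityID, URLs and certificate-free descriptor are placeholders, and the response Issuer deliberately differs from the metadata entityID by a trailing slash, which is enough to trigger "Metadata for issuer ... wasn't found".

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed idp.xml modelled on the article's example (placeholder values,
# signing certificate omitted for brevity).
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-06-14T13:16:11Z" cacheDuration="PT1560950171S" entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed SAMLResponse as the browser POSTs it to the ACS (base64 of XML).
# Its Issuer carries a trailing slash that the metadata entityID lacks.
SAML_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" IssueInstant="2019-06-01T10:00:00Z" Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/saml/metadata/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""
SAML_RESPONSE_B64 = base64.b64encode(SAML_RESPONSE_XML.encode()).decode()


def _parse_utc(stamp):
    """Parse a SAML dateTime such as 2019-06-14T13:16:11Z into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_idp_metadata(metadata_xml):
    """Return (entityID, validUntil-or-None) from an md:EntityDescriptor."""
    if isinstance(metadata_xml, str):
        metadata_xml = metadata_xml.encode("utf-8")
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("idp.xml root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    valid_until = root.get("validUntil")
    return entity_id, (_parse_utc(valid_until) if valid_until else None)


def response_issuer(saml_response_b64):
    """Decode a POSTed SAMLResponse and return the text of its top-level Issuer."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("SAMLResponse carries no Issuer element")
    return issuer.text.strip()


def check_issuer(metadata_xml, saml_response_b64, now_iso=None):
    """Reproduce the SP-side lookup and return a list of problems (empty = OK).

    The Issuer must match entityID as an exact string: scheme, host, path and
    trailing slash all count, so near-misses are reported as 'not found'.
    """
    entity_id, expiry = load_idp_metadata(metadata_xml)
    issuer = response_issuer(saml_response_b64)
    problems = []
    if issuer != entity_id:
        problems.append(
            f"Metadata for issuer {issuer} wasn't found (idp.xml entityID is {entity_id})"
        )
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    if expiry is not None and now > expiry:
        problems.append(f"idp.xml validUntil {expiry.isoformat()} has already passed")
    return problems


if __name__ == "__main__":
    for line in check_issuer(IDP_METADATA, SAML_RESPONSE_B64) or ["issuer matches metadata"]:
        print(line)
```

Run against a real idp.xml and the SAMLResponse form field copied from the browser's network tab to see which of the two checks fails. If only the validUntil check fails, the metadata has expired and needs refreshing from the identity provider (or the attribute removed, as the article suggests); keep in mind that validUntil is the freshness control for the signing certificate in that file, so metadata without it should be re-downloaded whenever the identity provider rotates its key.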
 
Workaround
Notes
Progress Article(s):

000093581, How to configure SAML authentication with PASOE?
Last Modified Date: 8/28/2019 2:48 PM