This page helps you troubleshoot a CAST AIP Console SAML configuration in which users are unable to access AIP Console through SAML authentication.
CAST AIP Console is a front end web application which provides a means to configure, run, and manage CAST AIP analyses on multiple analysis machines. For more information, refer to:
The AIP Console SAML configuration is described in: SAML authentication
Error Logs
In the GUI, a Whitelabel Error Page is displayed. In the Webi error logs you will see the following error:
03:50:25.900 [https-jsse-nio-443-exec-8] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
Reason
"Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed" is a SAML signature verification error. It indicates that one side of the SAML partnership does not have the correct keys or certificate, or is otherwise misconfigured. The IDP digitally signs the payload (the SAML Assertion) with its private key, and the Console verifies that signature using the IDP's certificate, so the certificate must match the signing key. If the receiver (AIP Console) holds the wrong certificate, or a certificate that does not correspond to the signing key, this signature validation error is the result. So, check your keys and certificates.
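As an added diagnostic (not part of the original article or of CAST's tooling), the following Python script checks whether the certificate carried in a SAML Response's signature is one of the signing certificates published in the IdP metadata the Console has loaded, which is exactly the mismatch the error above describes. The metadata, the Response and the certificate bytes are constructed placeholders (the entity ID and element IDs are made up).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _fingerprint(b64_cert: str) -> str:
    # SHA-256 over the DER bytes; line breaks inside the base64 body are ignored.
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def metadata_signing_fingerprints(metadata_xml: str) -> set[str]:
    """Fingerprints of every certificate the IdP metadata advertises for signing."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        fps.update(_fingerprint(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS))
    return fps

def response_signing_fingerprints(response_xml: str) -> set[str]:
    """Fingerprints of the certificates embedded in the Response's ds:Signature."""
    root = ET.fromstring(response_xml)
    path = ".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {_fingerprint(c.text) for c in root.iterfind(path, NS)}

def signer_known(metadata_xml: str, response_xml: str) -> bool:
    """True when the Response was signed with a certificate the metadata lists."""
    return bool(response_signing_fingerprints(response_xml)
                & metadata_signing_fingerprints(metadata_xml))

# Constructed sample data: the 'certificates' are placeholder bytes, not real X.509.
# Scenario: the IdP rotated its signing key, but the Console still has the old metadata.
OLD_CERT = base64.b64encode(b"constructed-idp-signing-cert-2023").decode()
NEW_CERT = base64.b64encode(b"constructed-idp-signing-cert-2024").decode()
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="https://idp.example.test"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{OLD_CERT}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="{NS['ds']}" ID="_constructed" Version="2.0"><ds:Signature><ds:KeyInfo>
  <ds:X509Data><ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo></ds:Signature></samlp:Response>"""
```

Run it against the metadata file the Console actually loaded and a Response captured from the browser's SAML trace: `signer_known(...)` returning False means the metadata is stale or belongs to a different IdP key, which is the case to fix first.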
Action Plan
Perform the following actions:
- IDP MetaData generation: You must request the IDP MetaData from the Identity Provider you will use. In general, this is provided as an XML file, which must be stored in the following location:
You can also configure the Console to fetch the MetaData as follows:
Relevant input
Ticket # 36491