SAML module leads to NoAuthnContext error

Hi all,

For a customer we've implemented the SAML module from the appstore to provide Single Sign On based on the company's ADFS. In this scenario the configuration works correctly: the user opens an overall login page that is served by the ADFS, selects our application from the list that is configured in the ADFS, and is then correctly logged in to our application. So far so good.

But the following is not working: the user opens our application and is redirected to the page where the SAML module listens. The module tries to send the SAML request and then the following error occurs:

May 11 15:53:55.054 127.0.0.1 tr10000: DEBUG - SAMLSSO: Start processing action (assertion/assertion) with SAMLResponse
May 11 15:53:55.054 127.0.0.1 tr10000: TRACE - SAMLSSO: (1/4) Processing request: /SSO/assertion
May 11 15:53:55.054 127.0.0.1 tr10000: TRACE - SAMLSSO: (2/4) - SAMLRequest: null
May 11 15:53:55.054 127.0.0.1 tr10000: TRACE - SAMLSSO: (3/4) - SAMLResponse: PHNhbWxwOlJlc3BvbnNlIElEPSJfZDZkYzE5YzUtNDQ3My00N2VkLTlhNGItOWQ2Y2M4......
May 11 15:53:55.054 127.0.0.1 tr10000: TRACE - SAMLSSO: (4/4) - RelayState: _5e638f58-08db-4a34-b75e-7eafbf58a7c2
May 11 15:53:55.067 127.0.0.1 tr10000: DEBUG - SAMLSSO: RelayState..:5e638f58-08db-4a34-b75e-7eafbf58a7c2
May 11 15:53:55.118 127.0.0.1 tr10000: ERROR - SAMLSSO: Unable to validate Response, because of error: org.opensaml.xml.validation.ValidationException: Got StatusCode urn:oasis:names:tc:SAML:2.0:status:Responder/urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext should be urn:oasis:names:tc:SAML:2.0:status:Success. Message:
May 11 15:53:55.119 127.0.0.1 tr10000: ERROR - SAMLSSO: (1/51) org.opensaml.common.SAMLException: org.opensaml.xml.validation.ValidationException: Got StatusCode urn:oasis:names:tc:SAML:2.0:status:Responder/urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext should be urn:oasis:names:tc:SAML:2.0:status:Success. Message:
May 11 15:53:55.119 127.0.0.1 tr10000: ERROR - SAMLSSO: (2/51) at saml20.implementation.ArtifactHandler.handleSAMLResponse(ArtifactHandler.java:180)
May 11 15:53:55.119 127.0.0.1 tr10000: ERROR - SAMLSSO: (3/51) at saml20.implementation.ArtifactHandler.handleRequest(ArtifactHandler.java:33)
May 11 15:53:55.119 127.0.0.1 tr10000: ERROR - SAMLSSO: (4/51) at saml20.implementation.SAMLRequestHandler.processRequest(SAMLRequestHandler.java:151)
May 11 15:53:55.119 127.0.0.1 tr10000: ERROR - SAMLSSO: (5/51) at com.mendix.externalinterface.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:69)
May 11 15:53:55.119 127.0.0.1 tr10000: ERROR - SAMLSSO: (6/51) at com.mendix.externalinterface.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:66)
May 11 15:53:55.119 127.0.0.1 tr10000: ERROR - SAMLSSO: (7/51) at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf(Runner.java:32)
May 11 15:53:55.119 127.0.0.1 tr10000: ERROR - SAMLSSO: (8/51) at com.mendix.externalinterface.connector.MxRuntimeConnector.processRequest(MxRuntimeConnector.java:72)
May 11 15:53:55.120 127.0.0.1 tr10000: ERROR - SAMLSSO: (9/51) at com.mendix.core.impl.MxRuntimeImpl.processRequest(MxRuntimeImpl.java:723)
May 11 15:53:55.120 127.0.0.1 tr10000: ERROR - SAMLSSO: (10/51) at com.mendix.m2ee.appcontainer.server.handler.RuntimeHandler.handle(RuntimeHandler.java:41)
May 11 15:53:55.120 127.0.0.1 tr10000: ERROR - SAMLSSO: (11/51) at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
May 11 15:53:55.120 127.0.0.1 tr10000: ERROR - SAMLSSO: (12/51) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
May 11 15:53:55.120 127.0.0.1 tr10000: ERROR - SAMLSSO: (13/51) at org.eclipse.jetty.server.Server.handle(Server.java:368)
May 11 15:53:55.120 127.0.0.1 tr10000: ERROR - SAMLSSO: (14/51) at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
May 11 15:53:55.120 127.0.0.1 tr10000: ERROR - SAMLSSO: (15/51) at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:953)
May 11 15:53:55.120 127.0.0.1 tr10000: ERROR - SAMLSSO: (16/51) at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1014)
May 11 15:53:55.121 127.0.0.1 tr10000: ERROR - SAMLSSO: (17/51) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:861)
May 11 15:53:55.121 127.0.0.1 tr10000: ERROR - SAMLSSO: (18/51) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
May 11 15:53:55.121 127.0.0.1 tr10000: ERROR - SAMLSSO: (19/51) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
May 11 15:53:55.121 127.0.0.1 tr10000: ERROR - SAMLSSO: (20/51) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:628)
May 11 15:53:55.121 127.0.0.1 tr10000: ERROR - SAMLSSO: (21/51) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
May 11 15:53:55.121 127.0.0.1 tr10000: ERROR - SAMLSSO: (22/51) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
May 11 15:53:55.121 127.0.0.1 tr10000: ERROR - SAMLSSO: (23/51) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
May 11 15:53:55.121 127.0.0.1 tr10000: ERROR - SAMLSSO: (24/51) at java.lang.Thread.run(Unknown Source)
May 11 15:53:55.121 127.0.0.1 tr10000: ERROR - SAMLSSO: (25/51)
May 11 15:53:55.121 127.0.0.1 tr10000: ERROR - SAMLSSO: (26/51) Caused by: org.opensaml.xml.validation.ValidationException: Got StatusCode urn:oasis:names:tc:SAML:2.0:status:Responder/urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext should be urn:oasis:names:tc:SAML:2.0:status:Success. Message:
May 11 15:53:55.122 127.0.0.1 tr10000: ERROR - SAMLSSO: (27/51) at saml20.implementation.wrapper.MxSAMLResponse.validateResponse(MxSAMLResponse.java:45)
May 11 15:53:55.122 127.0.0.1 tr10000: ERROR - SAMLSSO: (28/51) at saml20.implementation.wrapper.MxSAMLResponse.validateResponse(MxSAMLResponse.java:59)
May 11 15:53:55.122 127.0.0.1 tr10000: ERROR - SAMLSSO: (29/51) at saml20.implementation.ArtifactHandler.handleSAMLResponse(ArtifactHandler.java:60)
May 11 15:53:55.122 127.0.0.1 tr10000: ERROR - SAMLSSO: (30/51) at saml20.implementation.ArtifactHandler.handleRequest(ArtifactHandler.java:33)
May 11 15:53:55.122 127.0.0.1 tr10000: ERROR - SAMLSSO: (31/51) at saml20.implementation.SAMLRequestHandler.processRequest(SAMLRequestHandler.java:151)
May 11 15:53:55.122 127.0.0.1 tr10000: ERROR - SAMLSSO: (32/51) at com.mendix.externalinterface.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:69)
May 11 15:53:55.122 127.0.0.1 tr10000: ERROR - SAMLSSO: (33/51) at com.mendix.externalinterface.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:66)
May 11 15:53:55.122 127.0.0.1 tr10000: ERROR - SAMLSSO: (34/51) at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf(Runner.java:32)
May 11 15:53:55.122 127.0.0.1 tr10000: ERROR - SAMLSSO: (35/51) at com.mendix.externalinterface.connector.MxRuntimeConnector.processRequest(MxRuntimeConnector.java:72)
May 11 15:53:55.123 127.0.0.1 tr10000: ERROR - SAMLSSO: (36/51) at com.mendix.core.impl.MxRuntimeImpl.processRequest(MxRuntimeImpl.java:723)
May 11 15:53:55.123 127.0.0.1 tr10000: ERROR - SAMLSSO: (37/51) at com.mendix.m2ee.appcontainer.server.handler.RuntimeHandler.handle(RuntimeHandler.java:41)
May 11 15:53:55.123 127.0.0.1 tr10000: ERROR - SAMLSSO: (38/51) at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
May 11 15:53:55.123 127.0.0.1 tr10000: ERROR - SAMLSSO: (39/51) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
May 11 15:53:55.123 127.0.0.1 tr10000: ERROR - SAMLSSO: (40/51) at org.eclipse.jetty.server.Server.handle(Server.java:368)
May 11 15:53:55.123 127.0.0.1 tr10000: ERROR - SAMLSSO: (41/51) at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
May 11 15:53:55.123 127.0.0.1 tr10000: ERROR - SAMLSSO: (42/51) at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:953)
May 11 15:53:55.123 127.0.0.1 tr10000: ERROR - SAMLSSO: (43/51) at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1014)
May 11 15:53:55.123 127.0.0.1 tr10000: ERROR - SAMLSSO: (44/51) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:861)
May 11 15:53:55.124 127.0.0.1 tr10000: ERROR - SAMLSSO: (45/51) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
May 11 15:53:55.124 127.0.0.1 tr10000: ERROR - SAMLSSO: (46/51) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
May 11 15:53:55.124 127.0.0.1 tr10000: ERROR - SAMLSSO: (47/51) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:628)
May 11 15:53:55.124 127.0.0.1 tr10000: ERROR - SAMLSSO: (48/51) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
May 11 15:53:55.124 127.0.0.1 tr10000: ERROR - SAMLSSO: (49/51) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
May 11 15:53:55.124 127.0.0.1 tr10000: ERROR - SAMLSSO: (50/51) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
May 11 15:53:55.124 127.0.0.1 tr10000: ERROR - SAML_SSO: (51/51) at java.lang.Thread.run(Unknown Source)

It looks like there is something wrong with the Authentication Context. We've looked at this context and made sure the contexts were equal to the ones that are configured in the ADFS. What can be wrong here? What do we need to look into?
asked
1 answer

This is the IDP responding with an error code saying that no correct authentication context has been provided.

In your IDP settings you can configure the authentication context (tab page: 'Request Authn Context'). Some IDPs require an option here, while others force you to send nothing.

Connecting to a Windows ADFS server, the most common required Authentication context class is: "Integrated Windows Authentication" | "urn:federation:authentication:windows"

The other commonly used option is: "Secure Remote Password" | "urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword"

If you are connecting with ADFS, I would suggest you validate that you have the Integrated Windows option selected. As I said before, not every ADFS server requires this; the required/allowed options in this list vary over IDPs.

Edit: The options I have seen for most ADFS providers are as follows:
Authentication context class: "Integrated Windows Authentication" | "urn:federation:authentication:windows"
Name ID policy: disabled (check the box so the module doesn't need this policy).
Authentication Context: Minimum (stronger than)

answered
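To make the answer concrete, here is an added example (not code from the Mendix SAML module or from the answer above) that does two things: it builds the RequestedAuthnContext fragment an SP sends with the class ref and "Minimum" comparison recommended above, and it walks the nested StatusCode chain of a SAML Response so a Responder/NoAuthnContext reply, like the one in the question's log, is recognised and reported as a context-configuration problem rather than a generic failure. The Response document is constructed inline for the demonstration; the function names are assumptions.

```python
# Added example: RequestedAuthnContext builder and SAML Response status diagnosis.
# Not the Mendix SAML module's own code; names below are assumptions.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_requested_authn_context(class_refs, comparison="minimum"):
    """Serialize the <samlp:RequestedAuthnContext> the SP puts in its AuthnRequest.
    comparison="minimum" corresponds to the 'Minimum (stronger than)' setting."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison=comparison)
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(rac, encoding="unicode")


def status_codes(response_xml):
    """Return the StatusCode Values of a <samlp:Response>, top level first.
    SAML nests a second-level code (e.g. NoAuthnContext) inside the first (Responder)."""
    root = ET.fromstring(response_xml)
    node = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    codes = []
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find(f"{{{SAMLP}}}StatusCode")
    return codes


def diagnose(response_xml):
    """Map the status chain to an operator-facing verdict."""
    codes = status_codes(response_xml)
    if codes[:1] == [STATUS + "Success"]:
        return "success"
    if STATUS + "NoAuthnContext" in codes:
        return ("idp rejected RequestedAuthnContext: align the class ref and "
                "comparison with what the IdP allows")
    return "idp error: " + "/".join(codes)


# Constructed sample: the error reply shape seen in the question's log.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed-example" Version="2.0" IssueInstant="2015-05-11T13:53:55Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""
```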