Purpose (problem description)

This page will help you solve problems related to the CAST AIP Console configuration with SAML, where you are not able to access AIP Console via SAML authentication.

CAST AIP Console is a front-end web application which provides a means to configure, run, and manage CAST AIP analyses on multiple analysis machines.

For more information on configuring SAML for AIP Console, refer to: SAML authentication

Observed in AIP console versions

Release    Yes/No
1.x        (tick)
2.x        (tick)
Observed in RDBMS

RDBMS                   Yes/No
Oracle Server           N/A
Microsoft SQL Server    N/A
CSS3                    N/A
CSS2                    N/A
ERROR LOGS

In the GUI, the Spring Boot "Whitelabel Error Page" is displayed instead of the Console after the IdP redirects the browser back.

In the Webi (AIP Console front-end) logs, with SAML logging at DEBUG level, the following error is recorded:

03:50:25.900 [https-jsse-nio-443-exec-8] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid

org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid

Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed

Reason

"Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed"

is a SAML signature verification error. It is raised by the OpenSAML security policy rule that checks the XML signature on the incoming SAML protocol message, i.e. the SAMLResponse the IdP posts back to the Console.

One side of the SAML partnership does not have the correct key or certificate, or is otherwise misconfigured:

- The IdP digitally signs the SAML Response (and usually the Assertion inside it) with its private signing key.
- AIP Console verifies that signature with the IdP signing certificate it reads from the IdP metadata file it was configured with.
- The certificate must correspond to the key that actually produced the signature. If the Console holds the wrong certificate, or a certificate that does not correspond to the signing key (for example because the IdP rotated its signing key and the metadata file on the Console is stale), validation fails with this error.

The error is the verification working as intended: a Response whose signature cannot be checked against a trusted certificate has to be rejected, otherwise anyone could forge an assertion and log in as any user. Fix the key/certificate mismatch; do not work around it by disabling signature validation.

So, check your keys.

Action Plan

Perform the actions below.

  1. Confirm that the certificate the Console trusts matches the key the IdP signs with. The IdP digitally signs the SAML Response with its private key and the receiving party (AIP Console) verifies the signature using the IdP certificate from its copy of the IdP metadata. The certificate needs to match the key: if the receiver has the wrong certificate, or a certificate that does not correspond to the signing key, this signature validation error is raised. Compare the signing certificate in the Console's IdP metadata file with the certificate the IdP currently signs with (their fingerprints must be identical) and refresh the metadata file if they differ.

- IDP MetaData

You must request the IDP MetaData from the Identity Provider you will use. In general, this is provided as an XML file, and this file must be stored in the following location:

Windows: <console_installation>\AipConsole\data
Linux: $HOME/CAST/AipConsole/data
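As an added diagnostic for step 1 above (example code written for this page, not part of CAST AIP Console), the following standard-library Python script compares the SHA-256 fingerprint of the signing certificate(s) in the IdP metadata file kept in the data directory with the certificate the IdP embedded in the signed SAMLResponse (capture it from a browser SAML tracer or from the Webi DEBUG log). The file names saml_cert_check.py, idp-metadata.xml and saml_response.b64, the entityID, and the certificate bytes are constructed placeholders, not real certificates or CAST-specific values.

```python
"""Does the IdP certificate trusted by AIP Console (from its IdP metadata file)
match the certificate the IdP sent with a signed SAMLResponse?
Added example, standard library only; not CAST code."""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint of a base64 (PEM body) certificate, whitespace tolerant.
    Same value as: openssl x509 -in cert.pem -noout -fingerprint -sha256"""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest().upper()


def metadata_signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate the IdP metadata offers for signing.
    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it counts; use="encryption" is irrelevant to this check."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if cert.text:
                fps.add(cert_fingerprint(cert.text))
    return fps


def response_signing_fingerprints(saml_response_b64: str) -> set:
    """Fingerprints of certificates embedded in ds:Signature/ds:KeyInfo of a
    base64 SAMLResponse (message-level and assertion-level signatures alike)."""
    root = ET.fromstring(base64.b64decode("".join(saml_response_b64.split())))
    fps = set()
    for sig in root.iterfind(".//ds:Signature", NS):
        for cert in sig.iterfind(".//ds:X509Certificate", NS):
            if cert.text:
                fps.add(cert_fingerprint(cert.text))
    return fps


def diagnose(metadata_xml: str, saml_response_b64: str) -> str:
    trusted = metadata_signing_fingerprints(metadata_xml)
    presented = response_signing_fingerprints(saml_response_b64)
    if not trusted:
        return "NO_SIGNING_CERT_IN_METADATA"  # metadata file is unusable as-is
    if not presented:
        return "NO_CERT_IN_RESPONSE"  # IdP omits KeyInfo: compare against its published cert
    # Any overlap is enough: during key rotation metadata may list old and new certs.
    return "MATCH" if trusted & presented else "MISMATCH"


# Constructed sample data (not real certificates): placeholder DER bytes stand in
# for two IdP certificates; only their fingerprints matter for this check.
CERT_A = base64.b64encode(b"constructed placeholder for IdP signing cert A").decode()
CERT_B = base64.b64encode(b"constructed placeholder for IdP signing cert B").decode()


def sample_metadata(cert_b64: str) -> str:
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '</md:IDPSSODescriptor></md:EntityDescriptor>'
    )


def sample_response(cert_b64) -> str:
    """Base64 SAMLResponse trimmed to the elements this check reads (no
    SignedInfo/SignatureValue); None models an IdP that omits its certificate."""
    sig = ""
    if cert_b64 is not None:
        sig = ('<ds:Signature><ds:KeyInfo><ds:X509Data>'
               f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
               '</ds:X509Data></ds:KeyInfo></ds:Signature>')
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
           f'{sig}<samlp:Status/></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Real use: python saml_cert_check.py idp-metadata.xml saml_response.b64
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as md, open(sys.argv[2]) as resp:
            print(diagnose(md.read(), resp.read()))
    else:
        print("stale metadata:", diagnose(sample_metadata(CERT_A), sample_response(CERT_B)))
        print("refreshed:     ", diagnose(sample_metadata(CERT_A), sample_response(CERT_A)))
```

MISMATCH reproduces the situation behind the error: the metadata file in the data directory carries a certificate that does not correspond to the key the IdP signed with, so replace the file with freshly exported IdP metadata and restart the Console. NO_CERT_IN_RESPONSE means the IdP does not embed its certificate in KeyInfo; compare the metadata fingerprint against the certificate the IdP publishes instead (openssl x509 -in idp-signing.pem -noout -fingerprint -sha256 gives the same value). This is a first-line check, not a signature verification: if the fingerprints match and the error persists, the cause is not the trusted certificate and the full DEBUG log needs to be examined.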

You can also configure the Console to fetch MetaData as follows:

 

Relevant input

Notes/comments

Ticket # 36491

Related Pages