- The user visits the web application.
- The user logs in with the requested method. Nexus GO sends an authentication response.
- The user is redirected to the Validation URL, as specified in the environment.
- The authentication response is validated.
- The user is either logged in or denied.
Initiation errors and solutions
These errors are thrown when calling:
public static LibrarySamlEngine initialize(...)
Code | Message | Proposed Solution | Note |
---|---|---|---|
100 | Invalid configurationPath argument | Verify that the specified folder exists. | |
101 | IDP metadata file not found | ||
102 | Failed to read IDP metadata | Verify correct access to read the file. | Used in java |
103 | IDP metadata file not valid xml | The wrong file was specified, or the file has been altered so that it is no longer valid XML. | |
104 | IDP metadata has an invalid SingleSignOnServices location | | Used in java |
105 | IDP metadata has invalid certificate | The metadata did not contain a valid X509Certificate, consult the Identity Provider. | |
106 | IDP metadata missing required certificate | The metadata did not contain a valid X509Certificate, consult the Identity Provider. | |
107 | IDP missing SingleSignOnService for expected binding | The library requires that the IDP has one, and only one, SingleSignOnService with type “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”. Either remove duplicated SingleSignOnService manually, or consult the Identity Provider. | Used in java |
108 | IDP had multiple SingleSignOnServices for expected binding | The library requires that the IDP has one, and only one, SingleSignOnService with type “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”. Either remove duplicated SingleSignOnService manually, or consult the Identity Provider. | Used in java |
109 | IDP missing required protocol for SingleSignOnService | HTTPS is required. This is currently not configurable. | Used in java |
110 | IDP metadata is missing SSO descriptor | ||
111 | IDP metadata had multiple SSO descriptors | ||
112 | IDP metadata is missing EntityID | ||
113 | Failed to read PS metadata | Verify correct access to read the file. | Used in java |
114 | SP metadata file not found | ||
115 | SP metadata file not valid xml | The wrong file was specified, or the file has been altered so that it is no longer valid XML. | |
116 | SP metadata has an invalid AssertionConsumerService location | ||
117 | SP missing required protocol for AssertionConsumerService | ||
118 | SP missing AssertionConsumerService for expected binding | ||
119 | SP had multiple AssertionConsumerService for expected binding | ||
120 | SP metadata is missing EntityID | ||
121 | SP metadata is missing SSO descriptor | Verify that the metadata files have not been switched. | |
122 | SP metadata had multiple SSO descriptors | Either remove the duplicated SSODescriptorType manually, or consult the Identity Provider. | |
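The constraints behind codes 103 to 112, worked through on a constructed IDP metadata document. This is an added example and not Nexus GO library code: the entity ID, the URLs and the placeholder certificate value are assumptions, and the certificate is only checked for being well-formed base64, since parsing the X.509 structure itself needs a crypto library.

```python
"""IDP metadata checks, keyed to initialization codes 103-112.
Added example, not Nexus GO code. The metadata, entity ID, URLs and the
placeholder certificate value are constructed test data."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CERT_PATH = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

class SamlInitError(Exception):
    """Carries the table's numeric code so callers can map it to a solution."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code

def load_idp_metadata(xml_text):
    """Enforce the metadata constraints the table describes; return SP settings."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        raise SamlInitError(103, "IDP metadata file not valid xml")
    entity_id = root.get("entityID")
    if not entity_id:
        raise SamlInitError(112, "IDP metadata is missing EntityID")
    descriptors = root.findall("md:IDPSSODescriptor", NS)
    if not descriptors:
        raise SamlInitError(110, "IDP metadata is missing SSO descriptor")
    if len(descriptors) > 1:
        raise SamlInitError(111, "IDP metadata had multiple SSO descriptors")
    idp = descriptors[0]
    # Certificates: strip PEM line breaks and require well-formed base64.
    # Full X.509 parsing needs a crypto library and is out of scope here.
    certs = []
    for cert in idp.findall(CERT_PATH, NS):
        value = "".join((cert.text or "").split())
        if not value:
            continue
        try:
            base64.b64decode(value, validate=True)
        except ValueError:
            raise SamlInitError(105, "IDP metadata has invalid certificate")
        certs.append(value)
    if not certs:
        raise SamlInitError(106, "IDP metadata missing required certificate")
    # Exactly one SingleSignOnService with the HTTP-Redirect binding, over https.
    sso = [s for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT_BINDING]
    if not sso:
        raise SamlInitError(107, "IDP missing SingleSignOnService for expected binding")
    if len(sso) > 1:
        raise SamlInitError(108, "IDP had multiple SingleSignOnServices for expected binding")
    location = sso[0].get("Location") or ""
    url = urlparse(location)
    if not url.scheme or not url.netloc:
        raise SamlInitError(104, "IDP metadata has an invalid SingleSignOnServices location")
    if url.scheme != "https":
        raise SamlInitError(109, "IDP missing required protocol for SingleSignOnService")
    return {"entity_id": entity_id, "sso_url": location, "certificates": certs}

# Constructed metadata; the X509Certificate value is a base64 placeholder, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QUJDREVGR0g=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def code_for(xml_text):
    """Return the loaded entityID, or the error code the metadata triggers."""
    try:
        return load_idp_metadata(xml_text)["entity_id"]
    except SamlInitError as err:
        return err.code

def demo():
    """Run the constructed metadata and one-change-at-a-time broken variants."""
    m, post = SAMPLE_METADATA, 'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
    return {
        "valid": code_for(m),
        "not_xml": code_for("<md:EntityDescriptor"),
        "no_entity_id": code_for(m.replace('entityID="https://idp.example.test/metadata"', 'entityID=""')),
        "two_descriptors": code_for(m.replace("</md:EntityDescriptor>", "<md:IDPSSODescriptor/></md:EntityDescriptor>")),
        "bad_cert": code_for(m.replace("QUJDREVGR0g=", "not base64!!")),
        "no_cert": code_for(m.replace("QUJDREVGR0g=", "")),
        "no_redirect_sso": code_for(m.replace(REDIRECT_BINDING, REDIRECT_BINDING + "-unknown")),
        "two_redirect_sso": code_for(m.replace(post, f'Binding="{REDIRECT_BINDING}"')),
        "http_sso": code_for(m.replace("https://idp.example.test/sso", "http://idp.example.test/sso", 1)),
    }
```

The HTTP-POST endpoint in the sample is there on purpose: the binding filter must ignore it, which is why only one HTTP-Redirect service is accepted while other bindings may coexist.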
Validation errors and solutions
These errors are thrown when calling:
public static Result validateSamlResponse(...)
Code | Message | Proposed Solution | Note |
---|---|---|---|
200 | SAML Response not valid XML | ||
201 | Destination URL did not match URL request was received on | The library tries to match the Destination attribute of the SAML Response against the HTTP-Redirect URL location in the SP metadata. If this fails, the metadata may be out of sync. | |
202 | Invalid state, should be acting Service Provider | | Used in java |
203 | Unable to resolve Identity Provider by EntityID | | Used in java |
204 | Identity Provider is disabled | | Used in java |
205 | Response did not contain any assertion and no encrypted assertions | ||
206 | Service Provider is missing required settings | | Used in java |
207 | Failed to decrypt encrypted assertion(s), no key-pair | The current version of the library does not support decrypting encrypted assertions. Consult the Identity Provider. | Used in java |
208 | Identity Provider is missing public-key, failed to verify signature | | Used in java |
209 | Unable to verify signature for SAML assertion | | Used in java |
210 | Error when verifying signature | The signature was invalid, or signature verification could not be performed. | Used in java |
211 | Signature verification failed | The signature did not verify. The response may have been tampered with, or the IDP metadata is outdated and contains an old public key. Consult the Identity Provider. | |
212 | Response did not contain a valid Issuer | The issuer in the response did not match the EntityID in the IDP metadata. | |
213 | Response Issuer did not contain a valid NameID | | Used in java |
214 | Response did not contain a valid Subject | ||
215 | Response Subject did not contain a valid NameID | | Used in java |
216 | Response Subject did not contain a contain NameID value | ||
217 | Response did not contain a valid AuthnStatement | ||
218 | Assertion did not contain expected Service Provider as audience | ||
219 | Assertion did not contain a valid NameID | | Used in java |
220 | Attempting user attribute mapping without any attribute specified | | Used in java |
221 | Did not find user | | Used in java |
222 | Assertion subject is expired | The response is expired or not yet valid. Verify that the SP and IDP system clocks are in sync. It is recommended to use a trusted NTP server to avoid timing issues. | |
223 | Assertion subject not yet valid | The response is expired or not yet valid. Verify that the SP and IDP system clocks are in sync. It is recommended to use a trusted NTP server to avoid timing issues. | |
224 | Assertion is expired | The response is expired or not yet valid. Verify that the SP and IDP system clocks are in sync. It is recommended to use a trusted NTP server to avoid timing issues. | |
225 | Assertion not yet valid | The response is expired or not yet valid. Verify that the SP and IDP system clocks are in sync. It is recommended to use a trusted NTP server to avoid timing issues. | |
226 | Assertion did not contain Conditions | ||
227 | Assertion did not contain Status | ||
228 | Status did not contain StatusCode | ||
229 | StatusCode did not contain Value | ||
230 | Assertion status was not success | ||
231 | InResponseTo mismatch | ||
232 | Multiple assertions in response | | Used in .NET, PHP |
233 | Request method not POST | | Used in PHP |
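The structural checks behind the validation codes above (destination, InResponseTo, issuer, status, audience and the time conditions), run over a constructed SAML Response. This is an added example and not Nexus GO library code: the response XML, the SP and IDP entity IDs, the URLs, the request ID and the timestamps are assumptions. Signature verification (codes 208 to 211) is not implemented, since it requires an XML-DSig library; in a real SP it runs before any of the checks below are trusted.

```python
"""Structural checks on a SAML Response, keyed to validation codes 200-232.
Added example, not Nexus GO code. Response XML, entity IDs, URLs and timestamps are
constructed test data. Signature verification (codes 208-211) needs an XML-DSig
library and is deliberately left out."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed SP-side settings, the values the library would take from its metadata.
SP = {"acs_url": "https://sp.example.test/saml/acs",
      "entity_id": "https://sp.example.test/metadata",
      "idp_entity_id": "https://idp.example.test/metadata"}

class SamlValidationError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code

def _ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_saml_response(xml_text, received_on, in_response_to, now, skew=timedelta(seconds=60)):
    """Return the asserted NameID, or raise SamlValidationError with the table's code."""
    fail = SamlValidationError
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        raise fail(200, "SAML Response not valid XML")
    if root.get("Destination") != received_on:
        raise fail(201, "Destination URL did not match URL request was received on")
    if root.get("InResponseTo") != in_response_to:
        raise fail(231, "InResponseTo mismatch")
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != SP["idp_entity_id"]:
        raise fail(212, "Response did not contain a valid Issuer")
    status_code = root.find("samlp:Status/samlp:StatusCode", NS)  # Status lives on the Response
    if status_code is None:
        raise fail(227, "Response did not contain Status/StatusCode")
    if status_code.get("Value") != SUCCESS:
        raise fail(230, "Assertion status was not success")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        raise fail(205, "Response did not contain any assertion and no encrypted assertions")
    if len(assertions) > 1:
        raise fail(232, "Multiple assertions in response")
    assertion = assertions[0]
    subject = assertion.find("saml:Subject", NS)
    if subject is None:
        raise fail(214, "Response did not contain a valid Subject")
    name_id = subject.findtext("saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise fail(216, "Response Subject did not contain a NameID value")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise fail(226, "Assertion did not contain Conditions")
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if SP["entity_id"] not in audiences:
        raise fail(218, "Assertion did not contain expected Service Provider as audience")
    # Clock-skew tolerance is the code-side counterpart of the NTP advice for codes 222-225.
    not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now + skew < _ts(not_before):
        raise fail(225, "Assertion not yet valid")
    if not_after and now - skew >= _ts(not_after):
        raise fail(224, "Assertion is expired")
    return name_id

# Constructed, unsigned response that satisfies every check above at 2024-01-01T12:00:30Z.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    InResponseTo="_req1" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def code_for(xml_text, now):
    """Return the NameID on success, or the error code the response triggers."""
    try:
        return validate_saml_response(xml_text, SP["acs_url"], "_req1", now)
    except SamlValidationError as err:
        return err.code

def demo():
    """Run the constructed response and one-change-at-a-time broken variants."""
    now, r = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc), SAMPLE_RESPONSE
    return {
        "valid": code_for(r, now),
        "not_xml": code_for("<samlp:Response", now),
        "wrong_destination": code_for(r.replace("saml/acs", "saml/other"), now),
        "wrong_request_id": code_for(r.replace('InResponseTo="_req1"', 'InResponseTo="_req2"'), now),
        "failed_status": code_for(r.replace("status:Success", "status:Requester"), now),
        "wrong_audience": code_for(r.replace("sp.example.test/metadata", "other-sp.example.test"), now),
        "expired": code_for(r, now + timedelta(hours=1)),
        "not_yet_valid": code_for(r, now - timedelta(hours=1)),
    }
```

Each variant in `demo()` changes one attribute of the constructed response so that exactly one check fails, which is also how a test suite for such a validator is usefully organised: one fixture per error code, so a regression in one check cannot hide behind an earlier one.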