- Created by Karolin Hemmingsson, last modified by Ann Base on Dec 18, 2020
Nexus GO authentication libraries are based on SAML and used to verify the Nexus GO authentication. To implement Nexus GO Authentication on your website, you need to use these libraries.
The authentication libraries are available for Java, .NET and PHP and require the following platform versions:
| Platform | Version | Library for download |
|---|---|---|
| Java | 1.8 or higher | |
| .NET | 4.5 or higher | |
| .NET Standard | 2.0 | saml-validation-.net-2.0.0.zip |
| PHP | 5.6 or higher | saml-validation-php-1.1.0.zip |
Sequence diagram
This diagram describes the traffic that takes place when a user logs in to the web application:
- The user visits the web application.
- The user logs in with the requested method. Nexus GO sends an authentication response.
- The user is redirected to the Validation URL, as specified in the environment.
- The authentication response is validated.
- The user is either logged in or denied.
Initiation errors and solutions
These errors are thrown when calling:
public static LibrarySamlEngine initialize(...)
Code | Message | Proposed Solution | Note |
|---|---|---|---|
100 | Invalid configurationPath argument | Verify that the specified folder exists. | |
101 | IDP metadata file not found | ||
102 | Failed to read IDP metadata | Verify correct access to read the file. | Used in java |
103 | IDP metadata file not valid xml | Wrong file or file may have been altered causing the XML format to become invalid. | |
104 | IDP metadata has an invalid SingleSignOnServices location | Used in java | |
105 | IDP metadata has invalid certificate | The metadata did not contain a valid X509Certificate, consult the Identity Provider. | |
106 | IDP metadata missing required certificate | The metadata did not contain a valid X509Certificate, consult the Identity Provider. | |
107 | IDP missing SingleSignOnService for expected binding | The library requires that the IDP has one, and only one, SingleSignOnService with type “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”. Either remove duplicated SingleSignOnService manually, or consult the Identity Provider. | Used in java |
108 | IDP had multiple SingleSignOnServices for expected binding | The library requires that the IDP has one, and only one, SingleSignOnService with type “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”. Either remove duplicated SingleSignOnService manually, or consult the Identity Provider. | Used in java |
109 | IDP missing required protocol for SingleSignOnService | HTTPS is required. This is currently not configurable. | Used in java |
110 | IDP metadata is missing SSO descriptor | ||
111 | IDP metadata had multiple SSO descriptors | ||
112 | IDP metadata is missing EntityID | ||
113 | Failed to read PS metadata | Verify correct access to read the file. | Used in java |
114 | SP metadata file not found | ||
115 | SP metadata file not valid xml | Wrong file or file may have been altered causing the XML format to become invalid. | |
116 | SP metadata has an invalid AssertionConsumerService location | ||
117 | SP missing required protocol for AssertionConsumerService | ||
118 | SP missing AssertionConsumerService for expected binding | ||
119 | SP had multiple AssertionConsumerService for expected binding | ||
120 | SP metadata is missing EntityID | ||
121 | SP metadata is missing SSO descriptor | Verify that the metadata files has not been switched. | |
122 | SP metadata had multiple SSO descriptors | Either remove duplicated SSODescriptorType manually, or consult the Identity Provider. |
Validation errors and solutions
These errors are thrown when calling:
public static Result validateSamlResponse(...)
Code | Message | Proposed Solution | Note |
|---|---|---|---|
200 | SAML Response not valid XML | ||
201 | Destination URL did not match URL request was received on | The library tried to match URL in SAML Response Destination with SP metadata HTTP-Redirect URL location. If this fails, the metadata may be out-of-synch. | |
202 | Invalid state, should be acting Service Provider | Used in java | |
203 | Unable to resolve Identity Provider by EntityID | Used in java | |
204 | Identity Provider is disabled | Used in java | |
205 | Response did not contain any assertion and no encrypted assertions | ||
206 | Service Provider is missing required settings | Used in java | |
207 | Failed to decrypt encrypted assertion(s), no key-pair | The current version of the library does not support decrypting encrypted assertions. Consult the Identity Provider. | Used in java |
208 | Identity Provider is missing public-key, failed to verify signature | Used in java | |
209 | Unable to verify signature for SAML assertion | Used in java | |
210 | Error when verifying signature | The signature was invalid. Signature verification could not be performed. | Used in java |
211 | Signature verification failed | The verification of the signature failed. The response may be tampered, or the IDP metadata is outdated and contains old public key. Consult the Identity Provider. | |
212 | Response did not contain a valid Issuer | The issuer in the response did not match the EntityID in the IDP metadata. | |
213 | Response Issuer did not contain a valid NameID | Used in java | |
214 | Response did not contain a valid Subject | ||
215 | Response Subject did not contain a valid NameID | Used in java | |
216 | Response Subject did not contain a contain NameID value | ||
217 | Response did not contain a valid AuthnStatement | ||
218 | Assertion did not contain expected Service Provider as audience | ||
219 | Assertion did not contain a valid NameID | Used in java | |
220 | Attempting user attribute mapping without any attribute specified | Used in java | |
221 | Did not find user | Used in java | |
222 | Assertion subject is expired | The response is expired or not yet valid. Verify that SP and IDP system clock are in synch. It is recommended to use a trusted NTP server to avoid timing issues. | |
223 | Assertion subject not yet valid | The response is expired or not yet valid. Verify that SP and IDP system clock are in synch. It is recommended to use a trusted NTP server to avoid timing issues. | |
224 | Assertion is expired | The response is expired or not yet valid. Verify that SP and IDP system clock are in synch. It is recommended to use a trusted NTP server to avoid timing issues. | |
225 | Assertion not yet valid | The response is expired or not yet valid. Verify that SP and IDP system clock are in synch. It is recommended to use a trusted NTP server to avoid timing issues. | |
226 | Assertion did not contain Conditions | ||
227 | Assertion did not contain Status | ||
228 | Status did not contain StatusCode | ||
229 | StatusCode did not contain Value | ||
230 | Assertion status was not success | ||
231 | InResponseTo mismatch | ||
| 232 | Multiple assertions in response | Used in .NET, PHP | |
| 233 | Request method not POST | Used in PHP |