Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


Skip to end of metadata
Go to start of metadata

Nexus GO authentication libraries are based on SAML and used to verify the Nexus GO authentication. To implement Nexus GO Authentication on your website, you need to use these libraries. 

The authentication libraries are available for Java, .NET and PHP and require the following platform versions:

PlatformVersionLibrary for download
Java1.8 or higher
.NET4.5 or higher
.NET Standard2.0saml-validation-.net-2.0.0.zip
PHP5.6 or highersaml-validation-php-1.1.0.zip

Sequence diagram

This diagram describes the traffic that takes place when a user logs in to the web application: 

Sequence diagram


  1. The user visits the web application.
  2. The user logs in with the requested method. Nexus GO sends an authentication response.
  3. The user is redirected to the Validation URL, as specified in the environment.
  4. The authentication response is validated.
  5. The user is either logged in or denied. 

Initiation errors and solutions

These errors are thrown when calling:

public static LibrarySamlEngine initialize(...)


Code

Message

Proposed Solution

Note

100

Invalid configurationPath argument

Verify that the specified folder exists.


101

IDP metadata file not found



102

Failed to read IDP metadata

Verify correct access to read the file.

Used in java

103

IDP metadata file not valid xml

Wrong file or file may have been altered causing the XML format to become invalid.


104

IDP metadata has an invalid SingleSignOnServices location


Used in java

105

IDP metadata has invalid certificate

The metadata did not contain a valid X509Certificate, consult the Identity Provider.


106

IDP metadata missing required certificate

The metadata did not contain a valid X509Certificate, consult the Identity Provider.


107

IDP missing SingleSignOnService for expected binding

The library requires that the IDP has one, and only one, SingleSignOnService with type “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”.

Either remove duplicated SingleSignOnService manually, or consult the Identity Provider.

Used in java

108

IDP had multiple SingleSignOnServices for expected binding

The library requires that the IDP has one, and only one, SingleSignOnService with type “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”.

Either remove duplicated SingleSignOnService manually, or consult the Identity Provider.

Used in java

109

IDP missing required protocol for SingleSignOnService

HTTPS is required. This is currently not configurable.

Used in java

110

IDP metadata is missing SSO descriptor



111

IDP metadata had multiple SSO descriptors



112

IDP metadata is missing EntityID



113

Failed to read PS metadata

Verify correct access to read the file.

Used in java

114

SP metadata file not found



115

SP metadata file not valid xml

Wrong file or file may have been altered causing the XML format to become invalid.


116

SP metadata has an invalid AssertionConsumerService location



117

SP missing required protocol for AssertionConsumerService



118

SP missing AssertionConsumerService for expected binding



119

SP had multiple AssertionConsumerService for expected binding



120

SP metadata is missing EntityID



121

SP metadata is missing SSO descriptor

Verify that the metadata files has not been switched.


122

SP metadata had multiple SSO descriptors

Either remove duplicated SSODescriptorType manually, or consult the Identity Provider.



Validation errors and solutions

These errors are thrown when calling:

public static Result validateSamlResponse(...)


Code

Message

Proposed Solution

Note

200

SAML Response not valid XML



201

Destination URL did not match URL request was received on

The library tried to match URL in SAML Response Destination with SP metadata HTTP-Redirect URL location. If this fails, the metadata may be out-of-synch.


202

Invalid state, should be acting Service Provider


Used in java

203

Unable to resolve Identity Provider by EntityID


Used in java

204

Identity Provider is disabled


Used in java

205

Response did not contain any assertion and no encrypted assertions



206

Service Provider is missing required settings


Used in java

207

Failed to decrypt encrypted assertion(s), no key-pair

The current version of the library does not support decrypting encrypted assertions. Consult the Identity Provider.

Used in java

208

Identity Provider is missing public-key, failed to verify signature


Used in java

209

Unable to verify signature for SAML assertion


Used in java

210

Error when verifying signature

The signature was invalid. Signature verification could not be performed.

Used in java

211

Signature verification failed

The verification of the signature failed. The response may be tampered, or the IDP metadata is outdated and contains old public key. Consult the Identity Provider.


212

Response did not contain a valid Issuer

The issuer in the response did not match the EntityID in the IDP metadata.


213

Response Issuer did not contain a valid NameID


Used in java

214

Response did not contain a valid Subject



215

Response Subject did not contain a valid NameID


Used in java

216

Response Subject did not contain a contain NameID value



217

Response did not contain a valid AuthnStatement



218

Assertion did not contain expected Service Provider as audience



219

Assertion did not contain a valid NameID


Used in java

220

Attempting user attribute mapping without any attribute specified


Used in java

221

Did not find user


Used in java

222

Assertion subject is expired

The response is expired or not yet valid. Verify that SP and IDP system clock are in synch. It is recommended to use a trusted NTP server to avoid timing issues.


223

Assertion subject not yet valid

The response is expired or not yet valid. Verify that SP and IDP system clock are in synch. It is recommended to use a trusted NTP server to avoid timing issues.


224

Assertion is expired

The response is expired or not yet valid. Verify that SP and IDP system clock are in synch. It is recommended to use a trusted NTP server to avoid timing issues.


225

Assertion not yet valid

The response is expired or not yet valid. Verify that SP and IDP system clock are in synch. It is recommended to use a trusted NTP server to avoid timing issues.


226

Assertion did not contain Conditions



227

Assertion did not contain Status



228

Status did not contain StatusCode



229

StatusCode did not contain Value



230

Assertion status was not success



231

InResponseTo mismatch



232Multiple assertions in response
Used in .NET, PHP
233Request method not POST
Used in PHP