
The Nexus GO authentication libraries are based on SAML and are used to verify the Nexus GO authentication. To implement Nexus GO Authentication on your website, you need to use these libraries or other comparable libraries.

The authentication libraries are available for Java, .NET and PHP and require the following platform versions:

| Platform | Version | Library for download |
|---|---|---|
| Java | 1.8 or higher | |
| .NET | 4.5 or higher | |
| .NET Standard | 2.0 | saml-validation-.net-2.0.0.zip |
| PHP | 5.6 or higher | saml-validation-php-1.1.0.zip |

Sequence diagram

This diagram describes the traffic that takes place when a user logs in to the web application: 



  1. The user visits the web application.
  2. The user logs in with the requested method. Nexus GO sends an authentication response.
  3. The user is redirected to the Validation URL, as specified in the environment.
  4. The authentication response is validated.
  5. The user is either logged in or denied. 

Initiation errors and solutions

These errors are thrown when calling:

public static LibrarySamlEngine initialize(...)

 

| Code | Message | Proposed Solution | Note |
|---|---|---|---|
| 100 | Invalid configurationPath argument | Verify that the specified folder exists. | |
| 101 | IDP metadata file not found | | |
| 102 | Failed to read IDP metadata | Verify correct access to read the file. | Used in Java |
| 103 | IDP metadata file not valid xml | Wrong file, or the file may have been altered, causing the XML format to become invalid. | |
| 104 | IDP metadata has an invalid SingleSignOnServices location | | Used in Java |
| 105 | IDP metadata has invalid certificate | The metadata did not contain a valid X509Certificate. Consult the Identity Provider. | |
| 106 | IDP metadata missing required certificate | The metadata did not contain a valid X509Certificate. Consult the Identity Provider. | |
| 107 | IDP missing SingleSignOnService for expected binding | The library requires that the IDP has one, and only one, SingleSignOnService with type “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”. Either remove the duplicated SingleSignOnService manually, or consult the Identity Provider. | Used in Java |
| 108 | IDP had multiple SingleSignOnServices for expected binding | The library requires that the IDP has one, and only one, SingleSignOnService with type “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”. Either remove the duplicated SingleSignOnService manually, or consult the Identity Provider. | Used in Java |
| 109 | IDP missing required protocol for SingleSignOnService | HTTPS is required. This is currently not configurable. | Used in Java |
| 110 | IDP metadata is missing SSO descriptor | | |
| 111 | IDP metadata had multiple SSO descriptors | | |
| 112 | IDP metadata is missing EntityID | | |
| 113 | Failed to read PS metadata | Verify correct access to read the file. | Used in Java |
| 114 | SP metadata file not found | | |
| 115 | SP metadata file not valid xml | Wrong file, or the file may have been altered, causing the XML format to become invalid. | |
| 116 | SP metadata has an invalid AssertionConsumerService location | | |
| 117 | SP missing required protocol for AssertionConsumerService | | |
| 118 | SP missing AssertionConsumerService for expected binding | | |
| 119 | SP had multiple AssertionConsumerService for expected binding | | |
| 120 | SP metadata is missing EntityID | | |
| 121 | SP metadata is missing SSO descriptor | Verify that the metadata files have not been switched. | |
| 122 | SP metadata had multiple SSO descriptors | Either remove the duplicated SSODescriptorType manually, or consult the Identity Provider. | |
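
The IDP metadata conditions behind codes 103 and 106 to 112 can be checked ahead of deployment with a short script. The following Python sketch is an added example, not the Nexus library's code; the function names, the order of the checks and the constructed sample metadata (with a placeholder certificate body) are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_idp_metadata(xml_text):
    """First failing code from the initiation table, or 0. Check order is an assumption."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return 103
    if not root.get("entityID"):
        return 112
    descriptors = root.findall(f"{{{MD}}}IDPSSODescriptor")
    if len(descriptors) != 1:
        return 111 if descriptors else 110
    # Only presence of a certificate is checked here, not its validity (code 105)
    cert = descriptors[0].find(f".//{{{DS}}}X509Certificate")
    if cert is None or not (cert.text or "").strip():
        return 106
    # Exactly one HTTP-Redirect SingleSignOnService is expected, served over HTTPS
    sso = [s for s in descriptors[0].findall(f"{{{MD}}}SingleSignOnService")
           if s.get("Binding") == REDIRECT]
    if len(sso) != 1:
        return 108 if sso else 107
    if urlparse(sso[0].get("Location", "")).scheme != "https":
        return 109
    return 0

def sample_metadata(locations):
    # Constructed IdP metadata for illustration; PLACEHOLDER is not a real certificate
    sso = "".join(f'<SingleSignOnService Binding="{REDIRECT}" Location="{u}"/>'
                  for u in locations)
    return (f'<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.test">'
            f'<IDPSSODescriptor><KeyDescriptor><KeyInfo xmlns="{DS}"><X509Data>'
            f'<X509Certificate>PLACEHOLDER</X509Certificate></X509Data></KeyInfo>'
            f'</KeyDescriptor>{sso}</IDPSSODescriptor></EntityDescriptor>')
```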



Validation errors and solutions

These errors are thrown when calling:

public static Result validateSamlResponse(...)

 

| Code | Message | Proposed Solution | Note |
|---|---|---|---|
| 200 | SAML Response not valid XML | | |
| 201 | Destination URL did not match URL request was received on | The library tried to match the URL in the SAML Response Destination with the SP metadata HTTP-Redirect URL location. If this fails, the metadata may be out of sync. | |
| 202 | Invalid state, should be acting Service Provider | | Used in Java |
| 203 | Unable to resolve Identity Provider by EntityID | | Used in Java |
| 204 | Identity Provider is disabled | | Used in Java |
| 205 | Response did not contain any assertion and no encrypted assertions | | |
| 206 | Service Provider is missing required settings | | Used in Java |
| 207 | Failed to decrypt encrypted assertion(s), no key-pair | The current version of the library does not support decrypting encrypted assertions. Consult the Identity Provider. | Used in Java |
| 208 | Identity Provider is missing public-key, failed to verify signature | | Used in Java |
| 209 | Unable to verify signature for SAML assertion | | Used in Java |
| 210 | Error when verifying signature | The signature was invalid. Signature verification could not be performed. | Used in Java |
| 211 | Signature verification failed | The verification of the signature failed. The response may have been tampered with, or the IDP metadata is outdated and contains an old public key. Consult the Identity Provider. | |
| 212 | Response did not contain a valid Issuer | The issuer in the response did not match the EntityID in the IDP metadata. | |
| 213 | Response Issuer did not contain a valid NameID | | Used in Java |
| 214 | Response did not contain a valid Subject | | |
| 215 | Response Subject did not contain a valid NameID | | Used in Java |
| 216 | Response Subject did not contain a contain NameID value | | |
| 217 | Response did not contain a valid AuthnStatement | | |
| 218 | Assertion did not contain expected Service Provider as audience | | |
| 219 | Assertion did not contain a valid NameID | | Used in Java |
| 220 | Attempting user attribute mapping without any attribute specified | | Used in Java |
| 221 | Did not find user | | Used in Java |
| 222 | Assertion subject is expired | The response is expired or not yet valid. Verify that the SP and IDP system clocks are in sync. It is recommended to use a trusted NTP server to avoid timing issues. | |
| 223 | Assertion subject not yet valid | The response is expired or not yet valid. Verify that the SP and IDP system clocks are in sync. It is recommended to use a trusted NTP server to avoid timing issues. | |
| 224 | Assertion is expired | The response is expired or not yet valid. Verify that the SP and IDP system clocks are in sync. It is recommended to use a trusted NTP server to avoid timing issues. | |
| 225 | Assertion not yet valid | The response is expired or not yet valid. Verify that the SP and IDP system clocks are in sync. It is recommended to use a trusted NTP server to avoid timing issues. | |
| 226 | Assertion did not contain Conditions | | |
| 227 | Assertion did not contain Status | | |
| 228 | Status did not contain StatusCode | | |
| 229 | StatusCode did not contain Value | | |
| 230 | Assertion status was not success | | |
| 231 | InResponseTo mismatch | | |
| 232 | Multiple assertions in response | | Used in .NET, PHP |
| 233 | Request method not POST | | Used in PHP |
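
To make step 4 of the sequence concrete, the following Python sketch applies the checks behind codes 200, 201, 205, 212, 218, 224 to 226, 228 and 230 to 232 to a constructed, unsigned response. It is an added example, not the Nexus library's code: the function names, check order and sample values are assumptions, and signature verification (codes 208 to 211) is left to a real SAML library and must pass before any of these fields are trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def ts(value):  # SAML instants are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, acs_url, idp_id, sp_id, request_id, now):
    """First failing code from the validation table, or 0. Check order is an assumption.
    Signature verification (208-211) is out of scope and must already have passed."""
    try:
        resp = ET.fromstring(xml_text)
    except ET.ParseError:
        return 200
    if resp.get("Destination") != acs_url:
        return 201
    if resp.get("InResponseTo") != request_id:  # request_id comes from the SP's own session
        return 231
    if (resp.findtext(f"{{{A}}}Issuer") or "").strip() != idp_id:
        return 212
    code = resp.find(f"{{{P}}}Status/{{{P}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return 228 if code is None else 230
    assertions = resp.findall(f"{{{A}}}Assertion")
    if len(assertions) != 1:
        return 232 if assertions else 205
    cond = assertions[0].find(f"{{{A}}}Conditions")
    if cond is None:
        return 226
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < ts(nb):
        return 225
    if noa and now >= ts(noa):
        return 224
    if sp_id not in [e.text for e in cond.iter(f"{{{A}}}Audience")]:
        return 218
    return 0

def sample_response(dest="https://sp.example.test/acs", irt="_req1", aud="https://sp.example.test", n=1):
    # Constructed, unsigned response for illustration only
    a = (f'<a:Assertion><a:Conditions NotBefore="2024-01-01T12:00:00Z" '
         f'NotOnOrAfter="2024-01-01T12:05:00Z"><a:AudienceRestriction>'
         f'<a:Audience>{aud}</a:Audience></a:AudienceRestriction></a:Conditions></a:Assertion>')
    return (f'<p:Response xmlns:p="{P}" xmlns:a="{A}" Destination="{dest}" InResponseTo="{irt}">'
            f'<a:Issuer>https://idp.example.test</a:Issuer><p:Status>'
            f'<p:StatusCode Value="{SUCCESS}"/></p:Status>{a * n}</p:Response>')
```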