Article - CS334554

"Response doesn't have any valid assertion which would pass subject validation" appears in SecurityLog.log when SSO is enabled in ThingWorx Platform/ThingWorx Navigate

Modified: 20-Sep-2021   


Applies To

  • ThingWorx Platform 8.3 to 9.5
  • Windchill Navigate (formerly ThingWorx Navigate) 1.8.0 to 9.2
  • PingFederate

Description

  • Cannot log in to ThingWorx Platform with PingFederate enabled after updating the Signing Certificates
  • Changed Certificates and can no longer log in to PingFed
  • Assertion Encryption is not working correctly as ThingWorx cannot decrypt the assertion
  • Enabled Encryption Policy under IDP Configuration > SP Connection and now users cannot log in to ThingWorx
  • After logging in through Single Sign-On (SSO) for ThingWorx, the web browser shows the following:
    • The system is currently encountering an authentication configuration error.
      Close the browser and try to login again. If the problem persists, contact your system administrator.
  • <ThingworxStorage>\logs\SecurityLog.log shows the following error:
    • [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8080-exec-9] [ Error validating SAML message ][ Response doesn't have any valid assertion which would pass subject validation ]
      [L: WARN] [O: S.c.t.s.ApplicationContext] [I: ] [U: ] [S: ] [T: http-nio-8080-exec-9] ApplicationContext.sessionDestroyed(HttpSessionEvent) failed. [ java.lang.NullPointerException: userName was null ][ userName was null ]
      [L: INFO] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: http-nio-8080-exec-9] Authenticator did not provide a username to validate against the Thingworx known users. Authenticator = ThingworxSSOAuthenticator
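
A triage sketch for the log signature above, added here as an example and not PTC's code: it parses the bracketed fields of the quoted SecurityLog.log lines and ties the SAML assertion error to the follow-up entries on the same thread. The function names, the 20-record window and the fourth sample line are assumptions.

```python
import re

# Field layout as it appears in the SecurityLog.log lines quoted in this article.
# search() is used so any prefix before "[L:" (for example a timestamp) is tolerated.
LINE_RE = re.compile(
    r"\[L: (?P<level>\w+)\] \[O: (?P<origin>[^\]]*)\] \[I: (?P<i>[^\]]*)\] "
    r"\[U: (?P<u>[^\]]*)\] \[S: (?P<s>[^\]]*)\] \[T: (?P<thread>[^\]]*)\] ?(?P<msg>.*)"
)
ASSERTION_ERR = "Response doesn't have any valid assertion which would pass subject validation"
NO_USERNAME = "Authenticator did not provide a username"
NULL_USER = "userName was null"

def parse_line(line):
    """Return the bracketed fields of one log line as a dict, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def find_sso_assertion_failures(lines, window=20):
    """Flag each SAML assertion error and what followed it on the same thread.

    Tomcat worker threads are reused, so follow-ups are only searched in the
    next `window` parsed records (an assumed bound, tune for busy servers).
    """
    records = [r for r in map(parse_line, lines) if r]
    findings = []
    for idx, rec in enumerate(records):
        if rec["level"] != "ERROR" or ASSERTION_ERR not in rec["msg"]:
            continue
        same_thread = [r for r in records[idx + 1: idx + 1 + window]
                       if r["thread"] == rec["thread"]]
        findings.append({
            "thread": rec["thread"],
            "origin": rec["origin"],
            "login_rejected": any(NO_USERNAME in r["msg"] for r in same_thread),
            "session_cleanup_npe": any(NULL_USER in r["msg"] for r in same_thread),
        })
    return findings

# First three lines are the ones quoted in the article; the fourth is constructed.
SAMPLE = [
    "[L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8080-exec-9] [ Error validating SAML message ][ Response doesn't have any valid assertion which would pass subject validation ]",
    "[L: WARN] [O: S.c.t.s.ApplicationContext] [I: ] [U: ] [S: ] [T: http-nio-8080-exec-9] ApplicationContext.sessionDestroyed(HttpSessionEvent) failed. [ java.lang.NullPointerException: userName was null ][ userName was null ]",
    "[L: INFO] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: http-nio-8080-exec-9] Authenticator did not provide a username to validate against the Thingworx known users. Authenticator = ThingworxSSOAuthenticator",
    "[L: INFO] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: http-nio-8080-exec-3] constructed unrelated entry",
]

if __name__ == "__main__":
    for finding in find_sso_assertion_failures(SAMPLE):
        print(finding)
```

A finding with `login_rejected` set shows that the assertion was rejected before any username reached the ThingworxSSOAuthenticator, which matches the certificate and encryption-policy changes listed in the description.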