Article - CS377842

User is not getting authenticated on customer IDP after SSO configuration with PingFederate in Windchill

Modified: 08-Jan-2025

Applies To

  • FlexPLM 12.0.3.0
  • Windchill PDMLink 11.0 to 12.1

Description

  • User is not getting authenticated on the customer IDP after SSO configuration with PingFederate in Windchill.
  • The following errors are observed in server.log on PingFederate:
tid:f8e90yYVVeLzF2Wb7TGFDZHqp4E WARN  [org.sourceid.saml20.profiles.sp.HandleAuthnResponse] Invalid response: InMessageContext
XML: <saml2p:Response Destination=https://<PingFederate hostname>/sp/ACS.saml2 ID="_05b897d5498e3a44aa7db6891eafd0b818bb49" InResponseTo="QtVPqCJ2UJ8L1MpNoA9e.wKOj9Z" IssueInstant="2022-09-29T19:15:44Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<customer's IDP></saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_461d7e7a3bedf9b7db123b96d644f1abfda2ea" IssueInstant="2022-09-29T19:15:44Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://<customer's IDP></saml2:Issuer>
…..

SignatureStatus: NOT_PRESENT
Binding says to sign: true
-------------------------------------
(reference# NCRQYXQX) Missing or invalid signature (NOT_PRESENT) on assertion (ID=_461d7e7a3bedf9b7db123b96d644f1abfda2ea). All assertions must have valid signatures because the Response was not signed or the system is configured to require a signed assertion from https://<customer's IDP>.
InMessageContext
XML: <saml2p:Response Destination=https://<PingFederate hostname>/sp/ACS.saml2 ID="_05b897d5498e3a44aa7db6891eafd0b818bb49" InResponseTo="QtVPqCJ2UJ8L1MpNoA9e.wKOj9Z" IssueInstant="2022-09-29T19:15:44Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<customer's IDP></saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  • Stop PingFederate, clear all the log files and restart PingFederate. Log in as a user to reproduce the problem and collect the fresh log files. The following errors are then observed in server.log on PingFederate:

---------------------------------
    tid:A0ZYzWdkEKEJC-TrrDTSeq0TqaU ERROR [org.sourceid.saml20.profiles.sp.HandleAuthnResponse] Unable to verify the signature. Please make sure that verification certificates are properly configured and not expired.
    tid:A0ZYzWdkEKEJC-TrrDTSeq0TqaU WARN  [org.sourceid.saml20.profiles.sp.HandleAuthnResponse] Invalid response: InMessageContext
XML: <saml2p:Response Destination="https://<PingFederate hostname>/sp/ACS.saml2" ID="_784fa437e965fc315381bacb9d65c3360079dd" InResponseTo="HgYfySezK9D9cB4WhLrYAclcCY0" IssueInstant="2022-10-03T17:11:36Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<customer's IDP></saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

....
....
entityId: https://<customer's IDP> (IDP)
virtualServerId: <ServerId>
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
relayState: 7tChCnvNCyoED1hK4e8RSjLvtPdn3E
SignatureStatus: UNVERIFIED
Signature comments: [(IDP) ::: https://<customer's IDP>  has expired digital signature verification certificate 01:87:76:50:5E:58:AE:15:BB:8D:A5:BB:F3:74:E0:41. NotAfter: Tue Feb 23 12:00:00 GMT 2021]
Binding says to sign: true
-------------------------------------
(reference# WRDKXHWY) Unable to verify the signature. Please make sure that verification certificates are valid and properly configured
-------------------------------------
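Both excerpts are the SP (PingFederate) refusing an IDP response for a signature reason: in the first the Response is unsigned and its Assertion carries no signature at all (SignatureStatus NOT_PRESENT), in the second a signature is present but the verification certificate stored in the IDP connection has expired (SignatureStatus UNVERIFIED). The Python below is an added example, not part of this article and not PTC or Ping Identity code; it reproduces both decisions so the two cases can be told apart from a captured Response or a server.log excerpt. It checks only whether ds:Signature elements are present, not whether they verify; the sample XML uses placeholder hosts (sp.example, idp.example) and the sample log lines are constructed from the excerpt above, reusing its certificate serial and NotAfter date.

```python
# Added example (not PTC or Ping Identity code): triage helpers for the two
# SP-side SAML failures shown in the server.log excerpts above. The sample XML
# and log lines are constructed to mirror those excerpts.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_presence(response_xml):
    """Reproduce the SP's NOT_PRESENT decision on a SAML 2.0 Response.

    Presence only, not cryptographic validity: when signing is required and
    the Response element itself is unsigned, every Assertion must carry its
    own ds:Signature, otherwise the SP rejects it as in the first excerpt.
    """
    root = ET.fromstring(response_xml)
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = [
        {"id": a.get("ID"), "signed": a.find("ds:Signature", NS) is not None}
        for a in root.findall("saml2:Assertion", NS)
    ]
    acceptable = response_signed or (
        bool(assertions) and all(a["signed"] for a in assertions)
    )
    return {
        "response_signed": response_signed,
        "assertions": assertions,
        "acceptable_when_signing_required": acceptable,
    }


_STATUS = re.compile(r"^SignatureStatus:\s*(?P<status>[A-Z_]+)\s*$")
_EXPIRED = re.compile(
    r"has expired digital signature verification certificate "
    r"(?P<serial>[0-9A-Fa-f:]+)\. NotAfter: (?P<not_after>[^\]]+)\]"
)


def triage_server_log(lines, now=None):
    """Classify a PingFederate server.log excerpt by its SignatureStatus line.

    Returns the status, a one-line finding and the corrective action on the
    SP side, plus certificate details when the 'Signature comments' line
    reports an expired verification certificate.
    """
    now = now or datetime.now(timezone.utc)
    result = {"status": None, "finding": None, "action": None}
    for line in lines:
        m = _STATUS.match(line.strip())
        if m:
            result["status"] = m.group("status")
        m = _EXPIRED.search(line)
        if m:
            # Java Date.toString() layout, e.g. 'Tue Feb 23 12:00:00 GMT 2021'
            not_after = datetime.strptime(
                m.group("not_after").strip(), "%a %b %d %H:%M:%S %Z %Y"
            ).replace(tzinfo=timezone.utc)
            result["cert_serial"] = m.group("serial")
            result["cert_not_after"] = not_after
            result["days_expired"] = (now - not_after).days

    if result["status"] == "NOT_PRESENT":
        result["finding"] = ("IDP returned an unsigned Response whose Assertion "
                             "is also unsigned, but the SP requires a signature")
        result["action"] = ("Have the IDP sign the Assertion (or the whole "
                            "Response) rather than relaxing the SP requirement")
    elif result["status"] == "UNVERIFIED" and "cert_not_after" in result:
        result["finding"] = ("Signature present, but the SP's copy of the IDP "
                             "signing certificate expired on "
                             f"{result['cert_not_after']:%Y-%m-%d}")
        result["action"] = ("Import the IDP's current signing certificate as the "
                            "verification certificate of the IDP connection")
    elif result["status"] == "UNVERIFIED":
        result["finding"] = "Signature present but does not verify with the configured certificate"
        result["action"] = "Compare the configured verification certificate with the IDP metadata"
    return result


# Constructed sample mirroring the first excerpt: unsigned Response, unsigned Assertion.
UNSIGNED_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://sp.example/sp/ACS.saml2" ID="_resp1" Version="2.0"
    IssueInstant="2022-09-29T19:15:44Z">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0"
      IssueInstant="2022-09-29T19:15:44Z">
    <saml2:Issuer>https://idp.example</saml2:Issuer>
  </saml2:Assertion>
</saml2p:Response>"""

# Same Response with a placeholder ds:Signature element on the Assertion.
SIGNED_ASSERTION_RESPONSE = UNSIGNED_RESPONSE.replace(
    "<saml2:Issuer>https://idp.example</saml2:Issuer>",
    "<saml2:Issuer>https://idp.example</saml2:Issuer>"
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>',
)

# Constructed log lines mirroring the second excerpt (serial and NotAfter copied from it).
EXPIRED_CERT_LOG = [
    "tid:A0ZYzWdkEKEJC-TrrDTSeq0TqaU ERROR [org.sourceid.saml20.profiles.sp.HandleAuthnResponse] Unable to verify the signature.",
    "SignatureStatus: UNVERIFIED",
    "Signature comments: [(IDP) ::: https://idp.example  has expired digital signature verification certificate 01:87:76:50:5E:58:AE:15:BB:8D:A5:BB:F3:74:E0:41. NotAfter: Tue Feb 23 12:00:00 GMT 2021]",
    "Binding says to sign: true",
]
# IssueInstant of the second excerpt, used as the reference time for 'days expired'.
EXCERPT_TIME = datetime(2022, 10, 3, 17, 11, 36, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(signature_presence(UNSIGNED_RESPONSE))
    print(triage_server_log(["SignatureStatus: NOT_PRESENT", "Binding says to sign: true"]))
    print(triage_server_log(EXPIRED_CERT_LOG, now=EXCERPT_TIME))
```

Run it against a Response captured with a SAML tracer or against a fresh server.log after the stop/clear/restart cycle described above. The presence check is deliberately separate from verification: an unsigned Assertion is an IDP-side configuration gap, while UNVERIFIED with an expired certificate is fixed entirely in the SP's IDP connection, and the two are easy to confuse when only the top-level "Unable to verify the signature" line is read.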