Article - CS419861
Not able to login to SSO enabled ThingWorx, SecurityLog shows Message not found in session error
Modified: 10-Jun-2024
Applies To
- ThingWorx Platform 9.2
Description
- Unable to log in to ThingWorx with SSO enabled; an error is displayed in the browser
After SSO is enabled, the following error is shown when trying to access the application: "The system is currently encountering an authentication configuration error. Close the browser and try to login again. If the problem persists, contact your system administrator."
- AuthLog.log shows the following error when trying to log in using SSO:
[O: o.s.s.s.l.SAMLDefaultLogger] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-8443-exec-1] AuthNResponse;FAILURE;30.22.9.64;TWX_SP;GlobalShopFloorToolsDev5;09236890;;org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a5c51f32d30ja98316086g7ac4c4idd__ at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:139)__ at com.ptc.eauth.identity.saml2.PTCWebSSOProfileConsumerImpl.processAuthenticationResponse(PTCWebSSOProfileConsumerImpl.java:25)__ at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)__ at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)__ at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:92)__ at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)__ at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)__ at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:60)__ at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)__ at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)__ at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)__ at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)__ at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)__ at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)__ at 
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)__ at com.thingworx.security.authentication.sso.ThingworxSSOAuthenticator.authenticate(ThingworxSSOAuthenticator.java:849)__ at com.thingworx.security.authentication.sso.ThingworxSSOAuthenticator.validateAuthenticationRequest(ThingworxSSOAuthenticator.java:1382)__ at jdk.internal.reflect.GeneratedMethodAccessor80.invoke(Unknown Source)__ at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)__ at java.base/java.lang.reflect.Method.invoke(Method.java:566)__ at com.thingworx.security.authentication.AuthenticationUtilities.validateSSOAuthenticationRequest(AuthenticationUtilities.java:664)__ at com.thingworx.security.authentication.AuthenticationUtilities.validateAuthenticationRequest(AuthenticationUtilities.java:619)__ at com.thingworx.security.authentication.AuthenticationFilter.authenticate(AuthenticationFilter.java:477)__ at com.thingworx.security.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:248)__ at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)__ at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)__ at com.thingworx.security.contenttype.ContentTypeFilter.doFilter(ContentTypeFilter.java:138)__ at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)__ at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)__ at com.thingworx.security.filter.ValidationFilter.doFilter(ValidationFilter.java:22)__ at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)__ at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)__ at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)__ at 
org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)__ at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)__ at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389)__ at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)__ at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)__ at com.thingworx.security.filter.ClickjackFilter.doFilter(ClickjackFilter.java:208)__ at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)__ at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)__ at com.thingworx.security.filter.HttpResponseHeadersFilter.doFilter(HttpResponseHeadersFilter.java:172)__ at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)__ at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)__ at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)__ at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)__ at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)__ at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)__ at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)__ at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)__ at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)__ at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)__ at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)__ at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)__ at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)__ at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)__ at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)__ at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)__ at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)__ at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)__ at java.base/java.lang.Thread.run(Thread.java:829)__
- SecurityLog.log shows two different session IDs for one encoded message: the encoded message is stored in one session, but ThingWorx tries to find it in another session. Hence the error states that the response does not correspond to the sent message:
[O: o.s.s.s.s.HttpSessionStorage] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-8080-exec-2] Storing message a3g6af8d578c80181e90ib9j0062435 to session 8B11EBBC8018067E70F0939840DFBCED
[O: o.o.s.b.d.HTTPPostDecoder] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-8443-exec-23] Decoded SAML message:_<samlp:Response Version="2.0" ID="SQHPq3nlwX1hy2TvcFge9yCB9Et" IssueInstant="2024-05-28T12:56:43.374Z" InResponseTo="a3g6af8d578c80181e90ib9j0062435" Destination="https://t01wap11525.corp.pep.tst:8443/Thingworx/saml/SSO" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">GlobalShopFloorToolsDev5</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#SQHPq3nlwX1hy2TvcFge9yCB9Et"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>cqx6aA4yX/Qfy/11xwD/Wf3JvbY4dCg/0k2Sb6qGxWw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>f8PkVrArQlLS/jKDRykLegkXmjL+qpAEy9k/OBjPQUnixJxWbjJa5Ldvf7aRVE6YP3BE8EPxBcCZMVKN34uFXo90CHuWxL+UQxkeLh/KWl+nWSpsx6SIK0MxTThP3jhSswM/76HQl2SCsn2M2dp2saJLyBTEd/AaUeBnnQ0oKD7KnS2TZ1TkhjFzV+KxuB+jKr6OV0C7IB6i6yUm/bwfcsQ4321PRVX4zmHBcEZLRo4CTbmkytaMtz74HDMMYfHL+Gnh/FSOrUsNOWryDh1IuGLcowx5ZUKz8ld5g0x8XRZ83PTH02tVWx/jys5Z1fYw9zU+eYIstY2qlYlT7thFPA==</ds:SignatureValue></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:En ...
[O: o.o.w.m.d.BaseMessageDecoder] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-8443-exec-23] Resultant DOM message was:_<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://t01wap11525.corp.pep.tst:8443/Thingworx/saml/SSO" ID="SQHPq3nlwX1hy2TvcFge9yCB9Et" InResponseTo="a3g6af8d578c80181e90ib9j0062435" IssueInstant="2024-05-28T12:56:43.374Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">GlobalShopFloorToolsDev5</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#SQHPq3nlwX1hy2TvcFge9yCB9Et"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>cqx6aA4yX/Qfy/11xwD/Wf3JvbY4dCg/0k2Sb6qGxWw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>f8PkVrArQlLS/jKDRykLegkXmjL+qpAEy9k/OBjPQUnixJxWbjJa5Ldvf7aRVE6YP3BE8EPxBcCZMVKN34uFXo90CHuWxL+UQxkeLh/KWl+nWSpsx6SIK0MxTThP3jhSswM/76HQl2SCsn2M2dp2saJLyBTEd/AaUeBnnQ0oKD7KnS2TZ1TkhjFzV+KxuB+jKr6OV0C7IB6i6yUm/bwfcsQ4321PRVX4zmHBcEZLRo4CTbmkytaMtz74HDMMYfHL+Gnh/FSOrUsNOWryDh1IuGLcowx5ZUKz8ld5g0x8XRZ83PTH02tVWx/jys5Z1fYw9zU+eYIstY2qlYlT7thFPA==</ds:SignatureValue></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org ...
[O: o.s.s.s.s.HttpSessionStorage] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-8443-exec-23] Message a3g6af8d578c80181e90ib9j0062435 not found in session 60D481146A1C733E6C6D8AD5FB58EC26
[O: o.s.s.s.l.SAMLDefaultLogger] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-8443-exec-23] AuthNResponse;FAILURE;30.22.9.64;TWX_SP;GlobalShopFloorToolsDev5;09236890;;org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a3g6af8d578c80181e90ib9j0062435__ at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:139)__ at com.ptc.eauth.identity.saml2.PTCWebSSOProfileConsumerImpl.processAuthenticationResponse(PTCWebSSOProfileConsumerImpl.java:25)__ at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)__ at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)__ at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:92)__ at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)__ at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)__ at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:60)__ at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)__ at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)__ at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)__ at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)__ at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)__ at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)__ at org.springframewo ...
[O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-8443-exec-23] [ Error validating SAML message ][ InResponseToField of the Response doesn't correspond to sent message a3g6af8d578c80181e90ib9j0062435 ]
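The session comparison described above can be automated across a whole SecurityLog.log. The Python script below is an added example, not PTC code: it pairs each "Storing message" event with the matching "not found in session" event and reports both session IDs and the Tomcat connector each event arrived on. The function names are illustrative, and the sample text is abridged from the entries quoted above.

```python
import re

# The two HttpSessionStorage events. finditer() is used so the pattern still
# works when several log entries are run together on one physical line.
EVENT = re.compile(
    r"\[T: (?P<thread>[^\]]+)\]\s+"
    r"(?:Storing message (?P<stored>\S+) to session (?P<s_sid>[0-9A-Fa-f]+)"
    r"|Message (?P<missing>\S+) not found in session (?P<m_sid>[0-9A-Fa-f]+))"
)

def connector(thread):
    """'https-openssl-nio-8443-exec-23' -> 'https-openssl-nio-8443'."""
    return thread.rsplit("-exec-", 1)[0]

def find_session_mismatches(log_text):
    """Return one finding per 'not found in session' event."""
    stored = {}  # message ID -> (session ID, connector) when the request was sent
    findings = []
    for m in EVENT.finditer(log_text):
        conn = connector(m["thread"])
        if m["stored"]:
            stored[m["stored"]] = (m["s_sid"], conn)
            continue
        sent_sid, sent_conn = stored.get(m["missing"], (None, None))
        findings.append({
            "message_id": m["missing"],
            "stored_session": sent_sid,
            "stored_connector": sent_conn,
            "lookup_session": m["m_sid"],
            "lookup_connector": conn,
            # True: the browser came back in a different HTTP session.
            # False with a known store: same session, message no longer there.
            "session_changed": sent_sid is not None and sent_sid != m["m_sid"],
        })
    return findings

# Abridged from the SecurityLog.log entries quoted above.
SAMPLE = (
    "[O: o.s.s.s.s.HttpSessionStorage] [I: ] [U: ???] [S: ] [P: ] "
    "[T: http-nio-8080-exec-2] Storing message a3g6af8d578c80181e90ib9j0062435 "
    "to session 8B11EBBC8018067E70F0939840DFBCED "
    "[O: o.s.s.s.s.HttpSessionStorage] [I: ] [U: ???] [S: ] [P: ] "
    "[T: https-openssl-nio-8443-exec-23] Message a3g6af8d578c80181e90ib9j0062435 "
    "not found in session 60D481146A1C733E6C6D8AD5FB58EC26"
)

if __name__ == "__main__":
    for finding in find_session_mismatches(SAMPLE):
        print(finding)
```

For the entries above, the finding shows the request stored on the http-nio-8080 connector and the response looked up on https-openssl-nio-8443, each under a different session ID.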