"403 Forbidden" after Configuring SAML-Based Single Sign-On (Doc ID 1090904.1)

Last updated on NOVEMBER 10, 2016

Applies to:

Oracle WebCenter Portal - Version 11.1.1.2.0 and later
Information in this document applies to any platform.
Checked for relevance on 20-Aug-2014

Symptoms


WebCenter Spaces and Services were configured for SAML-based Single Sign-on following the formal documentation.

After logging in to WebCenter Spaces and clicking on the blog page, the following error is displayed in the browser:

Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden



If SAML debug logging is enabled from the WebLogic Server Administration Console as follows:


Domain>Environment>Servers>WLS_Spaces>Debug>weblogic>security>saml - enable this logging.
Domain>Environment>Servers>WLS_Services>Debug>weblogic>security>saml - enable this logging.

then the following entries appear in the WLS_Services log file:

[...]
<Debug> <SecuritySAMLService> <myserver.oracle.com> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Signature verification SUCCESS>
<Debug> <SecuritySAMLService> <myserver.oracle.com> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <Got signing certificate for signed object: CN=webcenter, DC=oracle, DC=com>
<Debug> <SecuritySAMLService> <myserver.oracle.com> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Got keyinfo cert from response: CN=webcenter, DC=oracle, DC=com>
<Debug> <SecuritySAMLService> <myserver.oracle.com> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Signing certificate is trusted>
<Debug> <SecuritySAMLService> <myserver.oracle.com> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Invalid response -- recipient does not match request URL>
<Debug> <SecuritySAMLService> <myserver.oracle.com> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743763> <BEA-000000> <SAMLDestinationSiteHelper: Unable to validate response -- returning SC_FORBIDDEN>
<Debug> <SecuritySAMLService> <myserver.oracle.com> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743763> <BEA-000000> <SAMLSingleSignOnService.doACSGet: Failed to get SAML credentials -- returning>
 <Info> <Health> <iiaherwc01t.oracle.com> <WLS_Services1> <weblogic.GCMonitor> <> <> <> <1270466770878> <BEA-310002> <95% of the total memory in the server is free>
[...]

Changes

This error happens when an SSL accelerator (a TLS-terminating proxy) sits between the SAML source site and the destination site and forwards the request to WebLogic over plain http. The source site builds the Recipient attribute of the SAML response from the external https URL of the destination's assertion consumer service, while the destination server reconstructs the request URL from the http connection it actually received. The two URLs differ in scheme (and usually port), so SAMLDestinationSiteHelper reports "recipient does not match request URL" and returns SC_FORBIDDEN, which the browser renders as the 403 above. Note that the signature and certificate checks succeed in the log; only the recipient comparison fails. This comparison is a deliberate safeguard (it binds the assertion to the endpoint it was issued for), so the remedy is to make the destination server aware of the front-end https URL rather than to relax the check.
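The following is an added illustration, not Oracle's or WebLogic's code: it mimics the destination-site Recipient check described above with a small Python script, so you can see why a TLS-terminating accelerator produces the 403 and what the server must know to pass the check. The SAML 1.1 response, the host name webcenter.example.com, the ACS path /samlacs/acs, and the use of an X-Forwarded-Proto header as the accelerator's signal are all constructed assumptions; WebLogic's own plug-in protocol carries the same information in a WL-Proxy-SSL header, and the actual comparison logic inside SAMLDestinationSiteHelper is inferred from the log message only.

```python
"""Reproduce a SAML 1.1 destination-site Recipient check behind a TLS terminator.

Constructed example: the response, URLs and headers are made up for illustration
and do not come from the Oracle support article.
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed SAML 1.1 Response: the source site filled in Recipient from the
# external https URL of the destination's assertion consumer service (ACS).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    ResponseID="_constructed-response-1" MajorVersion="1" MinorVersion="1"
    IssueInstant="2010-04-05T11:25:43Z"
    Recipient="https://webcenter.example.com/samlacs/acs">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
</samlp:Response>"""


def recipient_from_response(response_xml: str) -> str:
    """Return the Recipient attribute of a SAML 1.1 <samlp:Response>."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a SAML 1.1 Response element")
    recipient = root.get("Recipient")
    if not recipient:
        raise ValueError("Response has no Recipient attribute")
    return recipient


def normalize_url(url: str) -> tuple:
    """Canonical (scheme, host, port, path) so that an explicit default port
    compares equal to an omitted one and host case does not matter."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or incomplete URL: {url}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return scheme, parts.hostname.lower(), port, parts.path or "/"


def effective_request_url(scheme: str, host: str, port: int, path: str,
                          headers: dict, from_trusted_accelerator: bool) -> str:
    """Rebuild the URL the browser actually used.

    The accelerator speaks plain http to WebLogic, so the socket-level scheme
    is "http". Only when the hop came from the trusted accelerator do we honour
    the forwarded scheme (X-Forwarded-Proto here, an assumption). A forwarded
    header from an arbitrary client must be ignored, otherwise anyone could
    claim an https origin and defeat the point of the check.
    """
    if from_trusted_accelerator:
        forwarded = headers.get("X-Forwarded-Proto", "").lower()
        if forwarded in DEFAULT_PORTS:
            scheme = forwarded
            port = DEFAULT_PORTS[scheme]  # assumption: accelerator uses the default port
    port_part = "" if port == DEFAULT_PORTS[scheme] else f":{port}"
    return f"{scheme}://{host}{port_part}{path}"


def acs_status(response_xml: str, request_url: str) -> int:
    """Mirror the destination-site rule: 403 when Recipient != request URL."""
    if normalize_url(recipient_from_response(response_xml)) != normalize_url(request_url):
        return 403  # "Invalid response -- recipient does not match request URL"
    return 200


if __name__ == "__main__":
    acs = ("http", "webcenter.example.com", 80, "/samlacs/acs")  # what WebLogic sees
    # 1. Accelerator strips TLS and the server does not know about it: 403.
    print(acs_status(SAMPLE_RESPONSE, effective_request_url(*acs, {}, False)))
    # 2. Server reconstructs the front-end https URL from the trusted hop: 200.
    print(acs_status(SAMPLE_RESPONSE, effective_request_url(
        *acs, {"X-Forwarded-Proto": "https"}, True)))
    # 3. Same header from an untrusted client is ignored: still 403.
    print(acs_status(SAMPLE_RESPONSE, effective_request_url(
        *acs, {"X-Forwarded-Proto": "https"}, False)))
```

The three cases in the usage section correspond to the failing deployment in this article, a destination server that has been told about its https front end, and a client trying to spoof that front end. The point of the last case is that whatever mechanism you use to tell WebLogic about the accelerator (front-end host and port settings, or the plug-in header), it must be trusted only for traffic that really comes from the accelerator.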

Cause
