My Oracle Support Banner

"403 Forbidden" after Configuring SAML-Based Single Sign-On (Doc ID 1090904.1)

Last updated on JULY 03, 2023

Applies to:

Oracle WebCenter Portal - Version and later
Information in this document applies to any platform.


WebCenter Spaces and Services were configured for SAML-based Single Sign-on following the formal documentation here.

When logging into WebCenter Spaces and click on the blog page, the following error is displayed in the browser:

Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden

If the SAML logs are enabled from the WebLogic Server Administration Console as follow:

Domain>Environment > Servers > WLS_Spaces > Debug > weblogic > security > saml - enable this logging.
Domain>Environment > Servers > WLS_Services > Debug > weblogic > security > saml - enable this logging.

Then the following errors appear in the WLS_Services.log file:

<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Signature verification SUCCESS>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <Got signing certificate for signed object: CN=webcenter, DC=<COMPANYNAME>, DC=com>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Got keyinfo cert from response: CN=webcenter, DC=<COMPANYNAME>, DC=com>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Signing certificate is trusted>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Invalid response -- recipient does not match request URL>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743763> <BEA-000000> <SAMLDestinationSiteHelper: Unable to validate response -- returning SC_FORBIDDEN>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743763> <BEA-000000> <SAMLSingleSignOnService.doACSGet: Failed to get SAML credentials -- returning>
 <Info> <Health> <HOSTNAME> <WLS_Services1> <weblogic.GCMonitor> <> <> <> <1270466770878> <BEA-310002> <95% of the total memory in the server is free>


This error happens when there is a SSL Accelerator converting https to http between the SAML source and destination.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.