
"403 Forbidden" after Configuring SAML-Based Single Sign-On (Doc ID 1090904.1)

Last updated on JULY 03, 2023

Applies to:

Oracle WebCenter Portal - Version 11.1.1.2.0 and later
Information in this document applies to any platform.
 

Symptoms


WebCenter Spaces and Services were configured for SAML-based single sign-on by following the formal documentation.

After logging in to WebCenter Spaces and clicking the blog page, the following error is displayed in the browser:

Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden



If SAML debug logging is enabled from the WebLogic Server Administration Console as follows:


Domain > Environment > Servers > WLS_Spaces > Debug > weblogic > security > saml (enable this logging)
Domain > Environment > Servers > WLS_Services > Debug > weblogic > security > saml (enable this logging)

then the following errors appear in the WLS_Services.log file:

[...]
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Signature verification SUCCESS>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <Got signing certificate for signed object: CN=webcenter, DC=<COMPANYNAME>, DC=com>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Got keyinfo cert from response: CN=webcenter, DC=<COMPANYNAME>, DC=com>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Signing certificate is trusted>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743762> <BEA-000000> <SAMLDestinationSiteHelper: Invalid response -- recipient does not match request URL>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743763> <BEA-000000> <SAMLDestinationSiteHelper: Unable to validate response -- returning SC_FORBIDDEN>
<Debug> <SecuritySAMLService> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1270466743763> <BEA-000000> <SAMLSingleSignOnService.doACSGet: Failed to get SAML credentials -- returning>
 <Info> <Health> <HOSTNAME> <WLS_Services1> <weblogic.GCMonitor> <> <> <> <1270466770878> <BEA-310002> <95% of the total memory in the server is free>
[...]

Changes

This error happens when there is an SSL accelerator converting HTTPS to HTTP between the SAML source and destination.
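The log excerpt above shows the signature and certificate trust checks passing before the recipient check fails, which is what separates this condition from a certificate or trust problem. The following triage script is an added example, not Oracle code: it classifies that pattern from SecuritySAMLService debug records and names which URL component differs. The sample records, the host `portal.example.com` and the path `/app/acs` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# WebLogic log record: <severity> <subsystem> ... <epoch-ms> <message-id> <message>
RECORD = re.compile(r"^\s*<\w+> <(?P<subsys>\w+)> .*<\d{13}> <BEA-\d+> <(?P<msg>.*)>\s*$")

# Message fragments copied from the WLS_Services.log excerpt above.
MARKERS = {
    "signature_ok": "Signature verification SUCCESS",
    "cert_trusted": "Signing certificate is trusted",
    "recipient_mismatch": "recipient does not match request URL",
    "forbidden": "returning SC_FORBIDDEN",
}

def triage(lines):
    """Return the marker names seen in SecuritySAMLService records."""
    seen = set()
    for line in lines:
        m = RECORD.match(line)
        if m and m["subsys"] == "SecuritySAMLService":
            seen.update(k for k, text in MARKERS.items() if text in m["msg"])
    return seen

def diagnose(seen):
    """Separate a URL mismatch from a signature or trust failure."""
    if "recipient_mismatch" in seen and {"signature_ok", "cert_trusted"} <= seen:
        return "url-mismatch"  # crypto checks passed, only the URL comparison failed
    return "other-validation-failure" if "forbidden" in seen else "no-saml-failure"

def url_diff(recipient, request_url):
    """Name the URL components that differ between Recipient and the URL the server saw."""
    a, b = urlsplit(recipient), urlsplit(request_url)
    pairs = {"scheme": (a.scheme, b.scheme), "host": (a.hostname, b.hostname),
             "port": (a.port, b.port), "path": (a.path, b.path)}
    return [name for name, (x, y) in pairs.items() if x != y]

def _rec(subsys, msg):
    # Constructed sample record in the layout of the excerpt above (not real log data).
    return (f"<Debug> <{subsys}> <HOSTNAME> <WLS_Services1> <[ACTIVE] ExecuteThread: '3'> "
            f"<> <> <> <1270466743762> <BEA-000000> <{msg}>")

SAMPLE = [
    _rec("SecuritySAMLService", "SAMLDestinationSiteHelper: Signature verification SUCCESS"),
    _rec("SecuritySAMLService", "Got signing certificate for signed object: CN=webcenter, DC=<COMPANYNAME>, DC=com"),
    _rec("SecuritySAMLService", "SAMLDestinationSiteHelper: Signing certificate is trusted"),
    _rec("SecuritySAMLService", "SAMLDestinationSiteHelper: Invalid response -- recipient does not match request URL"),
    _rec("SecuritySAMLService", "SAMLDestinationSiteHelper: Unable to validate response -- returning SC_FORBIDDEN"),
    _rec("Health", "95% of the total memory in the server is free"),
]
```

`diagnose(triage(SAMPLE))` returns `"url-mismatch"`, and `url_diff("https://portal.example.com/app/acs", "http://portal.example.com/app/acs")` returns `["scheme"]`, the difference an HTTPS-to-HTTP conversion produces.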

Cause
