SSO Authentication With SAML Fails With Validation Exceptions

(Doc ID 1350550.1)

Last updated on NOVEMBER 05, 2016

Applies to:

Oracle Weblogic Server - Version 10.3.5 and later
Information in this document applies to any platform.

Symptoms

First-time SSO authentication works fine with the request flow:
Application URL -> Apache proxy -> WLS -> SAML IDP, then back to the server.

The error appears when the request goes to the other node, which tries to find the information in the RDBMS store and fails, because by default WebLogic uses the embedded LDAP.

####<Aug 10, 2011 10:58:14 AM BRT> <Debug> <SecuritySAML2Service> <xxxxx> <xxxxx> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <e0f9ede3d9a0a6d6:-49422a79:131b3f8cec8:-8000-0000000000000036> <1312984694750> <BEA-000000> <exception info
org.opensaml.xml.validation.ValidationException: [Security:096554]Can not find request for InResponseTo: _0x9dbbb990c8d73e9c4fa272c5b052311b in response.
    at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl$ResponseValidator.validateInResponseTo(AssertionConsumerServiceImpl.java:319)
    at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl$ResponseValidator.validate(AssertionConsumerServiceImpl.java:291)
    at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl.verifyAttrAndEle(AssertionConsumerServiceImpl.java:273)
    at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl.process(AssertionConsumerServiceImpl.java:113)
    at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:26)
    at $Proxy32.process(Unknown Source)
    at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3717)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
>
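The InResponseTo correlation that the trace above shows failing, as an added example that is not WebLogic's or Oracle's code: the Assertion Consumer Service must find the AuthnRequest ID it recorded earlier, so a node whose request store is local to itself rejects a Response that a different node solicited, while a store visible to both nodes accepts it. The store classes, the sample Response and the placeholder IDs are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class RequestStore:
    """Outstanding AuthnRequest IDs. One instance per node models the default
    embedded-LDAP state; one instance shared by all nodes models an RDBMS store."""
    def __init__(self):
        self._ids = set()
    def record(self, request_id):
        self._ids.add(request_id)
    def consume(self, request_id):
        # Remove on success: each ID is honoured once, so a replayed Response
        # carrying the same InResponseTo is rejected as well.
        if request_id in self._ids:
            self._ids.remove(request_id)
            return True
        return False

def validate_in_response_to(response_xml, store):
    """Correlate a samlp:Response with an AuthnRequest ID this SP recorded."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    rid = root.get("InResponseTo")
    if not rid:
        raise ValueError("no InResponseTo: unsolicited Response rejected")
    if not store.consume(rid):
        raise ValueError("Can not find request for InResponseTo: %s" % rid)
    return rid

# Constructed sample Response; the IDs are placeholders, not real values.
RESPONSE = ('<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0" '
            'InResponseTo="_0xPLACEHOLDER"/>' % SAMLP)

def demo():
    """Return (accepted_by_other_node, accepted_with_shared_store)."""
    node_a, node_b = RequestStore(), RequestStore()  # node-local stores
    node_a.record("_0xPLACEHOLDER")                  # node A sent the AuthnRequest
    try:
        validate_in_response_to(RESPONSE, node_b)    # node B receives the Response
        other_node_ok = True
    except ValueError:
        other_node_ok = False
    shared = RequestStore()                          # store visible to both nodes
    shared.record("_0xPLACEHOLDER")
    shared_ok = validate_in_response_to(RESPONSE, shared) == "_0xPLACEHOLDER"
    return other_node_ok, shared_ok
```

The same check also rejects a second Response that reuses an already consumed InResponseTo, which is why the request state must be both shared across nodes and removed once used.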

Cause
