IBM Cloud Docs
Why did my SAML authentication request fail?

Why did my SAML authentication request fail?

You encounter issues with your SAML authentication.

Why can't my SAML message signature be validated?

When you test your application, you receive the following error message:

The SAML message signature could not be validated

This error occurs when App ID cannot verify the signature that is sent by SAML.

To resolve the issue, verify that you have Inbound Signature set to None in your configuration.

Why is the RelayState parameter missing from my authentication response?

The RelayState parameter is missing from your authentication response.

App ID sends an opaque parameter that is known as RelayState as part of the authentication request. If you do not see the parameter in your response, your identity provider might not be configured to return it correctly. The RelayState takes the following form.

https://idp.example.org/SAML2/SSO/Redirect?SAMLRequest=request&RelayState=token

Verify that your SAML provider is configured to return the RelayState parameter to App ID without modifying it in any way.

Why am I receiving an error about my Name ID?

When you send an authentication request, you receive an error that regards the NameID.

App ID, as the service provider, defines the way that users are identified by the service and by the identity provider. With App ID, users are identified in the NameID authentication request in the NameID field as shown in the following example.

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

To resolve the issue, be sure that your identity provider NameID is formatted as an email address. Verify that all the users in your identity provider registry have a valid email address format. Then, verify that the NameID field is correctly defined so that a valid email is always returned - even if users in your registry have multiple emails.

Failure to decrypt the response

You receive one of the following error messages in response to your authentication request.

Error message 1:

Unexpectedly received an encrypted assertion. Please enable response encryption in your {{site.data.keyword.appid_short_notm}} SAML configuration.

Error message 2:

Could not decrypt SAML assertion. Ensure your SAML provider is configured with the {{site.data.keyword.appid_short_notm}} encryption.

If your identity provider is configured to encrypt, App ID must be configured to sign the SAML authentication requests (AuthnRequest). Then, your identity provider must be configured to expect the corresponding configuration. You might receive these errors for one of the following reasons:

  • App ID is not configured to expect that the identity provider SAML response is encrypted.
  • App ID cannot correctly decrypt your assertions.

If you receive error message 1, verify that your SAML configuration is set to expect an encrypted response. By default, App ID does not expect the response to be encrypted. To configure encryption, set the encryptResponse parameter to true by using the API.

If you receive error message 2, ensure that your certificate is correct. You can obtain the signing certificate from the App ID metadata XML file. Be sure that you use the key with <KeyDescriptor use="signing">. Verify that your identity provider is configured to use `` as the signature signing algorithm.

Responder error code

When you send an authentication request, you receive the following generic error message:

urn:oasis:names:tc:SAML:2.0:status:Responder

Although App ID sends the initial authentication request, the identity provider must perform the user authentication and return the response. There are several reasons that might cause your identity provider to produce this error message.

You might see the message if your identity provider:

  • Cannot find or verify the username.
  • Does not support the NameID format that is defined in the authentication request (AuthnRequest).
  • Does not support the authentication context.
  • Requires the authentication request to be signed or use a specific algorithm in the signature.

To resolve the issue, verify your configuration and username. Verify that you have the correct authentication context and variables defined. Check to see whether your request needs to be signed in a specific way.

Unsupported authentication request

You receive a message about an unsupported authentication request.

When App ID generates an authentication request, it can use the authentication context to request the quality of the authentication and SAML assertions.

To resolve the issue, you can update your authentication context. By default, App ID uses the authentication class urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport and comparison exact. You can update the context parameter to fit your use case by using the APIs.

SAML request signing failure

You receive an error that states that an authentication request cannot be verified.

App ID can be configured to sign the SAML authentication request (AuthNRequest), but your identity provider must be configured to expect the corresponding configuration.

To resolve the issue:

  • Verify that IBM Cloud is configured to sign the authentication request by setting the signRequest parameter to true by using the set SAML IdP API. You can check to see whether your authentication request is signed by looking at the request URL. The signature is included as a query parameter. For example, https://idp.example.org/SAML2/SSO/Redirect?SAMLRequest=request&SigAlg=value&Signature=value&RelayState=token

  • Verify that your identity provider is configured with the correct certificate. To obtain the signing certificate, check the IBM Cloud metadata XML file that you downloaded from the IBM Cloud dashboard. Ensure that you use the key with <KeyDescriptor use="signing">.

  • Verify that your identity provider is configured to use `` as the signing algorithm.