Thread: HTTP Status 401 - Authentication Failed:Error validating SAML message

  1. #1
    Join Date
    Jan 2012
    Posts
    8

    HTTP Status 401 - Authentication Failed:Error validating SAML message

    Hello,

    I have modified the web example of saml to hook into Shibboleth 2.3.5 as an IDP. Everything is running on one machine. For authentication, I used LDAP with one user to authenticate against. Everything works and I get the login screen to enter my credentials. After entering correct credentials, the logs do show that I get authenticated and a principal is created. But then I get the message in the title above "HTTP Status 40 -..." in the browser.
    Here is a snapshot of Shibboleth's log before sending the message back to the user:

    12:37:43.747 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:191] - Checking SAML message intended destination endpoint against receiver endpoint
    12:37:43.747 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:210] - Intended message destination endpoint: https://127.0.0.1:8443/idp/profile/S...factResolution
    12:37:43.747 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:211] - Actual message receiver endpoint: https://127.0.0.1:8443/idp/profile/S...factResolution
    12:37:43.747 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:219] - SAML message intended destination endpoint matched recipient endpoint
    12:37:43.748 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.ArtifactResolution:189] - Decoded request from relying party 'http://localhost:7070/spring-security-saml2-sample/saml/metadata/alias/defaultAlias'
    12:37:43.748 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.748 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.748 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.748 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.748 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.748 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.749 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.749 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.749 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.749 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.749 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.749 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:134] - No custom relying party configuration found for http://localhost:7070/spring-securit...s/defaultAlias, looking up configuration based on metadata groups.
    12:37:43.749 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.750 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.750 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.750 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.750 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.751 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for http://localhost:7070/spring-securit...s/defaultAlias. Using default relying party configuration.
    12:37:43.751 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: https://127.0.0.1/idp/shibboleth
    12:37:43.751 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of https://127.0.0.1/idp/shibboleth
    12:37:43.751 - DEBUG [org.opensaml.common.binding.artifact.BasicSAMLArtifactMap:128] - Attempting to retrieve entry for artifact: AAQAAnn4WhDqEEyMi9zpDMPcDuZd03dBaGjR9wA8pcm6VrZ0wq8DskqeiNc=
    12:37:43.752 - DEBUG [org.opensaml.common.binding.artifact.BasicSAMLArtifactMap:142] - Found valid entry for artifact: AAQAAnn4WhDqEEyMi9zpDMPcDuZd03dBaGjR9wA8pcm6VrZ0wq8DskqeiNc=
    12:37:43.753 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:778] - Encoding response to SAML request a41bih828bib41ib598f79399d3jd26 from relying party http://localhost:7070/spring-securit...s/defaultAlias
    12:37:43.753 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:49] - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
    12:37:43.754 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder:132] - Building SOAP message
    12:37:43.754 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder:141] - Adding SAML message to the SOAP message's body
    12:37:43.754 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:97] - Marshalling message
    12:37:43.760 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:56] - Successfully encoded message.
    12:37:43.760 - INFO [Shibboleth-Audit:970] - 20120130T173743Z|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|a41bih828bib41ib598f79399d3jd26|http://localhost:7070/spring-securit...17e58aa4||||||

  2. #2
    Join Date
    Jan 2012
    Posts
    8

    This problem is solved.

  3. #3
    Join Date
    Dec 2011
    Posts
    4

    Hi,

    I'm running into what seems to be the exact same problem, how did you resolve your issue?

  4. #4
    Join Date
    Dec 2011
    Posts
    4

    We now resolved our problem as well.
    It turned out that we had a filter in place that blocked the SOAP communication from the ADFS server from reading our metadata.

  5. #5

    Can you explain it to me in more detail? I have a problem like this: I can do SSO on localhost, but when I deploy my project to a real server (on the internet) it does not work and returns a 401 error. Please help me with this problem.
