XML Parsing Error when attempting SP-initiated Single Sign-On with RSA SecurID Cloud Authentication Service
Originally Published: 2018-03-08
Article Number
000040821
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Cloud Authentication Service, Identity Router
Issue
A SAML assertion unexpectedly contains no InResponseTo field and is rejected by the requesting Service Provider.

The IDR's /var/log/symplified.log contains errors similar to the example below.
2018-02-28/01:38:36.855/UTC [ajp-bio-8009-exec-8] WARN com.symplified.adapter.api.ApplianceAuthenticationConfig[289] - Problem casting Config Component to Boolean
...
2018-02-28/01:38:36.913/UTC [ajp-bio-8009-exec-8] ERROR net.shibboleth.utilities.java.support.xml.BasicParserPool[50] - XML Parsing Error
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.
Cause
The SAML Binding Method (POST or Redirect) is configured inconsistently between the Service Provider (SP) and the Cloud Authentication Service's application configuration.
The IDR rejects the SAML authentication request and treats the scenario as IdP-initiated, so the assertion it issues carries no InResponseTo field.
Resolution
Ensure that the SAML binding method used by the third-party application (SP), either POST or Redirect, is the same one configured in the Administration Console Application -> My Applications -> Edit -> Connection Profile -> Binding Method for SAML Request.
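To confirm which binding the SP actually sends before changing the Connection Profile, the following added example (not RSA code) classifies a SAMLRequest value captured from the browser and returns the request ID that InResponseTo should echo. It also shows that a Redirect-encoded request decoded as POST is not XML, which is consistent with the parse error in the log; how the IDR decodes requests internally is an assumption, and the sample request and helper names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

AUTHN_REQUEST = "{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest"

def decode_saml_request(value):
    """Return (binding, request ID) for a captured SAMLRequest parameter value."""
    raw = base64.b64decode(unquote(value))
    if raw.lstrip().startswith(b"<"):
        binding, xml = "HTTP-POST", raw          # POST: base64 of the XML itself
    else:
        try:
            xml = zlib.decompress(raw, -15)      # Redirect: raw DEFLATE, then base64
        except zlib.error as exc:
            raise ValueError("not a SAML request in either binding") from exc
        binding = "HTTP-Redirect"
    if b"<!DOCTYPE" in xml:                      # SAML messages never carry a DTD
        raise ValueError("DTD found in SAML message")
    root = ET.fromstring(xml)
    if root.tag != AUTHN_REQUEST:
        raise ValueError("unexpected root element: " + root.tag)
    return binding, root.get("ID")               # ID is what InResponseTo must echo

def parse_as_post(value):
    """Decode as if the value used the POST binding, then parse the result as XML."""
    return ET.fromstring(base64.b64decode(unquote(value)))

# Constructed sample request; the ID is made up.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example123" Version="2.0" IssueInstant="2018-02-28T01:38:36Z"/>'
).encode()

def encode_post(xml):
    return base64.b64encode(xml).decode()

def encode_redirect(xml):
    deflater = zlib.compressobj(wbits=-15)
    packed = deflater.compress(xml) + deflater.flush()
    return quote(base64.b64encode(packed).decode(), safe="")

if __name__ == "__main__":
    for value in (encode_post(SAMPLE_XML), encode_redirect(SAMPLE_XML)):
        print(decode_saml_request(value))
    try:
        parse_as_post(encode_redirect(SAMPLE_XML))
    except ET.ParseError as err:
        print("Redirect payload decoded as POST:", err)
```

Compare the reported binding with the Binding Method for SAML Request setting; a mismatch between the two is the condition described under Cause.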
Notes
Alternatively, a third-party application that is configured as a Relying Party does not encounter this issue, because incoming SAML requests are processed with either SAML binding method.
See the section on Relying Parties in the RSA SecurID Access Cloud Authentication Service documentation.