End users are unable to log in to their Application Portal or perform SSO login to applications with IWA. When the users try to log in using their usernames and passwords instead, they succeed, so this is not an issue with the portal itself.
The User Event Monitor shows the following messages:
User ID: unknown
Description: Portal logon failed - Authentication failed.
Authentication Details: {"additionalText":"{MESSAGE=Idp login failed. There was trouble processing the idp request., USERID=unknown, USERNAME=unknown, NOT_AUTHNED_REASON=Unable to authenticate with the credentials you provided. Please try again., RESULT=NOT_AUTHENTICATED}"}
The following error is seen in the IDR logs:
ERROR com.symplified.platform.webservice.WebServiceApiSecurityUtils[268] - No Authorization header Present
.
.
.
Caused by: org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful
There is a mismatch between the certificate on the IWA server and the certificate uploaded for the IWA connection in the Cloud Administration Console.
The customer must generate a new .pem and a corresponding .pfx and upload them. Alternatively, the steps shown in article 000035019 - Signature cryptographic validation not successful error for all RSA SecurID Access integrated Windows Authentication (IWA) attempts can be used to generate the new key pair from the Cloud Administration Console.
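As an added check (not part of the original article or of the RSA product), the following script compares the SHA-256 fingerprint of the certificate inside the .pfx installed on the IWA server with the .pem uploaded for the IWA connection, so the mismatch behind the "Signature cryptographic validation not successful" error can be confirmed before regenerating the key pair. It assumes openssl is on PATH and that the caller supplies the file paths and the PFX password.

```shell
#!/bin/sh
# Added example: confirm that the IWA server .pfx and the uploaded .pem carry
# the same certificate. File paths and the PFX password are caller-supplied
# assumptions; nothing here is taken from the product itself.

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Extract the end-entity certificate from a PKCS#12 (.pfx) file and print
# its SHA-256 fingerprint. $1 = pfx path, $2 = pfx password.
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 when both files hold the same certificate, 1 on a mismatch and
# 2 when either file cannot be read.
# Usage: check_iwa_cert_match server.pfx 'pfx-password' uploaded.pem
check_iwa_cert_match() {
    pfx_fp=$(pfx_fingerprint "$1" "$2")
    pem_fp=$(pem_fingerprint "$3")
    if [ -z "$pfx_fp" ] || [ -z "$pem_fp" ]; then
        echo "could not read a certificate from $1 or $3" >&2
        return 2
    fi
    if [ "$pfx_fp" = "$pem_fp" ]; then
        echo "MATCH: $pfx_fp"
        return 0
    fi
    echo "MISMATCH: IWA server .pfx $pfx_fp vs uploaded .pem $pem_fp" >&2
    return 1
}
```

A MISMATCH result is the condition the article describes; regenerating the .pem/.pfx pair and uploading it again, as in the resolution above, should turn it into a MATCH.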