Skip to main content

The credentials you provided cannot be determined to be authentic.

Problem

When setting up SAML2 for the Platform users receive the error "The credentials you provided cannot be determined to be authentic." In the igrafx_server.log file you will see lines like:

2017-02-16 17:26:17 DEBUG SAMLUtil - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@4ce4a40b for request URL https://xxxx based on location attribute in metadata 2017-02-16 17:26:17 DEBUG SAMLAuthenticationProvider - Error validating SAML message org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113) at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192) at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:446) at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:205)

Solution

This error happens when SAML's Relaying Party is set to RSA-SHA256. It needs to be set to SHA-1. Open the provider by double-clicking it, select tab Advanced and change "Secure hash algorithm" to SHA-1.

Details
Related issues