Problem

SAML SP fails during logout with the following error:

com.ubisecure.saml2.sp.ServiceProviderException: INTERNAL_ERROR: com.ubisecure.saml2.core.SAMLException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Solution

This error indicates that the SP tries to perform a back-channel logout using the SOAP SingleLogoutEndpoint described in the IDP metadata of Ubisecure SSO, but the SSL/TLS handshake fails. The cause is that the SAML SP for Java component tries to use SSLv3 when initiating the back-channel connection for the logout. Because SSLv3 is now obsolete, many servers refuse to establish a connection with it and abort the handshake instead.


The workaround is to disable the back-channel logout functionality:

  1. Set the LiteNoBackChannel compatibility flag in Ubisecure SSO Management
  2. Restart Ubisecure SSO
  3. Copy the new IDP metadata to the SP (replace \WEB-INF\saml2\sp\metadata\metadata.xml) and restart the Java servlet.
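
To confirm that the metadata copied in step 3 no longer leads the SP to the SOAP logout endpoint, the following added example (not part of the original page or of Ubisecure's code) lists the SingleLogoutService entries in an IDP metadata file and flags any that use the SAML 2.0 SOAP binding. It assumes the regenerated metadata omits the SOAP SingleLogoutService once LiteNoBackChannel is set; the sample documents and the sso.example.com URLs are constructed.

```python
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata; entity ID and endpoint URLs are hypothetical.
_TEMPLATE = """<EntityDescriptor xmlns="{ns}" entityID="https://sso.example.com/uas">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {soap}
    <SingleLogoutService Binding="{redirect}" Location="https://sso.example.com/uas/saml2/slo"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
_SOAP_SLO = ('<SingleLogoutService Binding="%s" '
             'Location="https://sso.example.com/uas/saml2/soap"/>' % SOAP_BINDING)

# Metadata before the workaround: SOAP (back-channel) logout is advertised.
OLD_METADATA = _TEMPLATE.format(ns=MD_NS, redirect=REDIRECT_BINDING, soap=_SOAP_SLO)
# Assumed shape after LiteNoBackChannel is set: no SOAP logout endpoint.
NEW_METADATA = _TEMPLATE.format(ns=MD_NS, redirect=REDIRECT_BINDING, soap="")


def logout_endpoints(metadata_xml):
    """Return (binding, location) for every IdP SingleLogoutService element."""
    root = ET.fromstring(metadata_xml)
    path = f".//{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleLogoutService"
    return [(e.get("Binding"), e.get("Location")) for e in root.findall(path)]


def backchannel_logout_endpoints(metadata_xml):
    """Return the locations the SP would contact over SOAP during logout."""
    return [loc for binding, loc in logout_endpoints(metadata_xml)
            if binding == SOAP_BINDING]


if __name__ == "__main__":
    # Pass the path to the SP's metadata.xml, or run without arguments
    # to check the constructed "before" sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = OLD_METADATA
    soap = backchannel_logout_endpoints(xml_text)
    for loc in soap:
        print("SOAP back-channel logout still advertised:", loc)
    sys.exit(1 if soap else 0)
```

A non-zero exit status means the SP is still configured with metadata that advertises SOAP logout, so the old file is probably still in place.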


