Invalid property: Subject: SubjectConfirmation: REQUESTER, REQUESTDENIED

Problem


ServiceProviderServlet threw exception: "com.ubisecure.saml2.core.SAMLValidationException: Invalid property: Subject: SubjectConfirmation: REQUESTER, REQUESTDENIED"

Solution

There are two possible causes, each with its own solution:

  1. The SP is requesting an authentication method which the Application object cannot offer. A matching method for the request is not enabled for the application object. From the Application view, select Methods, tick one or more methods and press Update. Ensure that the Authentication Context and/or Authentication Class of the methods match those requested by the SP.
    If the methods view is empty, methods must be added to the site as permitted. Go to the Site view, select the Methods tab, click Add, and select the methods that should be available for selection for this site. After this, these methods will be visible in the Application -> Methods view.
  2. The IDP is seeing a different IP address than the SP (or IDP Proxy) is seeing.
    Compare the IP address in the Address field of the SubjectConfirmationData element in the SAML Response to the IP address shown in square brackets at the beginning of the error message, immediately before the text “MessageServer.frontChannelService”. If these values differ, the browser's IP address as seen by the IDP is not the one seen by the SP. For security reasons, by default responses are only accepted from the same IP address as the sender's. Try again using a network configuration where the browser IP address does not change between services.
    If the network configuration is such that the browser IP address does change between services, this check can be disabled or loosened. To disable the check or widen its tolerance for GlobalSign SSO, adjust the netmask setting in the win32.config/unix.config file and the uas.properties file of the webapps/uas application. The netmask setting is described in the Ubisecure SSO Installation document. For SAML SP products, adjust the netmask settings as described in the respective product installation guide.
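
The comparison described in solution 2 can be scripted against a captured SAML Response. The following is an added example, not Ubisecure code. The sample response is constructed, the observed IP is the value copied by hand from the square brackets in the log, and the netmask handling (mask both IPv4 addresses, then compare) is an assumption made to illustrate how a wider netmask loosens the check.

```python
import ipaddress
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed SAML Response holding only the elements read here.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Address="192.0.2.17"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""


def confirmation_addresses(response_xml):
    """Return every SubjectConfirmationData Address attribute in the response."""
    root = ET.fromstring(response_xml)
    nodes = root.iterfind(".//saml:SubjectConfirmationData", SAML_NS)
    return [n.get("Address") for n in nodes if n.get("Address")]


def same_network(asserted, observed, netmask):
    """True if both IPv4 addresses fall in the same network under the netmask."""
    a = ipaddress.ip_interface(f"{asserted}/{netmask}").network
    b = ipaddress.ip_interface(f"{observed}/{netmask}").network
    return a == b


def check(response_xml, observed_ip, netmask="255.255.255.255"):
    """Compare the asserted Address values with the IP copied from the log."""
    addresses = confirmation_addresses(response_xml)
    if not addresses:
        return "no Address attribute present"
    if any(same_network(a, observed_ip, netmask) for a in addresses):
        return "match"
    return f"mismatch: response={addresses}, observed={observed_ip}"


if __name__ == "__main__":
    print(check(SAMPLE_RESPONSE, "192.0.2.17"))                   # exact match
    print(check(SAMPLE_RESPONSE, "192.0.2.99"))                   # address changed
    print(check(SAMPLE_RESPONSE, "192.0.2.99", "255.255.255.0"))  # loosened netmask
```

This only reads the Address attribute for troubleshooting; it does not validate the response signature or any other SAML condition.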