Ticket validation error: Invalid Property: AuthnRequest: Signature: REQUESTER for unsigned SAML requests

Problem

Browser or log shows error: Ticket validation error: Invalid Property: AuthnRequest: Signature: REQUESTER

Solution

  • A Service Provider is attempting to request authentication with an unsigned SAML message. First consider whether this is desirable: AuthnRequests are normally signed so that the IdP can verify that the request really comes from the registered SP. Without a signature, nothing in the request (for example its AssertionConsumerServiceURL) can be trusted beyond what is checked against the SP's registered metadata. Ask the SP to enable AuthnRequest signing.
  • If the SP cannot comply, rejection of unsigned messages can be disabled by adding the following option to the agent configuration in the Ubisecure SSO Management application.

Compatibility Flags: AuthnRequestValidate

  • After pressing Update, disable and re-enable the application to ensure the configuration is made active.
  • For a SAML service provider to send an unsigned request, the SP metadata must not contain a signing key.
  • If the following error occurs

com.ubisecure.saml2.core.SAMLValidationException: Invalid property: AuthnRequest: Signature: urn:oasis:names:tc:SAML:2.0:status:Requester, urn:oasis:names:tc:SAML:2.0:status:RequestDenied

verify that the service provider metadata has no <KeyDescriptor use="signing"> element. Note that a <KeyDescriptor> with no use attribute may be used for both signing and encryption, so it also counts as a signing key. If a signing key is found, remove it from the metadata and activate the service provider again by uploading the edited metadata.

  • If the error persists for unsigned SAML requests even after adding Compatibility Flags: AuthnRequestValidate in the SSO Management Application, check that the value of the Issuer element in the SAML AuthnRequest matches the entityID attribute of the SP's SAML metadata. A mismatch between these two values causes the same error.
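The checks above (no signing key in the SP metadata, Issuer matching entityID, and a requested ACS URL that is actually registered) can be run offline before touching the SSO configuration. The following script is an added example, not Ubisecure code; the SP metadata, the AuthnRequest and all URLs in it are constructed for illustration, and the function names are the author's own. It also strips signing keys from metadata the way the steps above describe (a KeyDescriptor without a use attribute is narrowed to encryption rather than deleted, so the SP keeps its encryption key) and decodes a SAMLRequest from the HTTP-Redirect binding so a request captured from a browser can be inspected.

```python
"""Pre-flight checks for an unsigned SAML AuthnRequest against SP metadata."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():          # keep md:/ds: prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

# Constructed SP metadata: publishes a signing key AND an encryption key.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>dummy</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>dummy</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed unsigned AuthnRequest whose Issuer matches the entityID above.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://idp.example.org/sso"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com/saml</saml:Issuer>
</samlp:AuthnRequest>"""


def signing_keys(metadata_xml: str) -> list:
    """Return the KeyDescriptor elements that allow signing.

    A KeyDescriptor with no 'use' attribute may be used for both signing and
    encryption (SAML 2.0 metadata spec), so it counts as a signing key too.
    """
    root = ET.fromstring(metadata_xml)
    return [kd for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", "both") in ("signing", "both")]


def strip_signing_keys(metadata_xml: str) -> str:
    """Return metadata with signing keys removed; encryption keys are kept."""
    root = ET.fromstring(metadata_xml)
    for sp in root.iterfind(".//md:SPSSODescriptor", NS):
        for kd in list(sp.findall("md:KeyDescriptor", NS)):
            use = kd.get("use")
            if use == "signing":
                sp.remove(kd)
            elif use is None:                 # dual-use key: keep it for encryption only
                kd.set("use", "encryption")
    return ET.tostring(root, encoding="unicode")


def encode_redirect_request(xml: str) -> str:
    """Encode an AuthnRequest as a SAMLRequest value for the HTTP-Redirect binding
    (raw DEFLATE, then base64; URL-encoding of the result is left to the caller)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_request(saml_request_param: str) -> str:
    """Decode a URL-decoded SAMLRequest parameter from the HTTP-Redirect binding.
    (The HTTP-POST binding is base64 only, without DEFLATE.)"""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def check_unsigned_request(authn_request_xml: str, metadata_xml: str) -> list:
    """Return the reasons an unsigned AuthnRequest would be rejected (empty = OK)."""
    problems = []
    req = ET.fromstring(authn_request_xml)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["not a samlp:AuthnRequest"]
    md = ET.fromstring(metadata_xml)
    entity_id = md.get("entityID")
    issuer_el = req.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if issuer != entity_id:                   # the second cause described on this page
        problems.append("Issuer %r does not match metadata entityID %r" % (issuer, entity_id))
    if req.find("ds:Signature", NS) is None and signing_keys(metadata_xml):
        problems.append("request is unsigned but metadata publishes a signing key")
    # An unsigned request cannot prove who sent it, so only honour ACS URLs from metadata.
    acs = req.get("AssertionConsumerServiceURL")
    registered = {a.get("Location") for a in md.iterfind(".//md:AssertionConsumerService", NS)}
    if acs is not None and acs not in registered:
        problems.append("AssertionConsumerServiceURL %r is not registered in metadata" % acs)
    return problems


if __name__ == "__main__":
    print(check_unsigned_request(AUTHN_REQUEST, SP_METADATA))
    print(check_unsigned_request(AUTHN_REQUEST, strip_signing_keys(SP_METADATA)))
```

Run it against the constructed data and the first call reports the signing key; after strip_signing_keys the same request passes, which is the state the page says the SP metadata must be in before an unsigned request can be accepted. To inspect a real request, take the SAMLRequest query parameter from the browser's redirect to the IdP, URL-decode it and pass it to decode_redirect_request.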