SAML SP for Java reports handshake_failure during logout

Problem

SAML SP fails during logout with the following error:

com.ubisecure.saml2.sp.ServiceProviderException: INTERNAL_ERROR: com.ubisecure.saml2.core.SAMLException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Solution

This error indicates that the SP tries to do a back-channel logout using the SOAP SingleLogoutEndpoint described in the IDP metadata of Ubisecure SSO, but fails to complete the SSL/TLS handshake. The cause is that the SAML SP for Java component uses SSLv3 when initiating the back-channel connection for the logout; as SSLv3 is now obsolete, many servers refuse to negotiate it and abort the handshake instead.


The workaround is to disable the back-channel logout functionality:

  1. Set LiteNoBackChannel compatibility flag in the Ubisecure SSO Management
  2. Restart Ubisecure SSO
  3. Copy the new IDP metadata to the SP (replace \WEB-INF\saml2\sp\metadata\metadata.xml) and restart the Java servlet.
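After step 3, a quick way to confirm that the copied metadata no longer advertises a back-channel endpoint is to list the SingleLogoutService bindings it contains. The following Python script is an added example, not Ubisecure code; the sample metadata is constructed, and the script assumes (not stated above) that the new IDP metadata omits the SOAP-binding SingleLogoutService and keeps only front-channel bindings.

```python
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def logout_endpoints(metadata_xml: str) -> list[tuple[str, str]]:
    """Return (binding, location) for every SingleLogoutService in every IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    ns = {"md": MD_NS}
    out = []
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for slo in idp.findall("md:SingleLogoutService", ns):
            out.append((slo.get("Binding", ""), slo.get("Location", "")))
    return out


def soap_logout_endpoints(metadata_xml: str) -> list[str]:
    """Locations the SP would contact over the back channel (SOAP binding) during logout."""
    return [loc for binding, loc in logout_endpoints(metadata_xml) if binding == SOAP_BINDING]


# Constructed sample metadata (placeholder host, not real Ubisecure output): one IdP that
# advertises both a back-channel (SOAP) and a front-channel (HTTP-Redirect) logout endpoint.
METADATA_WITH_SOAP = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test/sso">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{SOAP_BINDING}" Location="https://idp.example.test/slo/soap"/>
    <SingleLogoutService Binding="{REDIRECT_BINDING}" Location="https://idp.example.test/slo/redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# The same IdP with the SOAP endpoint removed (assumed effect of the LiteNoBackChannel flag).
METADATA_WITHOUT_SOAP = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test/sso">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{REDIRECT_BINDING}" Location="https://idp.example.test/slo/redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    # Pass the path of the copied metadata.xml; with no argument, check the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else METADATA_WITH_SOAP
    soap = soap_logout_endpoints(text)
    for loc in soap:
        print(f"back-channel logout still advertised: {loc}")
    print("OK: no SOAP SingleLogoutService" if not soap else "metadata still enables back-channel logout")
```

If the script still lists a SOAP location after the metadata has been replaced, the SP will keep attempting the back-channel connection and the handshake_failure will recur.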