Ticket validation error SAMLValidationException decodeRequest in SAML Request message

If a Ticket Validation Error is shown to the user and the SSO diag log shows the following error:

SingleSignOnServlet: protocol.TicketProtocolException: Ticket validation error: com.ubisecure.saml2.core.SAMLValidationException: decodeRequest: urn:oasis:names:tc:SAML:2.0:status:Requester, urn:oasis:names:tc:SAML:2.0:status:RequestDenied

then increase the logging level of the server to show more information.

This error may indicate incorrectly encoded SAML messages, or correctly decoded SAML messages that do not comply with the SAML XML schema.

Examples of errors in a SAML request are:

Invalid encoding

Caused by: java.util.zip.ZipException: invalid code lengths set

The SAML request is not encoded correctly using DEFLATE and base64 encoding. See section 3.4.4.1, DEFLATE Encoding, in https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

Invalid id format

Caused by: com.ubisecure.saml2.core.SAMLValidationException: decodeRequest: urn:oasis:names:tc:SAML:2.0:status:Requester, urn:oasis:names:tc:SAML:2.0:status:RequestDenied
Caused by: org.xml.sax.SAXParseException; lineNumber: 6; columnNumber: 106; cvc-datatype-valid.1.2.1: '4edd09f7-553e-4478-b33f-47922981c376' is not a valid value for 'NCName'.

In the NCName datatype, the first character of the id value cannot be a number. Changing the first character to an alphabetic character or underscore resolves the issue.

Incorrect dateTime format

The value IssueInstant="2022-05-30T06:47:59" is missing a timezone component. Adding a Z to the end to indicate GMT resolves the issue. For example, changing the value to IssueInstant="2022-05-30T06:47:59Z" allows it to be processed. The SAML specification is ambiguous in this regard: all examples show the Z format for timezone expression, despite the text stating that time zone is not to be used. It is believed that the text is worded erroneously and is meant to say that a time zone offset is not to be used. OASIS technical committee members have acknowledged the discrepancy, but no errata have been issued.
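
A pre-flight check for the three errors above, run on a SAMLRequest value before it is sent. This is an added example, not Ubisecure code; the function names, the 1 MiB size cap, the DOCTYPE refusal and the ASCII-only NCName pattern are assumptions of the example.

```python
import base64
import re
import xml.etree.ElementTree as ET
import zlib

# ASCII-only approximation of the XML NCName rule (assumption: IDs are ASCII)
NCNAME = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")
# xs:dateTime carrying the trailing Z described above
INSTANT_Z = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d+)?Z")
MAX_XML = 1 << 20  # assumed cap on inflated size, guards against deflate bombs

# Constructed sample built from the two faulty values quoted in this article
BAD = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
       'Version="2.0" ID="4edd09f7-553e-4478-b33f-47922981c376" '
       'IssueInstant="2022-05-30T06:47:59"/>')
GOOD = BAD.replace('ID="4', 'ID="_4').replace(':59"', ':59Z"')


def encode_redirect(xml_text):
    """Raw DEFLATE (no zlib header) then base64, per bindings section 3.4.4.1."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def check_saml_request(param):
    """List problems in a SAMLRequest value that is already URL-decoded."""
    try:
        inflater = zlib.decompressobj(-15)  # -15 selects raw DEFLATE
        xml_bytes = inflater.decompress(base64.b64decode(param, validate=True), MAX_XML)
    except (ValueError, zlib.error) as exc:
        return [f"invalid encoding: {exc}"]
    if inflater.unconsumed_tail:
        return ["invalid encoding: inflated message exceeds size cap"]
    if b"<!DOCTYPE" in xml_bytes:
        return ["DOCTYPE present: refusing to parse"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if not NCNAME.fullmatch(root.get("ID", "")):
        problems.append("ID is not a valid NCName")
    if not INSTANT_Z.fullmatch(root.get("IssueInstant", "")):
        problems.append("IssueInstant is not a dateTime ending in Z")
    return problems


if __name__ == "__main__":
    for name, xml_text in (("bad", BAD), ("good", GOOD)):
        print(name, check_saml_request(encode_redirect(xml_text)))
```

A request that is base64-encoded without the DEFLATE step is reported as an invalid encoding, the same class of failure as the ZipException above.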