Ticket validation error SAMLValidationException decodeRequest in SAML Request message
If a Ticket Validation Error is shown to the user and the SSO diag log shows the following error:
SingleSignOnServlet: protocol.TicketProtocolException: Ticket validation error: com.ubisecure.saml2.core.SAMLValidationException: decodeRequest: urn:oasis:names:tc:SAML:2.0:status:Requester, urn:oasis:names:tc:SAML:2.0:status:RequestDenied
then increase the logging level of the server to show more information.
This error may indicate incorrectly encoded SAML messages, or correctly decoded SAML messages that do not comply with the SAML XML schema.
Examples of errors in a SAML request are:
Invalid encoding
Caused by: java.util.zip.ZipException: invalid code lengths set
The SAML request is not encoded correctly using DEFLATE and base64 encoding. See section 3.4.4.1, DEFLATE Encoding, of the SAML bindings specification: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
Invalid id format
Caused by: com.ubisecure.saml2.core.SAMLValidationException: decodeRequest: urn:oasis:names:tc:SAML:2.0:status:Requester, urn:oasis:names:tc:SAML:2.0:status:RequestDenied
Caused by: org.xml.sax.SAXParseException; lineNumber: 6; columnNumber: 106; cvc-datatype-valid.1.2.1: '4edd09f7-553e-4478-b33f-47922981c376' is not a valid value for 'NCName'.
In the NCName datatype, the first character of the ID value cannot be a digit. Changing it to an alphabetic character or underscore resolves the issue.
Incorrect dateTime format
The value IssueInstant="2022-05-30T06:47:59" is missing a timezone component. Adding a Z to the end to indicate GMT resolves the issue. For example, changing the value to IssueInstant="2022-05-30T06:47:59Z" allows it to be processed. The SAML specification is ambiguous in this regard: all of its examples use the Z format to express the time zone, even though the text states that a time zone is not to be used. This is believed to be an error in the text, which was meant to say that a time zone offset is not to be used. OASIS technical committee members have acknowledged the discrepancy, but no errata have been issued.
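To check a request for the three problems above before sending it to the server, the following added example (not part of the original article or of the product) decodes a URL-decoded SAMLRequest value and reports each issue. The function names, the size cap, the ASCII-only NCName pattern and the sample AuthnRequest are assumptions made for illustration; the failing ID and IssueInstant values are the ones quoted above.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET

MAX_XML = 1 << 20  # cap on inflated size, so a hostile request cannot exhaust memory
# ASCII-only simplification of NCName: no leading digit, no colon
NCNAME = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")
UTC_INSTANT = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z")

# Constructed sample; ID and IssueInstant are the failing values quoted above
BAD_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="4edd09f7-553e-4478-b33f-47922981c376" Version="2.0" '
           'IssueInstant="2022-05-30T06:47:59"/>')
GOOD_XML = BAD_XML.replace('ID="4', 'ID="_4').replace(':59"', ':59Z"')

def encode_redirect(xml):
    """Raw DEFLATE (no zlib header), then base64: bindings section 3.4.4.1."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def check_saml_request(b64):
    """Return a list of problems found in a URL-decoded SAMLRequest value."""
    try:
        inflater = zlib.decompressobj(wbits=-15)
        raw = inflater.decompress(base64.b64decode(b64, validate=True), MAX_XML)
    except (ValueError, zlib.error) as exc:  # bad base64 or bad DEFLATE
        return [f"invalid encoding: {exc}"]
    if inflater.unconsumed_tail or not inflater.eof:
        return ["invalid encoding: truncated or larger than MAX_XML"]
    if b"<!DOCTYPE" in raw:  # SAML messages never need a DTD
        return ["DTD present, refusing to parse"]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if not NCNAME.fullmatch(root.get("ID", "")):
        problems.append("ID is not a valid NCName")
    if not UTC_INSTANT.fullmatch(root.get("IssueInstant", "")):
        problems.append("IssueInstant lacks a trailing Z")
    return problems

if __name__ == "__main__":
    print(check_saml_request(encode_redirect(BAD_XML)))
    # base64 without DEFLATE: the "Invalid encoding" case
    print(check_saml_request(base64.b64encode(BAD_XML.encode()).decode()))
```

The second call passes base64 of the plain XML with no DEFLATE step, which fails at the inflate stage in the same way as the ZipException shown under Invalid encoding.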