Australian Access Federation Support Desk

Unable to locate satisfiable bearer SubjectConfirmation in assertion

by Dean Nottingham

User sees IdP logging such as:
2010-05-25 14:36:12 ERROR OpenSAML.SecurityPolicyRule.BearerConfirmation [5]: bearer confirmation failed with recipient mismatch
2010-05-25 14:36:12 WARN Shibboleth.SSO.SAML2 [5]: detected a problem with assertion: Unable to locate satisfiable bearer SubjectConfirmation in assertion.

Cause:

This relates directly to SSL offloading via Layer 7 switches or similar.

An example subject confirmation:

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Address="131.181.125.115" InResponseTo="_1253d4aadec1143fe542a6adfbd06206" NotOnOrAfter="2010-05-25T06:09:49.050Z" Recipient="https://mysqp.example.com.au/Shibboleth.sso/SAML2/Artifact"/>
</saml:SubjectConfirmation>

The Recipient value the IdP sends is built from the SP's entityID, 'https://mysqp.example.com.au'. Because of the SSL offloading, the local shibboleth daemon sees a plain HTTP request and builds its comparison string as 'http://mysqp.example.com.au' (note the missing 's'). The two obviously don't match, so the bearer confirmation fails and the assertion is discarded.

So how do you fix it?

See the Apache documentation for ServerName: http://httpd.apache.org/docs/2.2/mod/core.html#servername

You'll need to change the "ServerName" entry in your Apache configuration so that it carries the https scheme:
FROM: ServerName http://mysp.example.com.au
TO: ServerName https://mysp.example.com.au
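To make the cause and the fix concrete, here is an added example (not Shibboleth or OpenSAML code, and not part of the original article) that models the SP's bearer SubjectConfirmation check: it builds the URL the SP would compare against, from the ServerName value and the scheme of the connection Apache actually received, then checks Recipient, InResponseTo and NotOnOrAfter the way the BearerConfirmation rule does. The SubjectConfirmation XML is the one from the article; the wrapping Subject element, the clock value, the request ID used as "outstanding" and the simplified ServerName model are constructed assumptions for this example.

```python
"""
Added example (not Shibboleth/OpenSAML code): a simplified model of the
bearer SubjectConfirmation check an SP performs, showing why SSL offloading
produces "recipient mismatch" and why a ServerName with an https scheme
cures it.  The SubjectConfirmation XML is the article's; the Subject wrapper,
clock values and request parameters are constructed for this example.
"""
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ENDPOINT_PATH = "/Shibboleth.sso/SAML2/Artifact"

# Constructed Subject wrapper around the article's SubjectConfirmation.
SUBJECT_XML = f"""
<saml:Subject xmlns:saml="{SAML_NS}">
  <saml:SubjectConfirmation Method="{BEARER}">
    <saml:SubjectConfirmationData Address="131.181.125.115"
        InResponseTo="_1253d4aadec1143fe542a6adfbd06206"
        NotOnOrAfter="2010-05-25T06:09:49.050Z"
        Recipient="https://mysqp.example.com.au{ENDPOINT_PATH}"/>
  </saml:SubjectConfirmation>
</saml:Subject>
""".strip()


def comparison_url(server_name, connection_scheme, path):
    """URL the SP builds for the request it received (simplified Apache model).

    If ServerName carries a scheme (e.g. 'https://host') that scheme is used;
    otherwise the scheme of the connection Apache actually saw is used, which
    behind an SSL offloader is plain 'http'.
    """
    if "://" in server_name:
        scheme, host = server_name.split("://", 1)
    else:
        scheme, host = connection_scheme, server_name
    return f"{scheme}://{host}{path}"


def parse_saml_time(value):
    """Parse a UTC xs:dateTime, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAML time: {value!r}")


def check_bearer_confirmation(subject_xml, expected_recipient,
                              expected_in_response_to, now):
    """Return (ok, reason). A bearer confirmation is satisfiable only when
    Recipient, InResponseTo and NotOnOrAfter all check out; the first one
    that passes every check wins, otherwise the last failure is reported."""
    root = ET.fromstring(subject_xml)
    reason = "no bearer SubjectConfirmation present"
    for conf in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        if conf.get("Method") != BEARER:
            continue
        data = conf.find(f"{{{SAML_NS}}}SubjectConfirmationData")
        if data is None:
            reason = "bearer confirmation has no SubjectConfirmationData"
            continue
        if data.get("Recipient") != expected_recipient:
            reason = (f"recipient mismatch: assertion says "
                      f"{data.get('Recipient')!r}, SP computed "
                      f"{expected_recipient!r}")
            continue
        if data.get("InResponseTo") != expected_in_response_to:
            reason = "InResponseTo does not match the outstanding request"
            continue
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            reason = "bearer confirmation expired (NotOnOrAfter)"
            continue
        return True, "ok"
    return False, f"Unable to locate satisfiable bearer SubjectConfirmation: {reason}"


if __name__ == "__main__":
    now = parse_saml_time("2010-05-25T06:00:00Z")   # constructed clock value
    req_id = "_1253d4aadec1143fe542a6adfbd06206"   # the outstanding request
    # Before the fix: ServerName without a scheme, offloader delivers plain HTTP.
    broken = comparison_url("mysqp.example.com.au", "http", ENDPOINT_PATH)
    print(broken, check_bearer_confirmation(SUBJECT_XML, broken, req_id, now))
    # After the fix: ServerName https://mysqp.example.com.au
    fixed = comparison_url("https://mysqp.example.com.au", "http", ENDPOINT_PATH)
    print(fixed, check_bearer_confirmation(SUBJECT_XML, fixed, req_id, now))
```

Run it and the first line reports the recipient mismatch from the article's log, the second reports "ok". The ServerName model is deliberately simplified: real Apache only honours the scheme and host from ServerName for self-referential URLs when UseCanonicalName is On, so check that setting in the same virtual host when applying the fix above.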
