Australian Access Federation Support Desk

Unable to locate satisfiable bearer SubjectConfirmation in assertion

by Dean Nottingham

User sees IdP logging such as:
2010-05-25 14:36:12 ERROR OpenSAML.SecurityPolicyRule.BearerConfirmation [5]: bearer confirmation failed with recipient mismatch
2010-05-25 14:36:12 WARN Shibboleth.SSO.SAML2 [5]: detected a problem with assertion: Unable to locate satisfiable bearer SubjectConfirmation in


This relates directly to SSL offloading via Layer 7 switches or similar.

An example subject confirmation:

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml:SubjectConfirmationData Address="" InResponseTo="_1253d4aadec1143fe542a6adfbd06206" NotOnOrAfter="2010-05-25T06:09:49.050Z" Recipient=""/>
</saml:SubjectConfirmation>

The recipient the IdP is sending is an entityID of ''. Due to offloading, the local Shibboleth daemon is generating a comparison string of '' (note the lack of S). These obviously don't match, so the assertion is discarded.
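The comparison described above, modelled as an added example (not Shibboleth's own code and not part of the original article): the SP derives its own endpoint URL from the scheme, host and port it sees, then compares it with the bearer Recipient. The host sp.example.org, the handler path, the sample XML and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample; sp.example.org and the handler path are placeholders.
SAMPLE = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_constructed"
        Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""


def self_url(scheme, host, port, path):
    """URL the SP believes the request arrived at (default ports omitted)."""
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if port == default else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def check_bearer_recipient(subject_xml, sp_url):
    """Compare each bearer Recipient with sp_url; return a list of (ok, reason)."""
    results = []
    for sc in ET.fromstring(subject_xml).iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        recipient = data.get("Recipient", "") if data is not None else ""
        r, s = urlsplit(recipient), urlsplit(sp_url)
        if recipient == sp_url:
            results.append((True, "match"))
        elif (r.hostname, r.path) == (s.hostname, s.path) and r.scheme != s.scheme:
            results.append((False, f"scheme mismatch: IdP sent {r.scheme}, SP computed {s.scheme}"))
        else:
            results.append((False, "recipient mismatch"))
    return results


if __name__ == "__main__":
    path = "/Shibboleth.sso/SAML2/POST"
    # Behind the offloader the web server sees plain HTTP on port 80.
    print(check_bearer_recipient(SAMPLE, self_url("http", "sp.example.org", 80, path)))
    # Once the server reports the external scheme and port, the URLs agree.
    print(check_bearer_recipient(SAMPLE, self_url("https", "sp.example.org", 443, path)))
```

The first call reports a scheme mismatch and the second a match, which is the difference a corrected server name and scheme make on the SP side.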

So how to fix?

You'll need to change your "ServerName" entry
