Article

KB40726 - SAML authentication fails with "FAILURE: No valid assertion found in SAML response DetailedLogs:Assertion Signature Verification Failed." because the response signing certificate from the IdP (for example Microsoft Azure) changes periodically


Information

Last Modified Date: 6/29/2017 11:54 PM
Synopsis
This article describes an issue where SAML authentication fails and produces the message "FAILURE: No valid assertion found in SAML response DetailedLogs:Assertion Signature Verification Failed." in the event logs.
Problem or Goal
Recently, Microsoft Azure (the IdP) has been changing its response signing certificate every month. If the response signing certificate is not updated accordingly on the PCS device, the following error message is logged:
FAILURE: No valid assertion found in SAML response DetailedLogs:Assertion Signature Verification Failed.

The PCS device administrators will need to update the metadata manually on the PCS device and choose the new certificate under the SAML Auth server instance.
Cause
This issue can occur when one of the following conditions is met:
  • The uploaded response signing certificate is expired or incorrect
  • An out-of-date or older metadata file has been downloaded to the Pulse Connect Secure device
Solution
To resolve this issue, perform the following steps:
  1. Log in to the admin console
  2. Navigate to Configuration > SAML
  3. Under Metadata Provider, check the metadata location and confirm whether it is set to Remote or Local
  4. If it is Local, click New Metadata Provider
  5. In the Name field, enter a friendly name
  6. For Location, select the Remote radio button
  7. In the Download URL field, enter the federation URL from which the metadata is downloaded. For example: "https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml"
  8. Navigate to Configuration > SAML
  9. Click Settings
  10. In the Validity of uploaded/downloaded Metadata file field, enter 1 day
  11. Navigate to Authentication > Auth Servers > SAML Auth server
  12. Under SSO Method, do not choose any certificate for Response signing certificate. If no certificate is selected, the certificate from the metadata downloaded from Microsoft Azure will be used to verify the signature on the SAML response, so a rotated certificate is picked up automatically at the next metadata refresh.
Note: Make sure that the firewall rules and routing on the network allow the PCS device to reach Microsoft Azure to download the metadata.
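The following is an added check, not code from the original article or from Pulse Secure: it parses IdP federation metadata of the kind served at the FederationMetadata.xml URL above, lists the published signing certificates by fingerprint, and reports whether a certificate pinned on the SP (as in step 12 when a certificate is selected) is still among them. The metadata and certificate blobs are constructed placeholders, not real Azure data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata with two signing keys (an IdP may publish the
# current and the upcoming certificate during a rollover). The base64 blobs
# are placeholders, not real X.509 certificates.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/PLACEHOLDER-TENANT-ID/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert1}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert2}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(
    cert1=base64.b64encode(b"constructed-signing-cert-2017-06").decode(),
    cert2=base64.b64encode(b"constructed-signing-cert-2017-07").decode(),
)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form shown by most admin UIs."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_cert_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every IdP signing certificate in the metadata.
    A KeyDescriptor without a 'use' attribute may sign or encrypt, so it counts too."""
    root = ET.fromstring(metadata_xml)
    result = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip PEM-style wrapping
            result.append(fingerprint(der))
    return result


def pinned_cert_still_valid(pinned_fp: str, metadata_xml: str) -> bool:
    """True if the certificate pinned on the SP is still published by the IdP."""
    return pinned_fp.upper() in signing_cert_fingerprints(metadata_xml)
```

Run against freshly downloaded metadata on a schedule; a False result means the pinned certificate has rotated out and the SAML Auth server will start producing the signature verification failure above.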
Created By: Rajkumar Tamilarasan
