SSO fails with invalidsso error on update of new Idp metedata

While setting up sso sometime you may get invalidsso error, This is generic error and can occur due to multiple reasons of saml response validation failure and most common reasons are:

  1. User email returned doesn’t match with user present in harness.
  2. The response was correct but saml Issuer and Referer was diffrent

Capturing SAML tracer while performing login will help us to isolate the issue, You can use chrome extension to capture the saml trace

Once SAML trace is captured you can review that using any editor, so below is one of the sample saml trace:

<saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">[email protected]</saml:NameID>
<saml:Attribute Name=\"Email_Address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\"><saml:AttributeValue xsi:type=\"xs:string\">[email protected]</saml:AttributeValue></saml:Attribute>

You can review the email and other details if that looks good but still you are seeing the invalidsso then you can check the actual response and search for invalidsso in saml trace and compare the Issuer and Referer url to check if both matches as both can be different and this commonly happen if your Idp is using vanity url or behind any proxy.

Saml response invalidsso error:

 "get": [ [
          "errorCode",
          "invalidsso"
        ]],
 {
          "name": "Referer",
          "value": "https://vanityurl.com/"
}
<saml:Issuer>https://IdpUrlInMetadata/saml2/sp/ID/metadata</saml:Issuer>

If you download the metadata from any provider(Single Sign-On (SSO) with SAML - Harness.io Docs) that will have Issuer and Referer url as same. But as per saml trace we have seen both are diffrent then you need to update the metadata file manually.

Below is sample metadata file

<md:EntityDescriptor xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
**entityID="https://Issuer/saml2/sp/ID/metadata">**
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>....trimmed......
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    **<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://Issuer/saml2/sp/ID/sso"/>**
**    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://Issuer/saml2/sp/ID/sso"/>**
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

So as you can see it has Issuer address in both entity as well as binding location.

So to fix above Issuer/Referer mismatch issue, you need to update the binding location as referrer address and entity as Issuer(Which will ideally correct by default), so updated metadata file will look something like below:

<md:EntityDescriptor xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
**entityID="https://Issuer/saml2/sp/ID/metadata">**
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>....trimmed......
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    **<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://Referer/saml2/sp/ID/sso"/>**
**    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://Referer/saml2/sp/ID/sso"/>**
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Once you have updated the metadata, save this and try uploading this new metadata file and test the behaviour

2 Likes