
SAML2 federation fails with an Invalid Assertion Consumer Location specified error in Identity Cloud or AM (All versions)

Last updated Jul 8, 2021

The purpose of this article is to provide assistance if the SAML2 federation flow fails with an "Unable to obtain SAML response com.sun.identity.saml2.common.SAML2Exception: Invalid Assertion Consumer Location specified" error in Identity Cloud or AM.


Symptoms

When Identity Cloud or AM is acting as the hosted service provider (SP), the SAML federation flow fails upon receiving the SAML response with a 500 Internal Server Error and you will see the following message in the browser:

Server Error An error occurred on the server and it is unable to complete the request. Please try again later.

You will see the following error in the Identity Cloud debug logs when this happens:

{"context"=>"default", "level"=>"DEBUG", "logger"=>"com.sun.identity.saml.common.SAMLUtils", "message"=>"SAMLUtils.sendError: error page /saml2/jsp/saml2error.jsp", "thread"=>"http-nio-8080-exec-1", "timestamp"=>"2021-06-10T11:07:41.597Z", "transactionId"=>nil}

{"context"=>"default", "exception"=>
"com.sun.identity.saml2.common.SAML2Exception: Invalid Assertion Consumer Location specified\n" +
"\tat com.sun.identity.saml2.common.SAML2Utils.verifyAssertionConsumerServiceLocation(SAML2Utils.java:4176)\n" +
"\tat com.sun.identity.saml2.profile.SPACSUtils.getResponse(SPACSUtils.java:182)\n" +
"\tat org.forgerock.am.saml2.impl.Saml2Proxy.getUrl(Saml2Proxy.java:155)\n" +
"\tat org.forgerock.am.saml2.impl.Saml2Proxy.processSamlResponse(Saml2Proxy.java:106)\n" +
"\tat org.apache.jsp.saml2.jsp.saml2AuthAssertionConsumer_jsp._jspService(saml2AuthAssertionConsumer_jsp.java:119)\n" + ...
"level"=>"ERROR", "logger"=>"org.forgerock.am.saml2.impl.Saml2Proxy", "message"=>"SAML2Proxy: Unable to obtain SAML response", "thread"=>"http-nio-8080-exec-1", "timestamp"=>"2021-06-10T11:07:41.598Z", "transactionId"=>nil}

"org.apache.jasper.JasperException: An exception occurred processing [/saml2/jsp/saml2AuthAssertionConsumer.jsp] at line [30]\n" + "\n"

You will see the following error in the AM Authentication debug log when this happens:

o.f.a.s.i.Saml2Proxy: 2021-06-10 11:07:24,273: Thread[https-jsse-nio-8443-exec-9]: TransactionId[] ERROR: SAML2Proxy: Unable to obtain SAML response com.sun.identity.saml2.common.SAML2Exception: Invalid Assertion Consumer Location specified
[CONTINUED] at com.sun.identity.saml2.common.SAML2Utils.verifyAssertionConsumerServiceLocation(SAML2Utils.java:4176)
[CONTINUED] at com.sun.identity.saml2.profile.SPACSUtils.getResponse(SPACSUtils.java:182)
[CONTINUED] at org.forgerock.am.saml2.impl.Saml2Proxy.getUrl(Saml2Proxy.java:155)
[CONTINUED] at org.forgerock.am.saml2.impl.Saml2Proxy.processSamlResponse(Saml2Proxy.java:106)
[CONTINUED] at org.apache.jsp.saml2.jsp.saml2AuthAssertionConsumer_jsp._jspService(saml2AuthAssertionConsumer_jsp.java:119)

You will see the following failed status in the AM access.audit.json log:

"request":{"protocol":"SAML2","operation":"spAssertionConsumer"},"timestamp":"2021-06-10T11:12:28.641Z","eventName":"AM-ACCESS-OUTCOME","response":{"status":"FAILED","statusCode":null,"elapsedTime":1127,"elapsedTimeUnits":"MILLISECONDS","detail":{"reason":"Invalid Assertion Consumer Location specified"}}

Recent Changes

Changed the Base URL Source service configuration.

Updated the Assertion Consumer Service Location URLs.

Upgraded to, or installed, AM 6.5.3 or later.

Causes

This error can happen for a number of reasons, including, but not limited to:

  • Identity Cloud and later versions of AM check that the URLs specified in the Assertion Consumer Service exactly match the SP's scheme, FQDN and port for improved security. If the URL does not exactly match, the SAML flow fails with the Invalid Assertion Consumer Location specified error. This check is only performed when Identity Cloud or AM is acting as the hosted SP.

See Release Notes › Important Changes in AM 6.5.3 (SAML v2.0 Assertion Consumer Service URLs Must Exactly Match) for further information.

  • The Assertion Consumer Service URL includes a query parameter. This is a known issue: OPENAM-16881 (SAML federation library stopped supporting ACS URLs with query parameters), which is resolved in AM 7.0.2.
  • The location of the Assertion Consumer Service is incorrect.
  • Identity Cloud or AM is not configured to accept requests from the Assertion Consumer Service hostname.
  • AM is behind a load balancer or reverse proxy, which is doing SSL Offloading.

There is a known issue with logging in earlier AM versions, which means this error is shown without additional context: OPENAM-16998 (Poor logging around failures "Invalid Assertion Consumer Location specified"). Logging is improved in AM 7.0.2.

Solution

This issue can be resolved by ensuring your configuration is correct:

  1. Navigate to the Assertion Consumer Service:
    • Identity Cloud console: Native Consoles > Access Management > Applications > Federation > Entity Providers > [Service Provider Name] > Services > Assertion Consumer Service.
    • AM console: Realms > [Realm Name] > Applications > Federation > Entity Providers > [Service Provider Name] > Services > Assertion Consumer Service.
  2. Check the Assertion Consumer Service URLs match the SP's scheme, FQDN and port. Typically, the URLs are correct but may be missing the port, which is required. If you are using a default port (443 or 80), you should still specify it to ensure the URLs match (unless you are using AM 7.0.2 and later, which assumes default ports if they're not specified).
  3. Check your URLs do not include any query parameters on AM versions earlier than 7.0.2. If they do, you need to replace them, using URL rewriting or similar.
  4. Check the location of the Assertion Consumer Service is correct depending on how you have implemented SSO and SLO:
    • If you are using journeys in Identity Cloud, or trees or chains in AM (Integrated Mode), the location of the HTTP-Artifact consumer service should use AuthConsumer (instead of the default Consumer).
    • If you are using JSP pages (Standalone Mode) in AM, the location of the HTTP-Artifact consumer service should use Consumer (default location).

See Implementing SAML v2.0 Single Sign-On in Integrated Mode (Journeys), AM SSO and SLO in Integrated Mode and AM SSO and SLO in Standalone Mode for further information.

  5. Check the Base URL Source service is configured correctly to accept requests from the hostname specified in the Assertion Consumer Service URL:
    • Identity Cloud console: navigate to: Native Consoles > Access Management > Services > Base URL Source.
    • AM console: navigate to: Realms > [Realm Name] > Services > Base URL Source.

See Configuring the Base URL Source Service for further information.

  6. Share your updated metadata, if needed, with the IdP by exporting the metadata to an XML file or by providing a URL as detailed in How do I export and import SAML2 metadata in Identity Cloud? or How do I export and import SAML2 metadata in AM (All versions)?

Note

If AM is behind a load balancer or reverse proxy, which is doing SSL offloading, you must configure Apache Tomcat™ and the Base URL Source Service appropriately to honor the X-Forwarded-Proto header set by the load balancer or proxy. See AM (All versions) redirects to HTTP when deployed on Apache Tomcat with a load balancer doing SSL/TLS offloading for further information. Additionally, you should ensure your load balancer or proxy is configured to add the X-Forwarded-Proto header to the request.
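The following Python helper is an added example, not ForgeRock's code and not something AM exposes; it models the checks in steps 2, 3 and 5 and the SSL-offloading note above so you can pre-flight an SP's Assertion Consumer Service URLs offline before the next federation attempt. It reproduces the behaviour the article describes (scheme, FQDN and port must match the SP exactly; default ports are only assumed from AM 7.0.2; query parameters are rejected before 7.0.2). The function names, the sample ACS URLs and the assumption that an https request forwarded by a TLS-offloading proxy resolves to port 443 are mine, not taken from the article.

```python
"""
Offline pre-flight check that mirrors the ACS URL validation described in the
article (hypothetical helper, not AM's own code): every Assertion Consumer
Service location must agree with the hosted SP's scheme, FQDN and port, and
ACS URLs must carry no query string on AM versions earlier than 7.0.2.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_base_url(request_url, headers=None, honor_forwarded_proto=False):
    """Return (scheme, host, port) as the SP would compute its own base URL.

    `request_url` is the URL the servlet container saw. Behind a load balancer
    that offloads TLS, its scheme is 'http' even though the client used
    'https'. When `honor_forwarded_proto` is True (modelling the Tomcat /
    Base URL Source configuration the article's note refers to), the
    X-Forwarded-Proto header overrides the scheme and the port falls back to
    that scheme's default (assumption: the proxy listens on 443 for https).
    """
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    parts = urlsplit(request_url)
    scheme, host, port = parts.scheme.lower(), (parts.hostname or "").lower(), parts.port
    if honor_forwarded_proto and "x-forwarded-proto" in headers:
        forwarded = headers["x-forwarded-proto"].split(",")[0].strip().lower()
        if forwarded != scheme:
            scheme = forwarded
            port = None  # the port in the request belonged to the offloaded hop
    return scheme, host, port if port is not None else DEFAULT_PORTS[scheme]


def check_acs_urls(acs_urls, base, assume_default_ports=False, allow_query=True):
    """Compare each ACS URL with `base` = (scheme, host, port).

    Returns a list of (url, reason) findings; an empty list means every
    location passes. `assume_default_ports=True` models AM 7.0.2+, which
    fills in 80/443 when the port is absent; `allow_query=False` models the
    pre-7.0.2 behaviour that rejects query parameters (OPENAM-16881).
    """
    scheme, host, port = base
    findings = []
    for url in acs_urls:
        p = urlsplit(url)
        if p.scheme.lower() != scheme:
            findings.append((url, f"scheme {p.scheme!r} != SP scheme {scheme!r}"))
            continue
        if (p.hostname or "").lower() != host:
            findings.append((url, f"host {p.hostname!r} != SP host {host!r}"))
            continue
        acs_port = p.port
        if acs_port is None:
            if assume_default_ports:
                acs_port = DEFAULT_PORTS.get(p.scheme.lower())
            else:
                findings.append((url, "port missing; specify it explicitly on AM < 7.0.2"))
                continue
        if acs_port != port:
            findings.append((url, f"port {acs_port} != SP port {port}"))
            continue
        if p.query and not allow_query:
            findings.append((url, "query parameters are rejected before AM 7.0.2 (OPENAM-16881)"))
    return findings


# Constructed sample: an SP at sp.example.com reached through a TLS-offloading
# proxy, with four candidate ACS locations of which only the first is valid.
SAMPLE_ACS_URLS = [
    "https://sp.example.com:443/am/AuthConsumer/metaAlias/sp",
    "https://sp.example.com/am/Consumer/metaAlias/sp",            # port missing
    "https://sp.example.com:443/am/AuthConsumer/metaAlias/sp?x=1",  # query string
    "http://sp.example.com:8080/am/Consumer/metaAlias/sp",        # wrong scheme/port
]


def run_sample():
    """Evaluate the constructed sample as a pre-7.0.2 AM would."""
    base = effective_base_url(
        "http://sp.example.com:8080/am/Consumer/metaAlias/sp",
        {"X-Forwarded-Proto": "https"},
        honor_forwarded_proto=True,
    )
    return base, check_acs_urls(SAMPLE_ACS_URLS, base,
                                assume_default_ports=False, allow_query=False)


if __name__ == "__main__":
    base, findings = run_sample()
    print("SP base URL as seen by AM:", base)
    for url, reason in findings:
        print(f"FAIL {url}: {reason}")
```

Run it with `honor_forwarded_proto=False` to see the effect of the misconfiguration in the note: the base URL then resolves to `http` on port 8080 and every `https` ACS location fails the scheme check, which is exactly the symptom of a proxy doing SSL offloading without X-Forwarded-Proto being honoured.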

See Also

Identity Cloud Implementing SSO and SLO

AM Implementing SSO and SLO

Related Training

N/A

Related Issue Tracker IDs

OPENAM-17675 (Improve guidance around SAML2 ACS validation)

OPENAM-16998 (Poor logging around failures "Invalid Assertion Consumer Location specified")

OPENAM-16988 (accessedEndpoint including port causes verify Assertion Consumer URL to fail)

OPENAM-16881 (SAML federation library stopped supporting ACS URLs with query parameters)

OPENIG-5405 (Provide access to the originalUri value when processing SAML2 requests)



Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.