SP Not Authenticating When Accessing Assertion Retrieval Service
Symptom:
In an environment using SAML 2.0 artifact single sign-on, the Service Provider fails to authenticate when attempting to access the Artifact Resolution Service at the Identity Provider.
Error messages similar to the following appear in the Federation Web Service log file:
May 23, 2005 4:43:51.479 PM[31538514:E] SAML producer returned error http status code. HTTP return status: 401. Message: <HTML><HEAD><TITLE>401: Access Denied</TITLE></HEAD><BODY><H1>401: Access Denied</H1>
Proper authorization is required for this area. Either your browser does not perform authorization, or your authorization has failed.</BODY></HTML>
Solution:
The solution depends on the authentication method that is configured:
- If Basic authentication is configured, ensure that the Name and Password values specified in the Service Provider Properties dialog at the IdP match the Affiliate Name and Password values configured for the SAML 2.0 authentication scheme at the SP.
- If client certificate authentication is configured to protect the Artifact Resolution Service, ensure that the Service Provider's client certificate is valid and that it is in the Service Provider's AM.keystore database. Additionally, ensure that the Certificate Authority that issued the client certificate is in the Web server's own key database at the Identity Provider.
- If no authentication is configured, ensure that the Artifact Resolution Service URL is not protected.
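
As an added example (not part of this guide or of the product), the following Python script scans Federation Web Service log lines for the 401 entry shown under Symptom, including its continuation line, and pairs each hit with the check from the Solution list for the configured authentication mode. Reading the bracketed field as an id and severity letter, the mode keys `basic`/`cert`/`none`, and the last sample line are assumptions made for this example.

```python
import re
from datetime import datetime

# Header layout copied from the log entry quoted under Symptom. Reading the
# bracketed field as "[id:severity]" is an assumption.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M)"
    r"\[(?P<id>\d+):(?P<sev>[A-Z])\] ?(?P<text>.*)$")
STATUS = re.compile(r"SAML producer returned error http status code\. "
                    r"HTTP return status: (\d{3})")

# Solution list from this page; the keys are names chosen for this example.
CHECKS = {
    "basic": "Name/Password in Service Provider Properties at the IdP must match "
             "Affiliate Name/Password of the SAML 2.0 authentication scheme at the SP",
    "cert": "SP client certificate must be valid and present in AM.keystore; "
            "its issuing CA must be in the IdP Web server's key database",
    "none": "Artifact Resolution Service URL must not be protected",
}

# Sample input: the first two lines are the entry from this page, the last is constructed.
SAMPLE = [
    "May 23, 2005 4:43:51.479 PM[31538514:E] SAML producer returned error http status code. "
    "HTTP return status: 401. Message: <HTML><HEAD><TITLE>401: Access Denied</TITLE></HEAD>"
    "<BODY><H1>401: Access Denied</H1>",
    "Proper authorization is required for this area. Either your browser does not perform "
    "authorization, or your authorization has failed.</BODY></HTML>",
    "May 23, 2005 4:43:52.001 PM[31538514:I] constructed informational line",
]

def parse_entries(lines):
    """Group raw lines into entries; a line without a header continues the previous entry."""
    entries = []
    for line in lines:
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d, %Y %I:%M:%S.%f %p")
            entries.append({"time": ts, "id": m["id"], "sev": m["sev"], "text": m["text"]})
        elif entries:
            entries[-1]["text"] += "\n" + line
    return entries

def artifact_auth_failures(lines, auth_mode):
    """Return the 401 responses logged for artifact resolution, each with the matching check."""
    hits = []
    for e in parse_entries(lines):
        m = STATUS.search(e["text"])
        if m and m.group(1) == "401":
            hits.append({"time": e["time"], "status": 401, "text": e["text"],
                         "check": CHECKS[auth_mode]})
    return hits
```

Call `artifact_auth_failures(lines, mode)` with the lines of the log file and the mode configured for the Artifact Resolution Service; timestamp parsing assumes English month and AM/PM names.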