When login library from ADFS using SAML authentication, below error shows:
“Authentication Error: Your login has been denied by the system.”
There is below entry in SSO log:
{"@timestamp":"2023-03-09T13:44:39.385Z","@version":"1","message":"RestError [code=ERR003, iServerErrorCode=0, message=Login failed, httpStatusCode=401, ticketId=5206e602e77e465fa26a295098775611]","logger_name":"com.Strategy.auth.saml.SAMLLoginFailureHandler","thread_name":"https-openssl-nio-8443-exec-7","level":"ERROR","level_value":40000,"stack_trace":"org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException: No assertions found in response.urn:oasis:names:tc:SAML:2.0:status:Responder
This is due to we upgraded org.opensaml from v2.6.7 to v.4.1.0 and replaced the spring-security-saml2-core framework with the newer, more secure, spring-security-saml2-service-provider v5.5.3 since Strategy 2021 Update 4.
While signed assertion is a must-have for v5.5.3, see here:
https://docs.spring.io/spring-security/site/docs/5.3.3.RELEASE/reference/html5/#servlet-saml2-login-feature-set
13.1.3. Saml 2 Login - Current Feature Set
3. Requires the assertion to be signed unless the response is signed.
Add
WantAuthnRequestsSigned="true"in IdPMetadata.xml:
See more here: https://www2.Strategy.com/producthelp/current/SystemAdmin/WebHelp/Lang_1033/Content/saml_sign_auth_requests.htm