SAML authentication is failing due to invalid field format in SAML assertion. NetScaler is acting as IDP and SP is PingFederate


Article ID: CTX222546


Description

SAML authentication is failing due to invalid field format in SAML assertion.

Resolution

There is no workaround for this issue. The solution is to upgrade the NetScaler firmware to one of the versions below, which contain the fix.

User-added image

Problem Cause

SAML authentication is failing due to an invalid field format in the SAML assertion. NetScaler is acting as the IdP and PingFederate is the SP.
When sending custom attributes from the SAML IdP, we send the xmlns declaration for xsi and xsi:type="xs:string" to specify the attribute type. However, PingFederate complains that "xs" is undefined.
In internal testing, "xs" was always removed during canonicalization when tested with ShareFile and samltool.com.
So we are now removing the xsi xmlns from the attribute definition, as the SAML 2.0 spec does not mandate sending it. It says the IdP MAY send it.
Tested with ShareFile, NS SP, and samltool.com.
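
The following check is an added example, not Citrix code. It scans an assertion for xsi:type values whose QName prefix (such as "xs") has no namespace declaration in scope, which is the condition PingFederate rejects. The function name and the sample assertions are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def unbound_xsi_type_prefixes(xml_text):
    """Return (element tag, xsi:type value) pairs whose QName prefix is not
    bound by any xmlns declaration in scope at that element."""
    scope = []        # (prefix, uri) declarations currently in scope
    per_element = []  # how many declarations each open element added
    pending = 0       # declarations seen since the previous start tag
    problems = []
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":       # emitted before the declaring element
            scope.append(payload)
            pending += 1
        elif event == "start":
            per_element.append(pending)
            pending = 0
            value = payload.get(XSI_TYPE)
            if value and ":" in value:
                prefix = value.split(":", 1)[0]
                if prefix not in {p for p, _ in scope}:
                    problems.append((payload.tag, value))
        else:                         # "end": drop this element's declarations
            added = per_element.pop()
            if added:
                del scope[-added:]
    return problems

# Constructed sample assertions (not captured from a real IdP).
TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"{root_ns}>'
    '<saml:AttributeStatement><saml:Attribute Name="mail">'
    '<saml:AttributeValue{value_attrs}>user@example.com</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
)
XSI_ATTRS = (' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
             ' xsi:type="xs:string"')
# xsi declared but "xs" not: the failing shape described above.
BAD = TEMPLATE.format(root_ns="", value_attrs=XSI_ATTRS)
# Same attribute with xmlns:xs also declared on the root element.
DECLARED = TEMPLATE.format(
    root_ns=' xmlns:xs="http://www.w3.org/2001/XMLSchema"', value_attrs=XSI_ATTRS)
# Shape after the fix: no xsi declaration or type on the attribute value.
FIXED = TEMPLATE.format(root_ns="", value_attrs="")

if __name__ == "__main__":
    for name, doc in (("BAD", BAD), ("DECLARED", DECLARED), ("FIXED", FIXED)):
        print(name, unbound_xsi_type_prefixes(doc))
```

For assertions received from an untrusted party, run the same logic over a hardened XML parser rather than the standard-library one used here.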