
WSO2 Identity Server fails to perform authentication SAML2.0 consumer URL not reachable

We are using WSO2 Identity Server 4.6.0 for SAML 2.0 based Single Sign-On.

The authentication was working fine when the Assertion Consumer URL of the service provider was directly "accessible" (network connectivity) from the WSO2 IS node.

However, I get an error if I register a new Service Provider with an Assertion Consumer URL which is not directly reachable from the Identity Provider (WSO2 IS), but is accessible from the requesting user agent, i.e. the browser.

  • The User Agent request gets redirected to the WSO2 IS (login.do?SAMLRequest=nZP... )

  • But the POST /commonauth failed with the following returned Status code 302 and Location header Location: authenticationendpoint/samlsso_notification.do?status=Error when processing the authentication request!&statusMsg=The message was not recognized by the SAML 2.0 SSO Provider. Please check the logs for more details

For example, the Assertion Consumer URL provisioned was referring to a private IP address only accessible from the requesting browser.

I also tried to provide a hostname instead without success.

Below is the error we get from the WSO2 IS logs:

TID: [0] [IS] [2014-06-10 17:54:52,344] ERROR {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - The value of sessionDTO is null. This could be due to the hostname settings {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}

From the browser :

SAML2.0 based Single Sign On

Any idea why the authentication request failed and why the SSO provider complains about an "unrecognized message"?

Thanks for your support

JS


1 Answer


If you have fronted Identity Server with a proxy server or load balancer, please try to configure the server's proxy configurations. [1] http://soasecurity.org/2014/04/11/handling-server-redirects-when-it-is-a-proxy/

Sachin Singh
Ishara
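The proxy settings the answer refers to, as an added illustration that is not part of the answer or of the WSO2 documentation: the `HostName`/`MgtHostName` elements of `carbon.xml` make the server build its redirects with the externally reachable name, and the Tomcat `proxyPort` attribute in `catalina-server.xml` makes `Location` headers carry the proxy's port rather than the internal 9443. The hostname `sso.example.com` and port 443 are placeholders, and both fragments only show the attributes relevant here.

```xml
<!-- repository/conf/carbon.xml (fragment): without these, the server advertises its
     own bind address, which the browser may not be able to reach through the proxy. -->
<HostName>sso.example.com</HostName>
<MgtHostName>sso.example.com</MgtHostName>

<!-- repository/conf/tomcat/catalina-server.xml (fragment): proxyPort tells Tomcat
     the port the proxy is listening on, so redirects point at https://sso.example.com/...
     instead of https://<internal-host>:9443/... (keystore settings omitted). -->
<Connector port="9443"
           proxyPort="443"
           scheme="https"
           secure="true"
           SSLEnabled="true" />
```

After restarting, a quick check is to issue the SAML request through the proxy and confirm that the 302 `Location` header returned by the IdP names the proxy hostname and port, so the browser keeps the same session across the login redirect.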