
Investigating a “No valid assertion found in SAML response” Error

Problem Description: SAML is a time-sensitive protocol. The time-based validity of a SAML assertion is determined by the SAML identity provider. If the clocks of the SAML identity provider and the SAML service provider are skewed, the assertion can be judged invalid, and authentication fails.
Environment: In the scenario described here, the system is deployed as a SAML service provider in a SAML 2.0 deployment.
Symptoms:

In this scenario, the following error is returned to the user after the user has submitted credentials to the SAML identity provider:

"SAML Transferred failed. Please contact your system administrator.

Detail: Failure: No valid assertion found in SAML response."

Cause: To investigate the error:
  1. Select Maintenance > Troubleshooting > Monitoring > Debug Logs to display the Debug Log configuration page, shown in Figure 33.

    Figure 33: Debug Log Page

  2. Turn debug logging on, set Debug Log Detail Level to 10, and Event Codes to saml.
  3. Reproduce the action that results in the error—in this case, user access to the resource associated with the SAML service provider that prompts the user to submit credentials to the SAML identity provider.
  4. Click Save Debug Log.

    The console displays the Save As dialog box.

  5. Save the file to a location on your local host or a location that you can access when sending mail. The file is encrypted, so do not try to open it and analyze it yourself.
  6. E-mail the debug log to Pulse Customer Support.

    Pulse Customer Support will use the file to diagnose the issue. In the debug log, the following log lines indicate issues with the time-based validity of the assertion:

    verifySubjectConfirmationData: assertion has expired 

    processConditions: assertion has expired [NotOnOrAfter condition failed]

    processConditions: assertion is not yet Valid [NotBefore condition failed]

These log lines indicate a clock sync issue only if failure of the time-based validity check is unexpected. The same log lines might appear in the debug log to indicate an assertion has expired as expected.

Solution: We recommend you use NTP to ensure the clocks are synchronized and that you set an Allowed Clock Skew value that accommodates any expected or permissible skew. Properly synchronized clocks avoid unexpected failure.

To configure NTP:

  1. Select System > Status to display the System Status page.
  2. Next to System Date & Time, click Edit to display the Date and Time page.
  3. Specify the settings for the same NTP server used by the SAML identity provider.
  4. Save your configuration.

To set the Allowed Clock Skew value:

  1. Select Authentication > Auth. Servers.
  2. Select the SAML authentication server you want to configure to display its configuration page.
  3. Specify a number of minutes in the Allowed Clock Skew to accommodate any expected or permissible skew.
  4. Save your configuration.
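To make the three time checks behind the debug-log lines above concrete, here is an added Python example (not Pulse Connect Secure code) that evaluates the Conditions NotBefore/NotOnOrAfter and SubjectConfirmationData NotOnOrAfter windows of an assertion against the current time, widened by an Allowed Clock Skew value in minutes. Element names follow SAML 2.0; the sample assertion and the returned messages are constructed to mirror the log lines.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture): valid from 12:00:00 to 12:05:00 UTC.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.test/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML xs:dateTime given in UTC ('...Z') into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion_times(xml_text, now, skew_minutes=0):
    """Return failure messages (constructed to mirror the debug-log lines).

    An empty list means every time-based check passed. `skew_minutes` plays the
    role of the Allowed Clock Skew: the SP tolerates its clock being that far
    ahead of or behind the IdP's clock.
    """
    skew = timedelta(minutes=skew_minutes)
    root = ET.fromstring(xml_text)
    failures = []
    # SubjectConfirmationData: the bearer assertion must not have expired.
    for scd in root.findall("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS):
        noa = scd.get("NotOnOrAfter")
        if noa and now - skew >= parse_instant(noa):
            failures.append("verifySubjectConfirmationData: assertion has expired")
    # Conditions: NotBefore is inclusive, NotOnOrAfter is exclusive (SAML 2.0 core).
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if noa and now - skew >= parse_instant(noa):
            failures.append("processConditions: assertion has expired [NotOnOrAfter condition failed]")
        if nb and now + skew < parse_instant(nb):
            failures.append("processConditions: assertion is not yet Valid [NotBefore condition failed]")
    return failures
```

Running the check with the SP clock one minute fast or slow and a skew of 0 reproduces the "expired" and "not yet Valid" lines; the same clock with a 2-minute Allowed Clock Skew passes, which is the effect the setting above has.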
