Agile Central - SSO connection failure due to encrypted assertion

Document ID : KB000113498
Last Modified Date : 10/09/2018
Question:
After setting up a new SSO connection for a customer who is using the ADFS IdP as a service, the customer is unable to log in to Agile Central under SSO.

They receive a message that states the following:

[Image: error message containing a reference number]

A review of the Splunk logs for the reference number (TKZJHJDE) in the error reveals the following error, or one similar:

2018-09-10 09:53:35,903|SSO| | 127.0.0.1 | | | | qs-ping-01.rally.prod| SP| failure| | (reference# TKZJHJDE) For security reasons a Response sent via the front channel that contains encrypted Assertion(s) must have a valid signature (but was NOT_PRESENT).| 2 host = qs-ping-01 source = /home/pingsp/pingfederate/pingfederate/log/audit.log-20180910 sourcetype = sso-logs


How can this be corrected?
Answer:
The SSO metadata for Agile Central that is provided to the customer contains an encryption certificate and a signing certificate. Have the customer verify that they are NOT sending encrypted SAML assertions; if they are, have them remove or disable the encryption certificate on their ADFS server.

Note that this seems to affect customers using ADFS most often.
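
To confirm the condition before changing the ADFS configuration, the SAMLResponse form value captured from the browser during a failed login can be inspected for the combination the audit log complains about. The following is an added example, not part of the original article or of any vendor tooling; the function names and the sample response are constructed for illustration, and the check is structural only (it does not validate signatures).

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def inspect_saml_response(b64_response: str) -> dict:
    """Report structural facts about a base64 SAMLResponse (HTTP-POST binding)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a SAML 2.0 Response: {root.tag}")
    return {
        # Direct children only: these are the assertions the SP will process.
        "encrypted_assertions": len(root.findall(f"{{{SAML}}}EncryptedAssertion")),
        "plain_assertions": len(root.findall(f"{{{SAML}}}Assertion")),
        # Only a ds:Signature directly under Response signs the Response itself.
        "response_signed": root.find(f"{{{DS}}}Signature") is not None,
    }


def diagnose(facts: dict) -> str:
    if facts["encrypted_assertions"] and not facts["response_signed"]:
        return "encrypted assertion in unsigned Response: matches the NOT_PRESENT audit error"
    if facts["encrypted_assertions"]:
        return "encrypted assertion, Response carries a signature element"
    return "no encrypted assertion"


def constructed_response(signed: bool) -> str:
    """Constructed sample input (placeholder issuer, empty elements), not real ADFS output."""
    sig = f'<ds:Signature xmlns:ds="{DS}"/>' if signed else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_constructed">'
        f"<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>{sig}"
        "<saml:EncryptedAssertion/></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for signed in (False, True):
        print(signed, diagnose(inspect_saml_response(constructed_response(signed))))
```

A result of "no encrypted assertion" after the customer disables the encryption certificate indicates the change took effect on the ADFS side.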