Assertion Validation
To ensure security, the SAML assertion must be validated on the server side. Assertion validation can be done in one of the following ways:
- Validating the assertion manually
- Using the Single Sign-On Validation Service
Validating the assertion manually
You can validate the assertion yourself instead of calling Sabre’s Validation Service. To do so, you will need Sabre’s certificate, which is provided when the Single Sign-On onboarding procedure is complete, and a library that supports SAML, such as OpenSAML.
Single Sign-On Validation Service
The service accepts a token and validates it. If the token is valid, the service returns session and user information associated with the token. The service should be used by service providers to validate assertions against the Sabre Red 360 Identity Provider’s public key.
Note: The only supported token format is SAML, although the schema also provides definitions for OpenAM and SiteMinder.
The service endpoint URL, WSDL files, schemas for the service and usage samples will be provided to you upon successful Service Provider configuration for your Red App (see Single Sign-On Setup Procedure).
Note: The assertion is valid for 60 seconds; if you try to validate it after this time, the Validation Service will return an error.
This is a sample assertion validation request (in JMeter format):
POST https:// #host# /ssoaas/services/SSO_ValidateTokenRQ/1.1.0/
POST data:
<ValidateTokenRQ xmlns="http://webservices.sabre.com/sabreXML/sso/ssoaas/SSO_ValidateToken/1.1.0" version="1.1.0" applicationID="#ApplicationId#"><SAMLToken>#assertion#</SAMLToken></ValidateTokenRQ>
[no cookies]
Request Headers:
Connection: close
user: #user#
password: #password#
User-Agent: Jakarta Commons-HttpClient/3.1
Host: #host#
Content-Type: text/xml; charset=utf-8
Note that the following header and body parameters must be replaced with proper values:
- assertion - the assertion to be validated.
- host - the validation service host.
- ApplicationID - the identifier of your service provider application. You will receive it from the Red App Support team when the SSO Setup procedure is completed.
- user - the REST account user. You will receive it from the Red App Support team when the SSO Setup procedure is completed.
- password - the REST account password. You will receive it from the Red App Support team when the SSO Setup procedure is completed.
Note: The validation service URL is different for the Production and the Development/Certification environments, so your server-side service must be configured to use the correct one.
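An added example (not Sabre's code) in Python that builds the ValidateTokenRQ body shown above, sends it with the user/password headers, and first checks the assertion's Conditions window locally so an expired assertion (the 60-second limit) is rejected before the round trip. Assumptions: the SAMLToken body is Base64-encoded (inferred from error 201 in the table below), the host, application ID and credentials are placeholders, and the sample assertion is constructed and unsigned; signature verification against Sabre's certificate is left to a SAML library, as the page advises.

```python
import base64
import datetime as dt
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

SSOAAS_NS = "http://webservices.sabre.com/sabreXML/sso/ssoaas/SSO_ValidateToken/1.1.0"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, unsigned sample assertion (not a real Sabre assertion); its
# Conditions span the 60-second validity window described in the docs.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" '
    'Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
    '<saml:Issuer>https://idp.example.invalid</saml:Issuer>'
    '<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:01:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://sp.example.invalid</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
)

def assertion_time_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) as aware datetimes from <saml:Conditions>."""
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML_NS}}}Conditions")
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise ValueError("assertion lacks Conditions with NotBefore/NotOnOrAfter")
    parse = lambda s: dt.datetime.fromisoformat(s.replace("Z", "+00:00"))
    return parse(cond.get("NotBefore")), parse(cond.get("NotOnOrAfter"))

def is_within_window(assertion_xml, now=None, skew=dt.timedelta(seconds=5)):
    """Local pre-check: NotBefore is inclusive, NotOnOrAfter is exclusive (SAML 2.0)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    not_before, not_on_or_after = assertion_time_window(assertion_xml)
    return not_before - skew <= now < not_on_or_after + skew

def build_validate_token_rq(assertion_xml, application_id):
    """Body from the docs' sample; Base64-encoding the token is an assumption
    (error 201, 'Invalid Base64 token encryption'). Base64 needs no XML escaping."""
    token = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    return (f'<ValidateTokenRQ xmlns="{SSOAAS_NS}" version="1.1.0" '
            f'applicationID={quoteattr(application_id)}>'
            f'<SAMLToken>{token}</SAMLToken></ValidateTokenRQ>').encode("utf-8")

def send_validate_token_rq(host, body, user, password, timeout=10):
    """POST to the path from the docs; the host differs per environment (placeholder)."""
    req = urllib.request.Request(
        f"https://{host}/ssoaas/services/SSO_ValidateTokenRQ/1.1.0/", data=body,
        method="POST", headers={"Content-Type": "text/xml; charset=utf-8",
                                "user": user, "password": password})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()
```

Call is_within_window before build_validate_token_rq so that a stale assertion is reported locally instead of as a service error after the network round trip.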
List of errors for SSO Validate Token Request
Below is the list of error codes with descriptions and recommended actions. For all other errors, please contact redappssupport@sabre.com and include your Red App ID and the error code you are receiving.
Error Code | Description | Recommended Action |
---|---|---|
11 | Message unmarshal error | Check that your XML request is compatible with the SSOaaS schema. |
102 | No identity provider configuration for id = <…> | Make sure you provide a valid idpId and applicationID in the request. Check your IDP configuration in the SSOaaS Console. |
103 | No service provider configuration for id = <…> | Make sure you provide a valid spId and applicationID in the request. Check your SP configuration in the SSOaaS Console. |
105 | Expiry time is invalid, expiry time = <…>, reason = <…> | Check your request payload. |
121 | Provided duration is smaller than min allowed value=<…>, duration=<…> | Check your request payload. |
122 | ValidFrom in request happens before now. ValidFrom=<…>, now=<…> | Check your request payload. |
123 | Request validation error. Service Provider is empty | Check your request payload. |
124 | Request validation error. Identity Provider is empty | Check your request payload. |
125 | Username is empty on request context = <…> | Check your request payload. |
126 | AssertionCreateTime is empty, request: <…> | Check your request payload. |
127 | ConditionsNotOnOrAfter is empty, request: <…> | Check your request payload. |
128 | ConditionsNotBefore is empty, request: <…> | Check your request payload. |
129 | SessionNotOnOrAfter is empty, request: <…> | Check your request payload. |
130 | Input parameters validTo and duration cannot be both empty. Cannot calculate assertion valid times | Check your request payload. |
200 | Invalid token name | Check that you are sending a correct ValidateTokenRQ (compare it with the SSOaaS schema). |
201 | Invalid Base64 token encryption | Check that the token body in the XML request is properly Base64-encoded. |
202 | Identity provider <…> is not supported by service provider <…> | The service provider does not accept assertions from this identity provider. Check your SP configuration in the SSOaaS Console. |
210 | Empty token | The request was sent with an empty token body. |
211 | Token decoding error | Make sure that you send a valid token. |
260 | No configuration for identity provider id: <…> passed in assertion attribute: <…> | The IDP for the siteId passed in the assertion attribute does not exist (GetThere assertions). Check that the siteId attribute in the request is correct, and check your SP configuration in the SSOaaS Console (the name of the assertion attribute that contains the siteId). |
300 | Operation fail! Operation type: <…>, Entity type: <…> | Check that your XML request (ManageEntityProviderRQ) is compatible with the SSOaaS schema. |
302 | Operation refused! Invalid data in request, Operation type: <…>, Entity type: <…>, RQ Data Validation Errors: <…> | Fix your request data. |
4000 | XML unmarshalling error, request doesn’t comply with the request schema | Change the request XML so that it conforms to the request schema. |
4041 | Version <version> for service <service_name> does not exist | Make sure that the version name in the request is spelled correctly. Also check that the version in the request is supported by inform (see the wiki pages for the service). |
4010 | Authentication fail! Wrong user or password; userId: <…> | Make sure the UserID/ATH ID you are passing is correct. |
4030 | You are not authorized to use application! appId: <…> | Make sure the Application ID is spelled correctly. Check your User configuration in the SSOaaS Console. |
4031 | You are not authorized to use application! appId: <…> | Make sure the Application ID is spelled correctly. Check your User configuration in the SSOaaS Console. |
4032 | 'ApplicationID' not specified in request message | Provide the applicationID attribute in the request XML. |