Assertion Validation

To ensure security, validation of the SAML assertion on the server-side is required. Assertion validation can be done using one of the following ways:

Validating the assertion manually
Using Single Sign-On Validation Service

Validating the assertion manually

You can validate the assertion on your own instead of calling Sabre’s validation Service. To do so, you will need to use Sabre’s certificate, which is provided when Single Sign-On boarding procedure is finished, and any library supporting SAML like Open SAML.

Single Sign-On Validation Service

The service accepts a token and validates it. If the token is valid, the service returns session and user information associated with the token. The service should be used by service providers to validate assertions against the Sabre Red 360 Identity Provider’s public key.

Note	The only supported token is SAML format, although the schema provides definitions for OpenAM and Siteminder as well.

Service endpoint URL, wsdl files, schemas for the service and usage samples will be provided to you upon successful Service Provider configuration for your Red App (see: Single Sign-On Setup Procedure).

Note	The assertion will be valid for 60 seconds, so if you try to validate it after this time, the Validation Service will return an error.

This is a sample assertion validation request (in JMeter format):

POST https:// #host# /ssoaas/services/SSO_ValidateTokenRQ/1.1.0/
POST data:
<ValidateTokenRQ xmlns="http://webservices.sabre.com/sabreXML/sso/ssoaas/SSO_ValidateToken/1.1.0" version="1.1.0" applicationID="#ApplicationId#"><SAMLToken>#assertion#</SAMLToken></ValidateTokenRQ>
[no cookies]
Request Headers:
Connection: close
user: #user#
password: #password#
User-Agent: Jakarta Commons-HttpClient/3.1
Host: #host#
Content-Type: text/xml; charset=utf-8

Please note, that there are header and body parameters that must be replaced with proper values:

assertion - assertion to be validated.
host - validation service host.
ApplicationID - identifier of your service provider application. You will receive it from Red App Support team when SSO Setup procedure is completed.
user - REST account user. You will receive it from Red App Support team when SSO Setup procedure is completed.
password - REST account password. You will receive it from Red App Support team when SSO Setup procedure is completed.

Note	Validation service URL is different for Production and for Development/Certification environment, so your server side service must be configured to use them properly.

List of errors for SSO Validate Token Request

Below is the list of error codes with descriptions and recommended action. For all other errors please contact redappsupport@sabre.com sending your Red App ID and the error code you are getting.

Error Code	Description	Recommended Action
11	Message unmarshal error	Check if your XML request is compatible with SSOaaS schema.
102	No identity provider configuration for id = <…>	Make sure you provide valid idpId and applicationID in request. Check your IDP configuration in SSOaaS Console
103	No service provider configuration for id = <…>	Make sure you provide valid spId and applicationID in request. Check your SP configuration in SSOaaS Console
105	Expiry time is invalid, expiry time = <…>, reason = <…>	Check your request payload.
121	Provided duration is smaller than min allowed value=<…>, duration=<…>	Check your request payload.
122	ValidFrom in request happens before now. ValidFrom=<…>, now=<…>	Check your request payload.
123	Request validation error. Service Provider is empty	Check your request payload.
124	Request validation error. Identity Provider is empty	Check your request payload.
125	Username is empty on request context = <…>	Check your request payload.
126	AssertionCreateTime is empty, request: <…>	Check your request payload.
127	ConditionsNotOnOrAfter is empty, request: <…>	Check your request payload.
128	ConditionsNotBefore is empty, request: <…>	Check your request payload.
129	SessionNotOnOrAfter is empty, request: <…>	Check your request payload.
130	Input parameters validTo and duration cannot be both empty. Cannot calculate assertion valid times	Check your request payload.
200	Invalid token name	Check if you send correct ValidateTokenRQ (compare with SSOaaS schema)
201	Invalid Base64 token encryption	Check if token body in XML request is properly encrypted in Base64 format.
202	Identity provider <…> is not supported by service provider <…>	Service provider does not accept assertions from this identity provider. Check your SP configuration in SSOaaS Console.
210	Empty token	You send request with empty token body.
211	Token decoding error	Make sure that you send valid token.
260	No configuration for identity provider id: <…> passed in assertion attribute: <…>	IDP for siteId passed in assertion attribute not exists (GetThere assertions). Check if siteId attribute in request is correct. Check your SP configuration in SSOaaS console (name of assertion attribute that contains siteId.
300	Operation fail! Operation type: <…>, Entity type: <…>	Check if your XML request (ManageEntityProviderRQ) is compatible with SSOaaS schema.
302	Operation refused! Invalid data in request, Operation type: <…>, Entity type: <…>, RQ Data Validation Errors: <…>	Fix your request data.
4000	XML unmarshalling error, request doesn’t comply with the request schema	Change the request XML so that it conforms to the request schema
4041	Version <version> for service <service_name> does not exist	Make sure that the version name in the request is spelled correctly. Also check that the version in the request is supported by inform (see wiki pages for the service)
4010	Authentication fail! Wrong user or password; userId: <…>	Make sure UserID/ATH ID you are passing is correct.
4030	You are not authorized to use application! appId: <…>	Make sure the Application ID is spelled correctly. Check your User configuration in SSOaaS Console.
4031	You are not authorized to use application! appId: <…>	Make sure the Application ID is spelled correctly. Check your User configuration in SSOaaS Console.
4032	'ApplicationID' not specified in request message	Provide applicationID attribute in request XML.

Error Code

Description

Recommended Action

Message unmarshal error

Check if your XML request is compatible with SSOaaS schema.

102

No identity provider configuration for id = <…>

Make sure you provide valid idpId and applicationID in request. Check your IDP configuration in SSOaaS Console

103

No service provider configuration for id = <…>

Make sure you provide valid spId and applicationID in request. Check your SP configuration in SSOaaS Console

105

Expiry time is invalid, expiry time = <…>, reason = <…>

Check your request payload.

121

Provided duration is smaller than min allowed value=<…>, duration=<…>

Check your request payload.

122

ValidFrom in request happens before now. ValidFrom=<…>, now=<…>

Check your request payload.

123

Request validation error. Service Provider is empty

Check your request payload.

124

Request validation error. Identity Provider is empty

Check your request payload.

125

Username is empty on request context = <…>

Check your request payload.

126

AssertionCreateTime is empty, request: <…>

Check your request payload.

127

ConditionsNotOnOrAfter is empty, request: <…>

Check your request payload.

128

ConditionsNotBefore is empty, request: <…>

Check your request payload.

129

SessionNotOnOrAfter is empty, request: <…>

Check your request payload.

130

Input parameters validTo and duration cannot be both empty. Cannot calculate assertion valid times

Check your request payload.

200

Invalid token name

Check if you send correct ValidateTokenRQ (compare with SSOaaS schema)

201

Invalid Base64 token encryption

Check if token body in XML request is properly encrypted in Base64 format.

202

Identity provider <…> is not supported by service provider <…>

Service provider does not accept assertions from this identity provider. Check your SP configuration in SSOaaS Console.

210

Empty token

You send request with empty token body.

211

Token decoding error

Make sure that you send valid token.

260

No configuration for identity provider id: <…> passed in assertion attribute: <…>

IDP for siteId passed in assertion attribute not exists (GetThere assertions). Check if siteId attribute in request is correct. Check your SP configuration in SSOaaS console (name of assertion attribute that contains siteId.

300

Operation fail! Operation type: <…>, Entity type: <…>

Check if your XML request (ManageEntityProviderRQ) is compatible with SSOaaS schema.

302

Operation refused! Invalid data in request, Operation type: <…>, Entity type: <…>, RQ Data Validation Errors: <…>

Fix your request data.

4000

XML unmarshalling error, request doesn’t comply with the request schema

Change the request XML so that it conforms to the request schema

4041

Version <version> for service <service_name> does not exist

Make sure that the version name in the request is spelled correctly. Also check that the version in the request is supported by inform (see wiki pages for the service)

4010

Authentication fail! Wrong user or password; userId: <…>

Make sure UserID/ATH ID you are passing is correct.

4030

You are not authorized to use application! appId: <…>

Make sure the Application ID is spelled correctly. Check your User configuration in SSOaaS Console.

4031

You are not authorized to use application! appId: <…>

Make sure the Application ID is spelled correctly. Check your User configuration in SSOaaS Console.

4032

'ApplicationID' not specified in request message

Provide applicationID attribute in request XML.