
Assertion validation

To ensure security, validation of the SAML assertion on the server-side is required. Assertion validation can be done using one of the following ways:

  • Validating the assertion manually

  • Using Single Sign-On Validation Service

Validating the assertion manually

You can validate the assertion yourself instead of calling Sabre’s Validation Service. To do so, you need Sabre’s certificate, which is provided when the Single Sign-On boarding procedure is finished, and any library that supports SAML, such as OpenSAML.

If needed, you can use the Configuration Service to obtain properties such as serviceProvider depending on the environment (CERT, PROD); you can find more information in {developer_toolkit_name}'s documentation.

Please note that Sabre’s Validation Service URL is different for CERT and PROD, and your code must handle this correctly.

Single Sign-On Validation Service

{developer_toolkit_name} does not provide an API for validating the assertion, because of the multiplicity of available server-side technologies. Instead, SSO_ValidateTokenRQ can be used to validate SAML tokens generated using SsoServiceClient. The service accepts a token and validates it. If the token is valid, the service returns the session and user information associated with the token. Service providers should use this service to validate assertions against the {full_brand_name} Identity Provider’s public key.

Note
  The only supported token format is SAML, although the schema also provides definitions for OpenAM and SiteMinder.

The service endpoint URL, WSDL files, schemas for the service and usage samples will be provided to you upon successful Service Provider configuration for your Red App (see: SSO Setup Procedure).

Note
  The assertion is valid for 60 seconds; if you try to validate it after that time, the Validation Service returns an error.

This is a sample assertion validation request (in JMeter format):

POST https:// #host# /ssoaas/services/SSO_ValidateTokenRQ/1.1.0/
POST data:
<ValidateTokenRQ xmlns="http://webservices.sabre.com/sabreXML/sso/ssoaas/SSO_ValidateToken/1.1.0" version="1.1.0" applicationID="#ApplicationId#"><SAMLToken>#assertion#</SAMLToken></ValidateTokenRQ>
[no cookies]
Request Headers:
Connection: close
user: #user#
password: #password#
User-Agent: Jakarta Commons-HttpClient/3.1
Host: #host#
Content-Type: text/xml; charset=utf-8

Please note that there are header and body parameters that must be replaced with proper values:

  • assertion - the assertion to be validated

  • host - the validation service host

  • ApplicationID - the identifier of your service provider application. You will receive it from the Red App Support team when the SSO Setup procedure is completed.

  • user - the REST account user. You will receive it from the Red App Support team when the SSO Setup procedure is completed.

  • password - the REST account password. You will receive it from the Red App Support team when the SSO Setup procedure is completed.

Note
  The Validation Service URL is different for the Production and the Development/Certification environment, so your server-side service must be configured to use the correct one.
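The request above, the CERT/PROD endpoint selection and the 60-second validity window, turned into server-side code as an added example (this is not Sabre's or {developer_toolkit_name}'s code). It assumes placeholder hostnames for the two environments (the real ones arrive with the boarding package), that the assertion is placed Base64-encoded inside SAMLToken (an assumption drawn from error codes 201 and 211), and that the response is handed back raw, since its schema is also delivered at boarding. The local Conditions check only rejects obviously stale assertions before a round trip; it does not replace the service's signature validation.

```python
"""Helpers for calling SSO_ValidateTokenRQ from a Red App's server side (added example)."""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

SSOAAS_NS = "http://webservices.sabre.com/sabreXML/sso/ssoaas/SSO_ValidateToken/1.1.0"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholder hosts (assumption): the real CERT and PROD hosts come with the SSO boarding package.
VALIDATION_HOSTS = {
    "CERT": "cert-validation-host.example",
    "PROD": "prod-validation-host.example",
}


def endpoint_for(environment):
    """Pick the Validation Service URL for CERT or PROD; refuse anything else."""
    try:
        host = VALIDATION_HOSTS[environment.upper()]
    except KeyError:
        raise ValueError(f"unknown environment {environment!r}; expected CERT or PROD")
    return f"https://{host}/ssoaas/services/SSO_ValidateTokenRQ/1.1.0/"


def build_validate_token_request(assertion_xml, application_id):
    """Build the ValidateTokenRQ body shown in the JMeter sample.

    The assertion is Base64-encoded before it is placed in SAMLToken (assumption, see lead-in).
    """
    token = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    app_id = escape(application_id, {'"': "&quot;"})  # attribute-safe
    return (
        f'<ValidateTokenRQ xmlns="{SSOAAS_NS}" version="1.1.0" applicationID="{app_id}">'
        f"<SAMLToken>{token}</SAMLToken></ValidateTokenRQ>"
    )


def assertion_from_request(request_xml):
    """Inverse of build_validate_token_request: recover the assertion XML (useful for logging/tests)."""
    root = ET.fromstring(request_xml)
    token = root.findtext(f"{{{SSOAAS_NS}}}SAMLToken")
    return base64.b64decode(token).decode("utf-8")


def _parse_instant(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    if value is None:
        return None
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    instant = datetime.fromisoformat(value)
    return instant if instant.tzinfo else instant.replace(tzinfo=timezone.utc)


def check_assertion_window(assertion_xml, now=None):
    """Local pre-check of <Conditions NotBefore NotOnOrAfter> before calling the service.

    Returns (ok, reason). Sabre's assertions are valid for 60 seconds, so a stale one
    can be rejected without a round trip. Signature validation is still the service's job.
    """
    now = _parse_instant(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{SAML2_NS}}}Conditions")
    if conditions is None:
        return False, "assertion has no Conditions element"
    not_before = _parse_instant(conditions.get("NotBefore"))
    not_on_or_after = _parse_instant(conditions.get("NotOnOrAfter"))
    if not_before is None or not_on_or_after is None:
        return False, "Conditions must carry NotBefore and NotOnOrAfter"
    if now < not_before:
        return False, "assertion not yet valid"
    if now >= not_on_or_after:
        return False, "assertion expired (validity window is 60 seconds)"
    return True, "within validity window"


def validate_token(environment, assertion_xml, application_id, user, password, timeout=10):
    """POST the request with the headers from the sample; returns (HTTP status, raw response body)."""
    ok, reason = check_assertion_window(assertion_xml)
    if not ok:
        raise ValueError(f"refusing to submit assertion: {reason}")
    body = build_validate_token_request(assertion_xml, application_id).encode("utf-8")
    req = urllib.request.Request(endpoint_for(environment), data=body, method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("user", user)          # REST account user from the boarding package
    req.add_header("password", password)  # REST account password; only ever sent over https
    req.add_header("Connection", "close")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


# Constructed sample assertion used for the local checks below; not a real Sabre assertion.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_example" Version="2.0" '
    'IssueInstant="2024-01-01T12:00:00Z"><saml:Issuer>placeholder-idp</saml:Issuer>'
    '<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:01:00Z"/>'
    "</saml:Assertion>"
)

if __name__ == "__main__":
    print(endpoint_for("CERT"))
    print(check_assertion_window(SAMPLE_ASSERTION, now="2024-01-01T12:00:30Z"))
    print(build_validate_token_request(SAMPLE_ASSERTION, "APP-ID-PLACEHOLDER"))
```

Keep the REST account credentials out of source control and out of logs; the `password` header travels in clear text inside the TLS session, so the client must only ever use the https endpoint returned by `endpoint_for`.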

List of errors for SSO Validate Token Request

Below is the list of error codes with descriptions and the recommended action. For all other errors, please contact redappssuport@sabre.com, sending your Red App ID and the error code you are getting.

Error Code | Description | Recommended Action

11 | Message unmarshal error | Check if your XML request is compatible with the SSOaaS schema.

102 | No identity provider configuration for id = <…> | Make sure you provide a valid idpId and applicationID in the request. Check your IDP configuration in the SSOaaS Console.

103 | No service provider configuration for id = <…> | Make sure you provide a valid spId and applicationID in the request. Check your SP configuration in the SSOaaS Console.

105 | Expiry time is invalid, expiry time = <…>, reason = <…> | Check your request payload.

121 | Provided duration is smaller than min allowed value=<…>, duration=<…> | Check your request payload.

122 | ValidFrom in request happens before now. ValidFrom=<…>, now=<…> | Check your request payload.

123 | Request validation error. Service Provider is empty | Check your request payload.

124 | Request validation error. Identity Provider is empty | Check your request payload.

125 | Username is empty on request context = <…> | Check your request payload.

126 | AssertionCreateTime is empty, request: <…> | Check your request payload.

127 | ConditionsNotOnOrAfter is empty, request: <…> | Check your request payload.

128 | ConditionsNotBefore is empty, request: <…> | Check your request payload.

129 | SessionNotOnOrAfter is empty, request: <…> | Check your request payload.

130 | Input parameters validTo and duration cannot be both empty. Cannot calculate assertion valid times | Check your request payload.

200 | Invalid token name | Check that you are sending a correct ValidateTokenRQ (compare with the SSOaaS schema).

201 | Invalid Base64 token encryption | Check that the token body in the XML request is properly Base64-encoded.

202 | Identity provider <…> is not supported by service provider <…> | The service provider does not accept assertions from this identity provider. Check your SP configuration in the SSOaaS Console.

210 | Empty token | You sent a request with an empty token body.

211 | Token decoding error | Make sure that you send a valid token.

260 | No configuration for identity provider id: <…> passed in assertion attribute: <…> | The IDP for the siteId passed in the assertion attribute does not exist (GetThere assertions). Check that the siteId attribute in the request is correct. Check your SP configuration in the SSOaaS Console (the name of the assertion attribute that contains siteId).

300 | Operation fail! Operation type: <…>, Entity type: <…> | Check if your XML request (ManageEntityProviderRQ) is compatible with the SSOaaS schema.

302 | Operation refused! Invalid data in request, Operation type: <…>, Entity type: <…>, RQ Data Validation Errors: <…> | Fix your request data.

4000 | XML unmarshalling error, request doesn’t comply with the request schema | Change the request XML so that it conforms to the request schema.

4041 | Version <version> for service <service_name> does not exist | Make sure that the version name in the request is spelled correctly. Also check that the version in the request is supported by inform (see the wiki pages for the service).

4010 | Authentication fail! Wrong user or password; userId: <…> | Make sure the UserID/ATH ID you are passing is correct.

4030 | You are not authorized to use application! appId: <…> | Make sure the Application ID is spelled correctly. Check your User configuration in the SSOaaS Console.

4031 | You are not authorized to use application! appId: <…> | Make sure the Application ID is spelled correctly. Check your User configuration in the SSOaaS Console.

4032 | 'ApplicationID' not specified in request message | Provide the applicationID attribute in the request XML.