SAML Assertion policy deployment error troubleshooting

You're viewing Apigee and Apigee hybrid documentation.
View Apigee Edge documentation.

SourceNotConfigured

Error Message

Deployment of the API proxy through either the Apigee UI or Apigee API fails with this error message:

Error Deploying Revision revision_number to environment
ValidateSAMLAssertion[policy_name]: Source is not correctly configured.

Example Error Message

Error Deploying Revision 2 to test
ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Source is not correctly configured.

Example Error Screenshot

Error deploying revision 2 to test.

Cause

The deployment of the API proxy fails with this error if one or more of the following elements of the ValidateSAMLAssertion policy is not defined or empty: <Source>, <XPath>, <Namespaces>, <Namespace>.

For example, if you miss the <XPath> element or leave the <Source> element or its entities empty, then the deployment of the API proxy fails.

Diagnosis

  1. Identify the failed ValidateSAMLAssertion policy name from the error message. For example, in the following error the ValidateSAMLAssertion policy name is Validate-SAML-Assertion-1.

    ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Source is not correctly configured.
    
  2. Examine the failed ValidateSAMLAssertion policy XML. Check if one or more of the following elements of the policy is missing or empty: <Source>, <XPath>, <Namespaces>, <Namespace>. If so, that could be the cause of the error.

    For example, the following policy has an empty <Namespaces> element under the <Source> element:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ValidateSAMLAssertion name="SAML" ignoreContentType="false">
      <Source name="request">
        <Namespaces></Namespaces>
       </Source>
       <Description/>
     <TrustStore>ref://TrustStoreName</Truststore>
     <RemoveAssertion>false</RemoveAssertion>
    </ValidateSAMLAssertion>
    
  3. In the above example, the <Namespaces> element is empty, therefore you get the error:

    ValidateSAMLAssertion[Validate-SAML-Assertion-1]: Source is not correctly configured.
    

Resolution

Ensure that values of the <Source> element are configured correctly with the <Namespaces> element and its child element <Namespace>. You also need to ensure the <XPath> element is defined and non-empty.

To correct the example ValidateSAMLAssertion policy shown above, you could add the <Namespace> elements as well as <XPath>:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ValidateSAMLAssertion name="SAML" ignoreContentType="false">
  <Source name="request">
    <Namespaces>
      <Namespace prefix='soap'>http://schemas.xmlsoap.org/soap/envelope/</Namespace>
      <Namespace prefix='wsse'>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
      <Namespace prefix='saml'>urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
    </Namespaces>
    <XPath>/soap:Envelope/soap:Header/wsse:Security/saml:Assertion</XPath>
  </Source>
   <Description/>
<TrustStore>ref://TrustStoreName</Truststore>
<RemoveAssertion>false</RemoveAssertion>
</ValidateSAMLAssertion>

TrustStoreNotConfigured

Error Message

Deployment of the API proxy through either the Apigee UI or Apigee API fails with this error message:

Error Deploying Revision revision_number to environment
ValidateSAMLAssertion[[Ljava.lang.Object;@object]: Trust store is not correctly configured.

Example Error Message

Error Deploying Revision 2 to test
ValidateSAMLAssertion[[Ljava.lang.Object;@39537262]: Trust store is not correctly configured.

Example Error Screenshot

Error deploying revision 2 to test.

Cause

If the <TrustStore> element is empty or not specified in the ValidateSAMLAssertion policy, then the deployment of the API proxy fails. A valid Trust Store is required.

Diagnosis

  1. Examine all the Validate SAML Assertion policies in the specific API Proxy where the failure has occurred. If there is any Validate SAML Assertion policy in which the <TrustStore> element is empty or not specified, then that's the cause of the error.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ValidateSAMLAssertion name="SAML" ignoreContentType="false">
     <Source name="request">
        <Namespaces>
          <Namespace prefix='soap'>http://schemas.xmlsoap.org/soap/envelope/</Namespace>
          <Namespace prefix='wsse'>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
          <Namespace prefix='saml'>urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
        </Namespaces>
        <XPath>/soap:Envelope/soap:Header/wsse:Security/saml:Assertion</XPath>
      </Source>
        <Description/>
        <TrustStore/>
      <RemoveAssertion>false</RemoveAssertion>
    </ValidateSAMLAssertion>
    

Resolution

Ensure that the element <TrustStore> is always specified and non-empty within the SAMLAssertion policy. The <TrustStore> name should match the name of a valid TrustStore that exists in all the environments to which you are attempting to deploy a proxy.

To correct the above example, you can specify the <TrustStore> element with a valid value.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ValidateSAMLAssertion name="SAML" ignoreContentType="false">
  <Source name="request">
    <Namespaces>
      <Namespace prefix='soap'>http://schemas.xmlsoap.org/soap/envelope/</Namespace>
      <Namespace prefix='wsse'>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
      <Namespace prefix='saml'>urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
    </Namespaces>
    <XPath>/soap:Envelope/soap:Header/wsse:Security/saml:Assertion</XPath>
  </Source>
  <TrustStore>TrustStoreName</TrustStore>
  <RemoveAssertion>false</RemoveAssertion>
</ValidateSAMLAssertion>

NullKeyStore

Error Message

Deployment of the API proxy through either the Apigee UI or API fails with this error message:

Error Deploying Revision revision_number to environment
Assertion KeyStore name cannot be null.

Example Error Message

Error Deploying Revision 4 to test
Assertion KeyStore name cannot be null.

Example Error Screenshot

Error deploying revision 4 to test.

Cause

If the child element <Name> is empty or not specified in the <Keystore> element of GenerateSAMLAssertion policy, then the deployment of the API proxy fails. A valid Keystore name is required.

Diagnosis

  1. Examine all the GenerateSAMLAssertion policies in the specific API Proxy where the failure has occurred. If there is any GenerateSAMLAssertion policy in which the child element <Name> is empty or not specified in the <Keystore> element, then that's the cause of the error.

    The following GenerateSAMLAssertion policy has an empty child element <Name> in the <Keystore> element:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <GenerateSAMLAssertion name="SAML" ignoreContentType="false">`
      <CanonicalizationAlgorithm />
      <Issuer ref="reference">Issuer name</Issuer>
      <KeyStore>
        <Name></Name>
        <Alias ref="reference">alias</Alias>
      </KeyStore>
      <OutputVariable>
        <FlowVariable>assertion.content</FlowVariable>
        <Message name="request">
          <Namespaces>
            <Namespace prefix="test">http://www.example.com/test</Namespace>
          </Namespaces>
          <XPath>/envelope/header</XPath>
        </Message>
      </OutputVariable>
      <SignatureAlgorithm />
      <Subject ref="reference">Subject name</Subject>
      <Template ignoreUnresolvedVariables="false">
        <!-- A lot of XML goes here, in CDATA, with {} around
             each variable -->
      </Template>
    </GenerateSAMLAssertion>
    

Resolution

Ensure that the child element <Name> is always specified and non-empty within the <Keystore> element of the GenerateSAMLAssertion policy.

To correct the above example, you can specify the <Name> element correctly as well as ensure that a valid value is specified to the <Alias> element.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateSAMLAssertion name="SAML" ignoreContentType="false">
  <CanonicalizationAlgorithm />
  <Issuer ref="reference">Issuer name</Issuer>
  <KeyStore>
    <Name ref="reference">keystorename</Name>
    <Alias ref="reference">alias</Alias>
  </KeyStore>
  <OutputVariable>
    <FlowVariable>assertion.content</FlowVariable>
    <Message name="request">
      <Namespaces>
        <Namespace prefix="test">http://www.example.com/test</Namespace>
      </Namespaces>
      <XPath>/envelope/header</XPath>
    </Message>
  </OutputVariable>
  <SignatureAlgorithm />
  <Subject ref="reference">Subject name</Subject>
  <Template ignoreUnresolvedVariables="false">
    <!-- A lot of XML goes here, in CDATA, with {} around
         each variable -->
  </Template>
</GenerateSAMLAssertion>

Refer to examples from SAMLAssertion policy.

NullKeyStoreAlias

Error Message

Deployment of the API proxy through either the Apigee UI or Apigee API fails with this error message:

Error Deploying Revision revision_number to environment
Assertion KeyStore alias cannot be null.

Example Error Message

Error Deploying Revision 4 to test
Assertion KeyStore alias cannot be null.

Example Error Screenshot

Error deploying revision 4 to test.

Cause

If the child element <Alias> is empty or not specified in the <Keystore> element of GenerateSAMLAssertion policy, then the deployment of the API proxy fails. A valid Keystore alias is required.

Diagnosis

  1. Examine all the GenerateSAMLAssertion policies in the specific API Proxy where the failure has occurred. If there is any GenerateSAMLAssertion policy in which the child element <Alias> is empty or not specified in the <Keystore> element, then that's the cause of the error.

    The following GenerateSAMLAssertion has an empty child element <Alias> in the <Keystore> element:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <GenerateSAMLAssertion name="SAML" ignoreContentType="false">`
      <CanonicalizationAlgorithm />
      <Issuer ref="reference">Issuer name</Issuer>
      <KeyStore>
        <Name ref="reference">keystorename</Name>
        <Alias></Alias>
      </KeyStore>
      <OutputVariable>
        <FlowVariable>assertion.content</FlowVariable>
        <Message name="request">
          <Namespaces>
            <Namespace prefix="test">http://www.example.com/test</Namespace>
          </Namespaces>
          <XPath>/envelope/header</XPath>
        </Message>
      </OutputVariable>
      <SignatureAlgorithm />
      <Subject ref="reference">Subject name</Subject>
      <Template ignoreUnresolvedVariables="false">
        <!-- A lot of XML goes here, in CDATA, with {} around
             each variable -->
      </Template>
    </GenerateSAMLAssertion>
    

Resolution

Ensure that the child element <Name> is always specified and non-empty within the <Keystore> element of the GenerateSAMLAssertion policy.

To correct the above example, you can specify the <Alias> element correctly as well as ensure that a valid value is specified to the <Name> element.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateSAMLAssertion name="SAML" ignoreContentType="false">
  <CanonicalizationAlgorithm />
  <Issuer ref="reference">Issuer name</Issuer>
  <KeyStore>
    <Name ref="reference">keystorename</Name>
    <Alias ref="reference">alias</Alias>
  </KeyStore>
  <OutputVariable>
    <FlowVariable>assertion.content</FlowVariable>
    <Message name="request">
      <Namespaces>
        <Namespace prefix="test">http://www.example.com/test</Namespace>
      </Namespaces>
      <XPath>/envelope/header</XPath>
    </Message>
  </OutputVariable>
  <SignatureAlgorithm />
  <Subject ref="reference">Subject name</Subject>
  <Template ignoreUnresolvedVariables="false">
    <!-- A lot of XML goes here, in CDATA, with {} around
         each variable -->
  </Template>
</GenerateSAMLAssertion>

Refer to examples from SAMLAssertion policy.

NullIssuer

Error Message

Deployment of the API proxy through either the Apigee UI or Apigee API fails with this error message:

Error Deploying Revision revision_number to environment
Assertion Issuer cannot be null.

Example Error Message

Error Deploying Revision 4 to test
Assertion Issuer cannot be null.

Example Error Screenshot

Error deploying revision 4 to test.

Cause

If the <Issuer> element is empty or not specified in the GenerateSAMLAssertion policy, then the deployment of the API proxy fails. A valid <Issuer> value is required.

Diagnosis

  1. Examine all the GenerateSAMLAssertion policies in the specific API Proxy where the failure has occurred. If there is any GenerateSAMLAssertion policy in which the <Issuer> element is empty or not specified, then that's the cause of the error.

    The following GenerateSAMLAssertion policy has an empty <Issuer> element:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <GenerateSAMLAssertion name="SAML" ignoreContentType="false">`
      <CanonicalizationAlgorithm />
      <Issuer></Issuer>
      <KeyStore>
        <Name ref="reference">keystorename</Name>
        <Alias ref="reference">alias</Alias>
      </KeyStore>
      <OutputVariable>
        <FlowVariable>assertion.content</FlowVariable>
        <Message name="request">
          <Namespaces>
            <Namespace prefix="test">http://www.example.com/test</Namespace>
          </Namespaces>
          <XPath>/envelope/header</XPath>
        </Message>
      </OutputVariable>
      <SignatureAlgorithm />
      <Subject ref="reference">Subject name</Subject>
      <Template ignoreUnresolvedVariables="false">
        <!-- A lot of XML goes here, in CDATA, with {} around
             each variable -->
      </Template>
    </GenerateSAMLAssertion>
    

Resolution

Ensure that the <Issuer> element is always specified and non-empty in the GenerateSAMLAssertion policy.

To correct the above example, specify the <Issuer> element correctly:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateSAMLAssertion name="SAML" ignoreContentType="false">
  <CanonicalizationAlgorithm />
  <Issuer ref="reference">Issuer name</Issuer>
  <KeyStore>
    <Name ref="reference">keystorename</Name>
    <Alias ref="reference">alias</Alias>
  </KeyStore>
  <OutputVariable>
    <FlowVariable>assertion.content</FlowVariable>
    <Message name="request">
      <Namespaces>
        <Namespace prefix="test">http://www.example.com/test</Namespace>
      </Namespaces>
      <XPath>/envelope/header</XPath>
    </Message>
  </OutputVariable>
  <SignatureAlgorithm />
  <Subject ref="reference">Subject name</Subject>
  <Template ignoreUnresolvedVariables="false">
    <!-- A lot of XML goes here, in CDATA, with {} around
         each variable -->
  </Template>
</GenerateSAMLAssertion>

Refer to examples from SAMLAssertion policy.