Symptom:
When attempting to access the Hub with the prefix configured in the Virtual Proxy, the following error is returned: "Error 400 - Bad request Contact your system administrator. The user cannot be authenticated by the SAML response through the following virtual proxy... "
Environment:
Cause:
The IdP metadata could not be successfully sent back to Qlik Sense due to the misconfiguration of the Assertion Consumer Service Index setting on the Ping Federate console.
Resolution:
Troubleshooting steps performed:
- Followed the steps outlined in Qlik Sense: Information needed to Troubleshoot SAML SSO related issues to gather the information needed to troubleshoot the issue
- Review of the .HAR file indicates that communication from Qlik Sense to the IdP succeeds and that the failure occurs when the IdP communicates back to Qlik Sense
- The Audit_Proxy log contains error: The Identity Provider failed authentication.
- SAML trace logs returned error: The requested AssertionConsumerServiceIndex 2 does not exist.
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
    <samlp:StatusMessage>The requested AssertionConsumerServiceIndex 2 does not exist.</samlp:StatusMessage>
  </samlp:Status>
- Reviewed "Specifying Assertion Consumer Service in AuthnRequest", which indicates that this setting is configured on the Ping Federate console, not in Qlik Sense
- The Ping Federate administrator changed default connections to be created with an Index of 0, which resolved the issue.
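
The check behind the SAML trace finding, as an added example that is not part of the original article and is not Qlik or Ping code: it decodes a SAMLRequest/SAMLResponse value copied from the .HAR file, reads the status returned by the IdP, and compares the AssertionConsumerServiceIndex in the AuthnRequest with the indexes registered for the connection. The sample XML, the placeholder hostname, and the use of SAML metadata to stand for the endpoints registered on the IdP are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed samples (not from a real trace); ID and hostname are placeholders.
AUTHN_REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed" '
                 'Version="2.0" AssertionConsumerServiceIndex="2"/>')
# Assumption: the ACS endpoints known to the IdP, written as SAML metadata.
IDP_SP_CONNECTION = (f'<md:SPSSODescriptor xmlns:md="{MD}">'
                     '<md:AssertionConsumerService index="0" '
                     'Location="https://sense.example.test/acs-placeholder"/>'
                     '</md:SPSSODescriptor>')
RESPONSE = (f'<samlp:Response xmlns:samlp="{SAMLP}"><samlp:Status>'
            '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>'
            '<samlp:StatusMessage>The requested AssertionConsumerServiceIndex 2 '
            'does not exist.</samlp:StatusMessage></samlp:Status></samlp:Response>')

def decode_saml(value, deflated=False):
    """Decode a URL-decoded SAMLRequest/SAMLResponse parameter taken from a HAR.
    HTTP-POST carries plain base64; HTTP-Redirect is raw DEFLATE, then base64."""
    raw = base64.b64decode(value)
    return (zlib.decompress(raw, -15) if deflated else raw).decode("utf-8")

def saml_status(response_xml):
    """Return (StatusCode Value, StatusMessage or None) from a SAML Response."""
    status = ET.fromstring(response_xml).find(f"{{{SAMLP}}}Status")
    code = status.find(f"{{{SAMLP}}}StatusCode").get("Value")
    return code, status.findtext(f"{{{SAMLP}}}StatusMessage")

def check_acs_index(authn_request_xml, sp_connection_xml):
    """Compare the index the SP requests with the indexes registered on the IdP."""
    requested = ET.fromstring(authn_request_xml).get("AssertionConsumerServiceIndex")
    requested = int(requested) if requested is not None else None
    registered = sorted(
        int(e.get("index"))
        for e in ET.fromstring(sp_connection_xml).iter(f"{{{MD}}}AssertionConsumerService"))
    # A request that carries no index cannot mismatch on index.
    return {"requested": requested, "registered": registered,
            "match": requested is None or requested in registered}

if __name__ == "__main__":
    print(saml_status(RESPONSE))
    print(check_acs_index(AUTHN_REQUEST, IDP_SP_CONNECTION))
```

A `match` of `False` together with a `Requester` status code points at the index configuration rather than at certificates or attribute mapping.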