Troubleshooting Tips: SSO configuration

Issue: org.opensaml.common.SAMLException: Local entity is not the intended audience of the assertion in at least one AudienceRestriction.
Symptom: The audience URL in the SAML assertion does not match the Service provider identity in webMethods API Gateway.
Solution: Make sure the Service provider identity in webMethods API Gateway matches the audience URL in the assertion.

Issue: If you have enabled Enforce SSO login by default and have provided incorrect information while configuring SAML SSO, you cannot update the SAML SSO configuration in webMethods API Gateway because you are redirected to the SSO Login page directly.
Solution: In such a case, log in to webMethods API Gateway using the http(s)://hostname:portnumber/apigatewayui/login?usesso=false URL and update the SSO configuration with the correct details.

Issue: Caused by: org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message
Solution: Ensure that:
  • Cookies are enabled in the browser.
  • The URL used to access the API Gateway UI is the same as the URL specified in the SAML SSO configuration.

Note: If there is any other exception, check the sag_osgi.log file in the SAGInstallDir\profiles\IS_default\logs directory to troubleshoot.
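As an added illustration (not part of the original documentation or of the product's code), the following Python function performs the two checks behind the exceptions above on a constructed SAML response: the InResponseTo correlation against the AuthnRequest ID the service provider stored in the browser session, and the AudienceRestriction match against the service provider identity. The entity ID, request ID and XML are assumed sample values.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample SAML response (not a real IdP message). The audience
# value and the InResponseTo value are assumptions for this illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req123" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://gateway.example.com/apigateway</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, sp_entity_id, sent_request_id):
    """Return the list of failed checks; an empty list means the response passes.

    sent_request_id is the AuthnRequest ID the service provider saved in the
    browser session before redirecting to the IdP. None models a lost session,
    which is what happens when cookies are disabled or the UI is reached via a
    hostname other than the one in the SSO configuration.
    """
    root = ET.fromstring(xml_text)
    problems = []
    # Correlation check: the Response must answer the request this session sent.
    if sent_request_id is None or root.get("InResponseTo") != sent_request_id:
        problems.append("InResponseToField of the Response doesn't correspond to sent message")
    # Audience check: every AudienceRestriction must name this service provider.
    for restriction in root.iterfind(".//saml:AudienceRestriction", NS):
        audiences = [a.text for a in restriction.iterfind("saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("Local entity is not the intended audience of the assertion "
                            "in at least one AudienceRestriction")
            break
    return problems


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, "https://gateway.example.com/apigateway", "_req123"))
    print(check_saml_response(SAMPLE_RESPONSE, "https://other-sp.example.com", None))
```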

Limitation

When you log in to webMethods API Gateway using SSO, both an IdP session and a webMethods API Gateway session are created. When you log out from webMethods API Gateway, only the webMethods API Gateway session is terminated; the IdP session is terminated according to its own session timeout configuration. webMethods API Gateway does not support Single Logout (SLO).