AS - Error codes

From GEANT2-JRA1 Wiki

The Authentication Service (AS), as a perfSONAR service, always includes a status code in every response. This page lists the status codes an AS can send.

Success codes

  • success.as.authn: congratulations! the authentication of the user/client is valid.

Error codes

  • error.authn.soap: the authentication request message has no <soapenv:Header> element, or it has not been sent following the WS-SEC standard.
 <soapenv:Envelope
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Header>
           .
           .
           .
     </soapenv:Header>
     <soapenv:Body>
           .
           .
           .
     </soapenv:Body>
 </soapenv:Envelope>
  • error.authn.not_sectoken: the authentication request message doesn't include any security token. It usually happens when there is no <wsse:Security> element inside the SOAP header.
 <soapenv:Envelope
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Header>
           <wsse:Security> 
           </wsse:Security>
     </soapenv:Header>
     <soapenv:Body>
           .
           .
           .
     </soapenv:Body>
 </soapenv:Envelope>
  • error.authn.wrong_params: the received authentication request message doesn't specify required parameters. This usually happens when the nmwg message doesn't include a parameter called SecurityToken.
 <soapenv:Envelope
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Header>
           .
           .
           .
     </soapenv:Header>
     <soapenv:Body>
           <nmwg:message id="authNMessage1" type="AuthNEERequest" xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/">
                 <nmwg:metadata id="authNMetadata">
                       <nmwg:parameters id="keys">
                             <nmwg:parameter name="SecurityToken">. . .</nmwg:parameter>
                       </nmwg:parameters>
                 </nmwg:metadata>
                 <nmwg:data id="authN1" metadataIdRef="authNMetadata"/>
           </nmwg:message>
     </soapenv:Body>
 </soapenv:Envelope>
  • error.authn.timestamp: the AS cannot validate the timestamp information included in the security token of the received authentication request message. It usually happens when:
    • The message doesn't include the timestamp information.
    • The values in the timestamp element are not right because, compared with the clock of the AS, its creation time is later or its expiry time is earlier.
    • The timestamp has expired.
 <soapenv:Envelope
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Header>
           <wsse:Security>
                       .
                       .
                       .
                 <wsu:Timestamp 
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                       wsu:Id="Timestamp-25688561">
                             <wsu:Created>2008-01-14T10:50:10.972Z</wsu:Created>
                             <wsu:Expires>2008-01-14T10:55:10.972Z</wsu:Expires>
                 </wsu:Timestamp>
           </wsse:Security>
     </soapenv:Header>
     <soapenv:Body>
           .
           .
           .
     </soapenv:Body>
 </soapenv:Envelope>
So, please ask for the maximum lifetime of security tokens in the AS and/or check the clock of the node that generated the security token.
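The timestamp conditions above can be checked on the client before the request is sent. The following is an added example, not perfSONAR code: the function name check_timestamp, the 5-minute maximum lifetime and the 30-second clock-skew allowance are assumptions, and the real values must come from the AS operator.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: the Timestamp values shown on this page inside a wsse:Security header.
SECURITY = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsu:Timestamp wsu:Id="Timestamp-25688561">
    <wsu:Created>2008-01-14T10:50:10.972Z</wsu:Created>
    <wsu:Expires>2008-01-14T10:55:10.972Z</wsu:Expires>
  </wsu:Timestamp>
</wsse:Security>"""

def parse_utc(value):
    """Parse an xsd:dateTime such as 2008-01-14T10:50:10.972Z; no offset means UTC."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_timestamp(security_xml, now, max_lifetime=timedelta(minutes=5),
                    skew=timedelta(seconds=30)):
    """Return None if the timestamp looks acceptable at `now`, else the reason
    it would be rejected (the AS answers error.authn.timestamp)."""
    ts = ET.fromstring(security_xml).find(f".//{{{WSU}}}Timestamp")
    if ts is None:
        return "no wsu:Timestamp element"
    created = ts.findtext(f"{{{WSU}}}Created")
    expires = ts.findtext(f"{{{WSU}}}Expires")
    if not created or not expires:
        return "Created or Expires missing"
    try:
        created, expires = parse_utc(created), parse_utc(expires)
    except ValueError:
        return "Created or Expires is not a valid dateTime"
    if created > now + skew:          # sender clock ahead of the checking clock
        return "created in the future"
    if expires <= now - skew:         # token already past its Expires value
        return "expired"
    if expires - created > max_lifetime:
        return "lifetime longer than the accepted maximum"
    return None
```
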
  • error.authn.wssec: the AS had a problem checking the signature of a security token. It usually happens when the token doesn't contain any <ds:Signature> element or the signature is invalid. The latter case is easy to run into: as soon as the XML library you are using removes white space, or alters the message in a similar way, the signature becomes invalid.
 <soapenv:Envelope
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Header>
           <wsse:Security>
                       .
                       .
                       .
                 <ds:Signature 
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
                       Id="Signature-29913235">
                                   .
                                   .
                                   .
                 </ds:Signature>
           </wsse:Security>
     </soapenv:Header>
     <soapenv:Body>
           .
           .
           .
     </soapenv:Body>
 </soapenv:Envelope>
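Why removed white space invalidates the signature: the digest is computed over the canonical form of the signed element, and canonicalization keeps white space between elements while it absorbs attribute order and quote style. The following is an added example, not perfSONAR code. It assumes Python 3.8+ and lets the standard library's C14N 2.0 and SHA-256 stand in for the canonicalization and digest methods the real signature names; drop_whitespace is a hypothetical stand-in for the offending XML library.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: a signed element exactly as the sender serialized it.
SIGNED = f"""<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="Timestamp-25688561">
    <wsu:Created>2008-01-14T10:50:10.972Z</wsu:Created>
    <wsu:Expires>2008-01-14T10:55:10.972Z</wsu:Expires>
</wsu:Timestamp>"""

# Same element with attribute order and quote style changed (constructed).
REORDERED = SIGNED.replace(
    f'xmlns:wsu="{WSU}" wsu:Id="Timestamp-25688561"',
    f"wsu:Id='Timestamp-25688561' xmlns:wsu='{WSU}'",
)

def reference_digest(xml_text):
    """Base64 digest over the canonical form, i.e. what a ds:DigestValue carries."""
    canonical = ET.canonicalize(xml_data=xml_text)  # whitespace text nodes are kept
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def drop_whitespace(xml_text):
    """Simulate a library that discards whitespace between elements on re-serialization."""
    return re.sub(r">\s+<", "><", xml_text)

def digest_survives(signed_xml, received_xml):
    """True if the receiver would compute the same digest the sender signed."""
    return reference_digest(signed_xml) == reference_digest(received_xml)
```

Running digest_survives over a message before and after it passes through your own XML stack shows whether that stack is safe to place between signing and sending.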
  • error.authn.assertion_not_included: the authentication request message specifies in the SecurityToken parameter that its security token is based on a SAML assertion but the message doesn't include an element <wsse:BinarySecurityToken> with attributes ValueType="#SAMLBase64Binary" and wsu:Id="SAML".
 <soapenv:Envelope
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Header>
           <wsse:Security>
                       .
                       .
                       .
                 <wsse:BinarySecurityToken 
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
                       ValueType="#SAMLBase64Binary" 
                       wsu:Id="SAML">
                                   .
                                   .
                                   .
                 </wsse:BinarySecurityToken>
           </wsse:Security>
     </soapenv:Header>
     <soapenv:Body>
           .
           .
           .
     </soapenv:Body>
 </soapenv:Envelope>
  • error.authn.assertion_not_valid: the assertion included in the element <wsse:BinarySecurityToken> with attributes ValueType="#SAMLBase64Binary" and wsu:Id="SAML" is not valid. This usually happens when it has been signed with a key pair that is not valid in the eduGAIN trust model or its certificate has expired.
 <soapenv:Envelope
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Header>
           <wsse:Security>
                       .
                       .
                       .
                 <wsse:BinarySecurityToken 
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
                       ValueType="#SAMLBase64Binary" 
                       wsu:Id="SAML">
                                   .
                                   .
                                   .
                 </wsse:BinarySecurityToken>
           </wsse:Security>
     </soapenv:Header>
     <soapenv:Body>
           .
           .
           .
     </soapenv:Body>
 </soapenv:Envelope>
  • error.authn.x509_not_included: the authentication request message specifies in the SecurityToken parameter that its security token is based on an X.509 certificate but the message doesn't include an element <wsse:BinarySecurityToken> with the attribute ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3".
 <soapenv:Envelope
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Header>
           <wsse:Security>
                       .
                       .
                       .
                 <wsse:BinarySecurityToken 
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
                       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
                       wsu:Id="CertId-15005985">
                                   .
                                   .
                                   .
                 </wsse:BinarySecurityToken>
           </wsse:Security>
     </soapenv:Header>
     <soapenv:Body>
           .
           .
           .
     </soapenv:Body>
 </soapenv:Envelope>
  • error.authn.x509_not_valid: the X.509 certificate included in the element <wsse:BinarySecurityToken> with the attribute ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" is not valid. This usually happens when the certificate is not valid in the eduGAIN trust model or it has expired.
 <soapenv:Envelope
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Header>
           <wsse:Security>
                       .
                       .
                       .
                 <wsse:BinarySecurityToken 
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
                       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
                       wsu:Id="CertId-15005985">
                                   .
                                   .
                                   .
                 </wsse:BinarySecurityToken>
           </wsse:Security>
     </soapenv:Header>
     <soapenv:Body>
           .
           .
           .
     </soapenv:Body>
 </soapenv:Envelope>
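The structural conditions listed on this page (missing header, missing <wsse:Security>, missing SecurityToken parameter, missing timestamp, missing signature, missing token element) can be checked on the client before a request is sent. The following is an added example, not perfSONAR code: the function name preflight, the order of the checks and the token_kind argument ("saml" or "x509", supplied by the caller because the parameter's values are not shown here) are assumptions, and it tests presence only, not validity.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "nmwg": "http://ggf.org/ns/nmwg/base/2.0/",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
WSU_ID = f"{{{NS['wsu']}}}Id"

# Constructed sample request; token and parameter contents are elided as on this page.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:nmwg="{NS['nmwg']}">
  <soapenv:Header><wsse:Security>
    <wsse:BinarySecurityToken ValueType="#SAMLBase64Binary" wsu:Id="SAML">...</wsse:BinarySecurityToken>
    <wsu:Timestamp><wsu:Created>2008-01-14T10:50:10.972Z</wsu:Created></wsu:Timestamp>
    <ds:Signature/>
  </wsse:Security></soapenv:Header>
  <soapenv:Body><nmwg:message type="AuthNEERequest"><nmwg:metadata><nmwg:parameters>
    <nmwg:parameter name="SecurityToken">...</nmwg:parameter>
  </nmwg:parameters></nmwg:metadata></nmwg:message></soapenv:Body>
</soapenv:Envelope>"""

def preflight(envelope_xml, token_kind):
    """Return the status code a structurally incomplete request maps to, or None."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soapenv:Header", NS)
    if header is None:
        return "error.authn.soap"
    security = header.find("wsse:Security", NS)
    if security is None:
        return "error.authn.not_sectoken"
    if root.find(".//nmwg:parameter[@name='SecurityToken']", NS) is None:
        return "error.authn.wrong_params"
    if security.find("wsu:Timestamp", NS) is None:
        return "error.authn.timestamp"
    if security.find("ds:Signature", NS) is None:
        return "error.authn.wssec"
    tokens = security.findall("wsse:BinarySecurityToken", NS)
    if token_kind == "saml":
        found = any(t.get("ValueType") == "#SAMLBase64Binary" and t.get(WSU_ID) == "SAML"
                    for t in tokens)
        return None if found else "error.authn.assertion_not_included"
    found = any(t.get("ValueType") == X509V3 for t in tokens)
    return None if found else "error.authn.x509_not_included"
```
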