I had a fully configured SAML SSO environment with my application deployed and SAML SSO configured on WebSphere 9.0.5 and ISVA 10.0.3 containers. The ISVA containers were running on a host VM on Ubuntu OS 18.0.4. Then I had to upgrade the OS to Ubuntu 20.0.4. All ISVA containers are running as expected. However, SAML SSO is no longer working. What is happening is that I am no longer redirected to the ISVA IDP login page. The SAML SSO configurations have not changed on the WAS side or on the ISVA side. I am seeing the following errors in the WebSphere SAML trace:
3/6/23 15:14:47:730 UTC] 00000102 ACSTrustAssoc > createTAIErrorResult(req[com.ibm.ws.webcontainer.srt.SRTServletRequest], res[com.ibm.ws.webcontainer.srt.SRTServletResponse], msg[CWWSS8017E: Authentication Error: Single-Sign-on cookie is not present or could not be verified. Please login to the SAML Identity Provider, and try again.], before[false]) Entry
I can test login to ISVA successfully with the URL that is configured in SAML properties.
It seems that something happened either in the ISVA federation or the reverse proxy server, but I am really stuck and have no idea where to look. I would very much appreciate it if someone could please provide some guidance on what on the ISVA side could affect SAML generation or perhaps the connection between WAS (SP) and ISVA (IDP) after the container host upgrade.
One checkpoint was to sync up the times between the ISVA containers host and WAS. The times are now synced up. I can ping the WAS VM from the ISVA containers host.
Appreciate your reply and feedback.
------------------------------
IRINA CHVETS
------------------------------