https://community.qlik.com/t5/Official-Support-Articles/Error-400-Bad-request-Contact-your-system-administrator-The-user/ta-p/1713070 <H4>Environment:</H4> <P class="lia-indent-padding-left-30px"><LI-PRODUCT title="Qlik Sense Enterprise on Windows" id="qlikSenseEnterpriseWindows"></LI-PRODUCT>&nbsp;, all versions</P> <H4><BR /><FONT color="#339966"><STRONG>Scenario 1:</STRONG></FONT></H4> <P>When setting up SP initiated SAML Authentication with a 3rd party SSL and custom ports, login fails with the following:</P> <P>"<FONT face="courier new,courier">Error 400 - Bad request Contact your system administrator. The user cannot be authenticated by the SAML response through the following virtual proxy</FONT>"</P> <P>The certificate was checked to ensure it read Provider =&nbsp;<STRONG><I>Microsoft Enhanced RSA and AES Cryptographic Provider,&nbsp;</I></STRONG>but authentication is still failing a 400 error, with very little indication as to what was occurring in the logging.&nbsp;&nbsp;<BR />&nbsp;</P> <P>Custom ports are not always reflected in the metadata, which causes the connection to attempt on the standard secure port (<STRONG>443)</STRONG></P> <H3 class="qlik-migrated-tkb-headings">Resolution:</H3> <P><BR />Check the metadata that is uploaded from the Identity Provider in the Qlik Management Console to ensure the port number is not listed, or utilizing the custom port.&nbsp;&nbsp;<BR /><BR /><STRONG>Example:</STRONG><BR />In the metadata, you will see the POST and Redirect URL's using the standard port (<STRONG>443</STRONG>), though port <STRONG>1443 </STRONG>is specified in the proxy.&nbsp;&nbsp;<BR /><FONT face="courier new,courier">Location="<A href="https://qlikserver1.domain.local:443/pingfed/samlauthn/" target="_blank" rel="noopener">https://qlikserver1.domain.local:443/pingfed/samlauthn/</A>"</FONT><BR /><FONT face="courier new,courier">Change the URL to read the correct custom port number specified in the proxy.&nbsp;&nbsp;</FONT><BR /><FONT face="courier new,courier">Location="<A href="https://qlikserver1.domain.local:1443/pingfed/samlauthn/" target="_blank" rel="noopener">https://qlikserver1.domain.local:1443/pingfed/samlauthn/</A>"</FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><FONT color="#339966"><STRONG>Scenario 2:</STRONG></FONT></H4> <P>SAML is a data format for authentication and authorization. It&nbsp;enables&nbsp;single sign-on (SSO), and thereby minimizes the number of times a user has to log on to cloud applications and websites. Three entities are involved in the authentication process:</P> <UL> <LI>the user</LI> <LI>the identity provider (IdP)</LI> <LI>the service provider (SP)</LI> </UL> <P>The identity provider is used for authentication. When the identity provider has asserted the user identity, the service provider can give the user access to their services. Because the identity provider has enabled&nbsp;SSO, the user can access several service provider sites and applications without having to log in at each site.<BR /><BR />If SAML Autentication fails in&nbsp;the audit proxy log the following message can be seen:<BR /><BR />The identity provider failed authentication.&nbsp;urn:oasis:names:tc:SAML:2.0:status:Requester<BR /><BR />Refer to&nbsp;<A href="https://msdn.microsoft.com/en-us/library/hh269642.aspx" target="_blank" rel="noopener">https://msdn.microsoft.com/en-us/library/hh269642.aspx</A>&nbsp;for the status codes.</P> <P>&nbsp;</P> <H3>Resolution:</H3> <P>&nbsp;</P> <P>It may be necessary to check the following:</P> <UL> <LI>On the metadata.xml file set<BR /><FONT face="courier new,courier">WantAuthnRequestsSigned=true</FONT></LI> <LI>Recreate the metadata file double signing it.</LI> <LI>Set&nbsp;AssertionConsumerService to 2</LI> </UL> <P>&nbsp;</P> Tue, 25 Oct 2022 09:52:44 GMT Sonja_Bauernfeind 2022-10-25T09:52:44Z https://community.qlik.com/t5/Official-Support-Articles/Error-400-Bad-request-Contact-your-system-administrator-The-user/ta-p/1713070 <H4>Environment:</H4> <P class="lia-indent-padding-left-30px"><LI-PRODUCT title="Qlik Sense Enterprise on Windows" id="qlikSenseEnterpriseWindows"></LI-PRODUCT>&nbsp;, all versions</P> <H4><BR /><FONT color="#339966"><STRONG>Scenario 1:</STRONG></FONT></H4> <P>When setting up SP initiated SAML Authentication with a 3rd party SSL and custom ports, login fails with the following:</P> <P>"<FONT face="courier new,courier">Error 400 - Bad request Contact your system administrator. The user cannot be authenticated by the SAML response through the following virtual proxy</FONT>"</P> <P>The certificate was checked to ensure it read Provider =&nbsp;<STRONG><I>Microsoft Enhanced RSA and AES Cryptographic Provider,&nbsp;</I></STRONG>but authentication is still failing a 400 error, with very little indication as to what was occurring in the logging.&nbsp;&nbsp;<BR />&nbsp;</P> <P>Custom ports are not always reflected in the metadata, which causes the connection to attempt on the standard secure port (<STRONG>443)</STRONG></P> <H3 class="qlik-migrated-tkb-headings">Resolution:</H3> <P><BR />Check the metadata that is uploaded from the Identity Provider in the Qlik Management Console to ensure the port number is not listed, or utilizing the custom port.&nbsp;&nbsp;<BR /><BR /><STRONG>Example:</STRONG><BR />In the metadata, you will see the POST and Redirect URL's using the standard port (<STRONG>443</STRONG>), though port <STRONG>1443 </STRONG>is specified in the proxy.&nbsp;&nbsp;<BR /><FONT face="courier new,courier">Location="<A href="https://qlikserver1.domain.local:443/pingfed/samlauthn/" target="_blank" rel="noopener">https://qlikserver1.domain.local:443/pingfed/samlauthn/</A>"</FONT><BR /><FONT face="courier new,courier">Change the URL to read the correct custom port number specified in the proxy.&nbsp;&nbsp;</FONT><BR /><FONT face="courier new,courier">Location="<A href="https://qlikserver1.domain.local:1443/pingfed/samlauthn/" target="_blank" rel="noopener">https://qlikserver1.domain.local:1443/pingfed/samlauthn/</A>"</FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><FONT color="#339966"><STRONG>Scenario 2:</STRONG></FONT></H4> <P>SAML is a data format for authentication and authorization. It&nbsp;enables&nbsp;single sign-on (SSO), and thereby minimizes the number of times a user has to log on to cloud applications and websites. Three entities are involved in the authentication process:</P> <UL> <LI>the user</LI> <LI>the identity provider (IdP)</LI> <LI>the service provider (SP)</LI> </UL> <P>The identity provider is used for authentication. When the identity provider has asserted the user identity, the service provider can give the user access to their services. Because the identity provider has enabled&nbsp;SSO, the user can access several service provider sites and applications without having to log in at each site.<BR /><BR />If SAML Autentication fails in&nbsp;the audit proxy log the following message can be seen:<BR /><BR />The identity provider failed authentication.&nbsp;urn:oasis:names:tc:SAML:2.0:status:Requester<BR /><BR />Refer to&nbsp;<A href="https://msdn.microsoft.com/en-us/library/hh269642.aspx" target="_blank" rel="noopener">https://msdn.microsoft.com/en-us/library/hh269642.aspx</A>&nbsp;for the status codes.</P> <P>&nbsp;</P> <H3>Resolution:</H3> <P>&nbsp;</P> <P>It may be necessary to check the following:</P> <UL> <LI>On the metadata.xml file set<BR /><FONT face="courier new,courier">WantAuthnRequestsSigned=true</FONT></LI> <LI>Recreate the metadata file double signing it.</LI> <LI>Set&nbsp;AssertionConsumerService to 2</LI> </UL> <P>&nbsp;</P> Tue, 25 Oct 2022 09:52:44 GMT https://community.qlik.com/t5/Official-Support-Articles/Error-400-Bad-request-Contact-your-system-administrator-The-user/ta-p/1713070 Sonja_Bauernfeind 2022-10-25T09:52:44Z