How to fix 'Recipient attribute in SubjectConfirmationData mismatch' error when re-authenticating e-Signature approval via SSO - Support and Troubleshooting

How to fix 'Recipient attribute in SubjectConfirmationData mismatch' error when re-authenticating e-Signature approval via SSO Issue The issue is likely to occur when the user is login via SSO by IDP record A, but the user attempts to process the e-Signature approval via SSO by IDP record B which being defined to process e-Signature approval.

When the issue is replicated, we can see the screen-cuts below after the user clicking the approval button.

Meanwhile, we can find the some typical error logs - with key message "Recipient attribute in SubjectConfirmationData mismatch." (in MultiSSO debug mode)

_____________________________________________________________________

2020-01-08 12:59:09 (743) Default-thread-15 010540AC1BD68010D026751BDD4BCB29 txid=09258c6c1bd6 *** Start #38125 /xmlhttp.do, user: user email address ... 2020-01-08 12:59:09 (772) Default-thread-15 010540AC1BD68010D026751BDD4BCB29 txid=09258c6c1bd6 *** Script: Just instantiated SAML2_update1 2020-01-08 12:59:09 (773) Default-thread-15 010540AC1BD68010D026751BDD4BCB29 txid=09258c6c1bd6 *** Script: Read from column : esig_idp_authnrequest_url, value: null 2020-01-08 12:59:09 (773) Default-thread-15 010540AC1BD68010D026751BDD4BCB29 txid=09258c6c1bd6 *** Script: Read from column : idp_authnrequest_url, value: https://avanir.okta.com/app/avanirpharmaceuticalsinc_servicenowud20project2tempesignature_1/exk1gc2unyw9AVjn11d8/sso/saml ... 2020-01-08 12:59:09 (942) Default-thread-15 010540AC1BD68010D026751BDD4BCB29 txid=09258c6c1bd6 *** Script: Redirecting to: <a href="https://avanir.okta.com/app/avanirpharmaceuticalsinc_servicenowud20project2tempesignature_1/exk1gc2unyw9AVjn11d8/sso/saml?SAMLRequest=nVPLbtswEPwVgXe9GMu2CMuAaqOogTQ1YjeHXgKG3NhMJFLlknLy95FkBUiLNkBy5c7OzO4sF8jrijas9O6or%2BG3B3TBU11pZOdKQbzVzHBUyDSvAZkTbFd%2Bv2Q0SlhjjTPCVCQoEcE6ZfTKaPQ12B3YVgn4eX1ZkKNzDbI45i3XyjZHbmsuwDsleIUO6oZGeIaH2pwiYepYjDSRNCRYd66U5j3932SReXR86OBN828BpcXtSN%2Bxe0mTzvYDCEd7aUB16Ki9hds0hqfH9CCo18%2BnvLx50Gkq5zGiiftlkOCrsQKGVRXEWQ8k2KwLsrtacTrNxJ2cwmQ%2ByabZLMsBLtIsn00uZEon0w6IW46oWijIfeepb0X0sNHouHYFoQlNwiQNk%2FmeJizLWZJHs9n8Fwm2446%2FKC2VPrwfyN0ZhOzbfr8Ntz92%2B4GgVRLsVYf%2BVBaatw0%2FwBDFDVgcYujUyHIxHAkbRrFv7%2BZ9l%2Fz1WMjy43YW8VvR0ULD%2Buk2662plHgOyqoyp5UF7uA1qS67mrv%2F%2B0qjdHhRMrwfoAxqrqpSSguIJF6Oun%2F%2BleUL">https://avanir.okta.com/app/avanirpharmaceuticalsinc_servicenowud20project2tempesignature_1/exk1gc2unyw9AVjn11d8/sso/saml?SAMLRequest=nVPLbtswEPwVgXe9GMu2CMuAaqOogTQ1YjeHXgKG3NhMJFLlknLy95FkBUiLNkBy5c7OzO4sF8jrijas9O6or%2BG3B3TBU11pZOdKQbzVzHBUyDSvAZkTbFd%2Bv2Q0SlhjjTPCVCQoEcE6ZfTKaPQ12B3YVgn4eX1ZkKNzDbI45i3XyjZHbmsuwDsleIUO6oZGeIaH2pwiYepYjDSRNCRYd66U5j3932SReXR86OBN828BpcXtSN%2Bxe0mTzvYDCEd7aUB16Ki9hds0hqfH9CCo18%2BnvLx50Gkq5zGiiftlkOCrsQKGVRXEWQ8k2KwLsrtacTrNxJ2cwmQ%2ByabZLMsBLtIsn00uZEon0w6IW46oWijIfeepb0X0sNHouHYFoQlNwiQNk%2FmeJizLWZJHs9n8Fwm2446%2FKC2VPrwfyN0ZhOzbfr8Ntz92%2B4GgVRLsVYf%2BVBaatw0%2FwBDFDVgcYujUyHIxHAkbRrFv7%2BZ9l%2Fz1WMjy43YW8VvR0ULD%2Buk2662plHgOyqoyp5UF7uA1qS67mrv%2F%2B0qjdHhRMrwfoAxqrqpSSguIJF6Oun%2F%2BleUL ... 2020-01-08 12:59:43 (197) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 #38131 /consumer.do Parameters ------------------------- RelayState= SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwczovL2F2YW5pcnBoYXJtYWNldXRpY2Fsc3RlbXAyLnNlcnZpY2Utbm93LmNvbS9jb25zdW1lci5kbyIgSUQ9ImlkNDMzMTg5NzMxNTY0ODk2OTE0MzQyMjY5NTAiIEluUmVzcG9uc2VUbz0iU05DYTI2NWNiZDZlNDg0NTY1NzU5ZWUzMTU5NzQzZDEyNDYiIElzc3VlSW5zdGFudD0iMjAyMC0wMS0wOFQyMDo1OTo0Mi45MzlaIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48c2FtbDI6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5IiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cDovL3d3dy5va3RhLmNvbS9leGsxZ2MydW55dzlBVmpuMTFkODwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJ... 2020-01-08 12:59:43 (198) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Start #38131 /consumer.do, user: user email address ... 2020-01-08 12:59:43 (227) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Signature validated. 2020-01-08 12:59:43 (228) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Step 1/5: Signature validation is successful 2020-01-08 12:59:43 (228) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Certificate validated. 2020-01-08 12:59:43 (229) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Step 2/5: Certificate validation is successful 2020-01-08 12:59:43 (229) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Read from column : audience, value: https://instancename.service-now.com 2020-01-08 12:59:43 (229) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Found matching audience. 2020-01-08 12:59:43 (230) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Conditions validated. 2020-01-08 12:59:43 (230) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Step 3/5: AudienceRestriction/Condition validation is successful 2020-01-08 12:59:43 (230) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Read from column : idp, value: http://www.okta.com/exk1gc2unyw9AVjn11d8 2020-01-08 12:59:43 (231) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Issuer validated. 2020-01-08 12:59:43 (231) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Step 4/5: Certificate Issuer validation is successful 2020-01-08 12:59:43 (233) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 SEVERE *** ERROR *** SAML2: SAML2ValidationError: Recipient attribute in SubjectConfirmationData mismatch. Expected: https://instancename.service-now.com /consumer.do , Actual: https://instancename.service-now.com /navpage.do 2020-01-08 12:59:43 (235) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 SEVERE *** ERROR *** SAML2: SAML2ValidationError: No valid SubjectConfirmation found. 2020-01-08 12:59:43 (236) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** Script: Could not validate SAMLResponse ... 2020-01-08 12:59:43 (247) Default-thread-6 010540AC1BD68010D026751BDD4BCB29 txid=d945c0ac1bd6 *** End #38131 /consumer.do, user: user email address, total time: 0:00:00.056, processing time: 0:00:00.056, SQL time: 0:00:00.001 (count: 12), source: 63.110.238.66

_____________________________________________________________________

Release All releases

Cause When the user is login vis SSO by IDP record A, the http session (getHttpSession) is from navpage.do, however after that, when the user attempts to process the e-Signature approval via SSO by IDP record B, the e-sig sends SAML request in consumer.do (usually is the value in the 'Assertion Consumer URL for eSignature authentication' of IDP record B)

As a result it breaks the function 'validateRecipientAttribute' in script include 'SAML2_update1', so the system will log key message in error log - "Recipient attribute in SubjectConfirmationData mismatch." from the function 'validateRecipientAttribute'.

https://instancename.service-now.com/nav_to.do?uri=sys_script_include.do?sys_id=5cfc38231b00200000009141be0713ef

Resolution Comment out the function 'validateRecipientAttribute' in script include 'SAML2_update1', the issue will be fixed.