OneLogin - SAML Assertion Warning – “Invalid Authentication Request” Logged in Events (4383147)

Feedback submitted.

Did this article solve an issue for you?

[Select Rating]

Title

OneLogin - SAML Assertion Warning – “Invalid Authentication Request” Logged in Events
Description
Administrators may notice repeated SAML assertion warning events in OneLogin logs stating “Invalid Authentication Request”, even though users successfully authenticate and the application functions as expected.

This warning typically indicates that the Assertion Consumer Service (ACS) URL used by the Service Provider is not properly validated or whitelisted in the OneLogin application configuration.
Symptoms
- Users can successfully access the SAML application via OneLogin.
- The OneLogin Events page shows warning entries such as:
```
SAML assertion warning for <user>
Invalid Authentication Request
```
- Event details often include:
  Assertion Consumer Service URL not whitelisted
  An ACS URL that includes path and/or query string parameters
- The warning may appear repeatedly for multiple users.
Cause
The ACS (Consumer) URL Validator field in the OneLogin application does not exactly match the ACS URL being used by the Service Provider.

Even when authentication succeeds, OneLogin generates a warning if the ACS URL:
- Contains dynamic components (such as query parameters), and
- Is not explicitly validated using a strict or regex‑based match
This behaviour helps highlight potential security mismatches in SAML request handling.
Resolution
Configure the ACS (Consumer) URL Validator to strictly validate the Assertion Consumer Service (ACS) URL used by the Service Provider.

The ACS (Consumer) URL Validator field expects a regular expression. The value must follow Ruby/Rubular regex notation, including proper escaping of special characters such as forward slashes.

Steps
1. In OneLogin, navigate to:
  Applications → (Affected Application) → Configuration
2. Locate the ACS (Consumer) URL Validator field.
3. Enter a regular expression that matches the exact ACS URL used by the Service Provider.
  
  Important formatting rules:
  - Forward slashes (/) must be escaped as \/
  - Special characters (such as ?, .) must be escaped where applicable
  - Use ^ and $ anchors to enforce an exact match
  - The expression should match:
    Protocol (https)
    Hostname
    Path
    Any required query parameters
  Example format:
  
  Plain Text
  
  ^https:\/\/example\.serviceprovider\.com\/saml\/acs\?param=value$
4. (Optional but recommended)
  Validate your regular expression using Rubular, which matches the regex engine used by OneLogin:
  
  👉 https://rubular.com
  
  Paste your regex into Rubular and test it against the full ACS URL to confirm it matches exactly.
5. Save the application configuration.
6. Have users access the application again to generate new authentication events.
Additional Information

The ACS Validator does not accept plain URLs; it must be a regex Failure to escape / characters will result in mismatches Regex-based validation is required when: Query parameters are present Multiple ACS endpoints exist The Service Provider dynamically constructs the ACS URL Advanced SAML Custom Connector >> https://onelogin.service-now.com/support?id=kb_article&sys_id=8a1f3d501b392510c12a41d5ec4bcbcc&kb_category=de885d2187372d10695f0f66cebb351f

See More OneLogin Articles

Feedback submitted.

Did this article solve an issue for you?

[Select Rating]

Request or Create a KB Article »

Search All Articles

Share your favorite Support content with a friend.

Email To
Email From
Subject	Information from Support
Message	You might be interested in the following information For more information regarding support on your Product, please visit www.software.dell.com/support

OneLogin - SAML Assertion Warning – “Invalid Authentication Request” Logged in Events (4383147)

Title

Description

Symptoms

Cause

Resolution

Steps

Additional Information

Leave a Comment