Symptoms
Users are unable to authenticate and launch a Virtual App from Horizon, getting Error: HTTP error 500.
SAML is failing to refresh metadata from Horizon to WS1.
2 SAML Authenticators are configured in the Horizon Broker.
Horizon Server logs may show log lines similar to the following (to gather the logs, see Collecting VMware Horizon View log bundles (1017939)):
2021-12-27T12:03:36.507-05:00 ERROR (10EC-18C4) <SAMLAuthenticatorHealthUpdate> [AbstractReloadingMetadataResolver] Error occurred while attempting to refresh metadata from 'https://workspaceone.example.com/SAAS/API/1.0/GET/metadata/idp.xml' org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.refresh(AbstractReloadingMetadataResolver.java:294)
Caused by: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 14; DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
.....
Caused by: org.opensaml.core.xml.io.UnmarshallingException: net.shibboleth.utilities.java.support.xml.XMLParserException: Unable to parse inputstream, it contained invalid XML
Decryption errors may also be seen:
[Decrypter] (SESSION:xxxx_***_xxxx) Error decrypting encrypted key org.opensaml.xmlsec.encryption.support.Decrypter.decryptKey(Decrypter.java:717) org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed Original Exception was java.security.InvalidKeyException:
Unwrapping failed at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1499) at
Resolution
Remove the problematic SAML authenticator from the Horizon environment. For more information on SAML, please see the following documentation: Configure a SAML Authenticator in Horizon Console and Response Time Considerations for Multiple Dynamic SAML Authenticators.
Workaround
Do not configure any SAML authenticator in Horizon until it is fully commissioned.
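
One way to check an authenticator's metadata response before it is configured, given that the log above shows the parser rejecting any DOCTYPE declaration. This is an added example, not vendor code: it uses Python's expat as a stand-in for the Horizon parser, and the function name, status strings and sample documents are constructed for illustration.

```python
import xml.parsers.expat

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
METADATA_ROOTS = {f"{MD_NS} EntityDescriptor", f"{MD_NS} EntitiesDescriptor"}


class DoctypeFound(Exception):
    """Raised from the expat callback as soon as a DOCTYPE is declared."""


def check_metadata(body: bytes) -> str:
    """Classify a metadata response: ok, doctype, not-xml or not-metadata."""
    root = []  # namespace-qualified name of the first element seen

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Same policy as disallow-doctype-decl: stop before any DTD is read.
        raise DoctypeFound(name)

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except DoctypeFound:
        return "doctype"
    except xml.parsers.expat.ExpatError:
        return "not-xml"  # empty, truncated or otherwise malformed body
    return "ok" if root and root[0] in METADATA_ROOTS else "not-metadata"


# Constructed sample responses (not taken from any real identity provider).
ENTITY = (b'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          b'entityID="https://idp.example.test/metadata"><md:IDPSSODescriptor '
          b'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
          b'</md:EntityDescriptor>')
GOOD = b'<?xml version="1.0"?>' + ENTITY
WITH_DOCTYPE = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "b">]>' + ENTITY
HTML_PAGE = b'<!DOCTYPE html><html><body>Sign in</body></html>'

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("with doctype", WITH_DOCTYPE),
                       ("html page", HTML_PAGE), ("truncated", GOOD[:-5])]:
        print(f"{label}: {check_metadata(doc)}")
```

Any result other than ok means the URL is not yet serving metadata that a DOCTYPE-rejecting parser will accept, so the authenticator should not be added yet.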