webvpn_login_primary_username: saml assertion validation failed

The problem occurs when the ADFS server and the Blackboard Learn application server have a time drift close to or beyond the default of 60 seconds. For ADFS, the default configuration for the Entity ID would be https://[Learn Server Hostname]/auth-saml/saml/SSO.

Solution 2.

INFO | jvm 1 | 2016/08/16 10:49:22 | - /saml/SSO at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
at sun.reflect.GeneratedMethodAccessor1652.invoke(Unknown Source)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)

If for any reason an updated/new IdP metadata XML file is uploaded in the Blackboard Learn GUI on the SAML Authentication Settings page in the Identity Provider Settings section for a SAML authentication provider, the SAML B2 and that SAML authentication provider should also be toggled Inactive/Available, while having the SAML authentication provider in 'Active' status, to ensure any cached IdP metadata is cleared out and the updated IdP metadata is fully utilized.

at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at java.security.AccessController.doPrivileged(Native Method)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)

Using the debug above you get to see the actual creation of SAML requests being sent between the ASA and the IdP. The Assertion Consumer Service URL found in the SP metadata is used by the IdP to redirect the user back to the SP and provide information about the user's authentication attempt. For IdPs, this is most commonly the Single Logout Service and Single Sign-On Service.

Please note that even though the IdP Entity ID is a URL, it is not a friendly name that you can pick yourself, so to speak.
