Troubleshooting SAML integration errors
Jadu Central includes two SAML integrations: one for authentication of website administrators and one for website users.
Enabling logging
Logs are enabled by default, but messages are not written unless Debug mode is also enabled, which keeps the load on production servers to a minimum.
Should logging ever be disabled, it can be re-enabled as follows:
- Log into your server, either by SSH or RDP depending on your environment.
- Open `config/logs.xml` in a file editor.
- Change the `enable` attribute value to `true` for the log you need to enable:
  - Administrator integration logs are `samlAdminAuthenticationAdapter`
  - Website user integration logs are `samlAuthenticationAdapter`
- Save the changes and clear the application cache.
Debug mode
When the debug option is enabled, all actions, errors, and available user attributes will be logged.
Note: This option is very useful for diagnosing issues when initially setting up the adapter; however, it should be disabled on production environments because sensitive data (including user attributes) may be recorded.
The log files are available at:
// Website user integration
<JADU_PATH>/logs/samlAuthenticationAdapter/YYYY/MM/DD.log
// Administrator integration
<JADU_PATH>/logs/samlAdminAuthenticationAdapter/YYYY/MM/DD.log
Example of logs received for an authentication request:
[2019-07-03 15:00:40] samlAuthenticationAdapter.DEBUG: Received auth attributes {"attributes":{"urn:oid:0.9.2342.19200300.100.1.1":["johnd"],"urn:oid:0.9.2342.19200300.100.1.3":["johnd@local.box"],"urn:oid:1.3.6.1.4.1.5923.1.1.1.9":["member"],"urn:oid:2.5.4.42":["John"],"urn:oid:2.5.4.4":["Doe"]}} []
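The debug line above is the quickest place to confirm which attribute to configure as the User Identifier Attribute. The following helper is an added example, not part of Jadu Central: it parses lines in the shape shown above, relabels the OID-style attribute names, and checks that the attribute you intend to use as the identifier is present, non-empty and single-valued.

```python
import json
import re

# Friendly names for the OID-style attribute URNs that appear in the sample log line.
OID_NAMES = {
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
}

# Line shape seen in the log: [timestamp] channel.LEVEL: message {json context} []
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<channel>\S+)\.(?P<level>[A-Z]+): (?P<msg>.*?) (?P<ctx>\{.*\}) \[\]$"
)

def parse_log_line(line):
    """Return the parsed record, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ctx = json.loads(m.group("ctx"))
    return {
        "ts": m.group("ts"), "channel": m.group("channel"), "level": m.group("level"),
        "message": m.group("msg"), "attributes": ctx.get("attributes", {}),
    }

def friendly_attributes(attrs):
    """Relabel OID URNs with their usual names so the log is easier to read."""
    return {OID_NAMES.get(k, k): v for k, v in attrs.items()}

def check_identifier(attrs, identifier_attribute):
    """Check the attribute intended as User Identifier Attribute: present, non-empty, single-valued.
    Returns (ok, detail); a failure here is what later surfaces as an empty or unstable identifier."""
    values = attrs.get(identifier_attribute, [])
    if not values or not str(values[0]).strip():
        return False, f"{identifier_attribute} missing or empty in the IdP attributes"
    if len(values) > 1:
        return False, f"{identifier_attribute} is multi-valued: {values}"
    return True, values[0]

# Constructed copy of the page's example line, joined into one line as it appears in the log file.
SAMPLE_LINE = ('[2019-07-03 15:00:40] samlAuthenticationAdapter.DEBUG: Received auth attributes '
               '{"attributes":{"urn:oid:0.9.2342.19200300.100.1.1":["johnd"],'
               '"urn:oid:0.9.2342.19200300.100.1.3":["johnd@local.box"],'
               '"urn:oid:1.3.6.1.4.1.5923.1.1.1.9":["member"],'
               '"urn:oid:2.5.4.42":["John"],"urn:oid:2.5.4.4":["Doe"]}} []')
```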
Troubleshooting
Error | Cause | Solution |
---|---|---|
Unsupported SAML version | Identity provider is not using SAML 2.0 | Go to your Single sign on provider and update to SAML 2.0. |
Missing ID attribute on SAML Response | The SAML Response received from the Identity Provider does not include an ID attribute. | Check that you have the correct ID in your IdP setting and that it’s in the correct format. |
SAML Response must contain 1 assertion | Role assertion is missing from the Identity Provider's response. | Navigate to your SSO provider and make sure to include the role attribute in the SAML assertion. Role value must be one of the following: "owner," "admin," "manager," "analyst," "campaign_coordinator," "content_creator," "support." |
Missing Status on response | May be due to Single logout (SLO) process failure. | Confirm SLO configuration settings. |
Missing Status Code on response | May be due to Single logout (SLO) process failure. | Confirm SLO configuration settings. |
Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd | Logout request does not match the SAML 2.0 schema. | Make sure your SAML Logout Request adheres to the SAML 2.0 protocol schema. |
The assertion of the Response is not encrypted and the SP requires it | Your SAML integration configuration requires the assertion to be encrypted. | Adjust the value of Require Encrypted Assertions on the integration Security tab. |
The NameID of the Response is not encrypted and the SP requires it | Your SAML integration configuration requires the NameID to be encrypted. | Adjust the value of Name Id Encrypted on the integration Security tab. |
The Assertion must include a Conditions element | A Conditions element cannot be identified in the Identity provider's response. | Ensure that the SAML response assertion for your IdP includes a Conditions element. |
The Assertion must include an AuthnStatement element | An AuthnStatement element cannot be identified in the Identity provider's response. | Ensure that the SAML response assertion for your identity provider includes an AuthnStatement element. |
There is an EncryptedAttribute in the Response and this SP not support them | An encrypted attribute has been identified and is not supported. | Check the settings for your IdP and make sure no attribute is encrypted. |
Invalid audience for this Response (expected '...', got '...') | The EntityId specified does not match the expected value. | Verify the value of Entity Id on the integration Service Provider tab. By default this will be set to the metadata URL. Some IdPs require this to be overridden with a specific value, which can be entered here. |
Issuer of the Response is multiple. | The issuer value in the response is not the expected value. | Verify the value of Single Sign-On URL on the integration Identity Provider tab. Make sure the value matches the single sign on URL provided by your identity provider. This represents the URL to send the initial authentication request to. This is usually found in the SingleSignOnService tag, only the HTTP-Redirect binding tag is currently supported. |
Issuer of the Assertion not found or multiple. | The issuer value in the response is not the expected value. | Verify the value of Single Sign-On URL on the integration Identity Provider tab. Make sure the value matches the single sign on URL provided by your identity provider. This represents the URL to send the initial authentication request to. This is usually found in the SingleSignOnService tag, only the HTTP-Redirect binding tag is currently supported. |
The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response | The SAML session has expired. | Retry logging in. If that doesn’t work, extend the expiration window for your SAML response in your Identity provider, as it may be too short. |
A valid SubjectConfirmation was not found on this Response | The SubjectConfirmation value was not as expected. | Check the settings for your Identity provider and look for the subject confirmation method. Make sure it’s formatted correctly. |
The Assertion of the Response is not signed and the SP requires it | The IDP signs the Response only, but not the Assertion. | Adjust the value of Require Signed Assertions on the integration Security tab. |
No Signature found. SAML Response rejected | An issue has been found in the signatures of incoming SAML messages. | Check that the SAML message from your Identity provider is properly signed. Verify the value of Lowercase Url Encoding and Signature Algorithm on the integration Security tab. ADFS URL-encodes SAML data as lowercase; by default the integration uses uppercase. Enable Lowercase Url Encoding for ADFS compatibility on signature verification. The signature algorithm that is used for the signing process defaults to rsa-sha256, but can be changed if the Identity Provider expects a different algorithm. Note: rsa-sha1 should be avoided as it is no longer considered secure. |
The LogoutRequest was received at ... instead of ... | The Service Provider Assertion Consumer Service URL in the IdP SAML configuration may be incorrect. | Verify that you're using the correct URL and try again. |
Could not validate timestamp: not yet valid. Check system clock. | Time mismatch between Identity Provider and Jadu Central. | If the IdP and Jadu Central are present in different time zones, there may be a time mismatch. Adjust the time and try again. |
Could not validate timestamp: expired. Check system clock. | Time mismatch between Identity Provider and Jadu Central. | If the IdP and Jadu Central are present in different time zones, there may be a time mismatch. Adjust the time and try again. |
An empty NameID value found | NameId element in SAML response is not as expected. | Check with identity provider vendor and then verify the value of User Identifier Attribute on the integration Matching Attributes tab. The SAML attribute which holds the unique user identifier for the user. If left empty, the value of the NameId element in the SAML response will be used. If your IdP sets a transient NameId then a specific attribute should be specified otherwise users will lose access to their data on subsequent logins. |
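Several rows in the table are purely structural conditions on the Response, so they can be checked before a login is attempted. The following pre-flight check is an added example, not Jadu Central code: it inspects a Response XML document (for instance one exported from the IdP's test tool) and returns the table's error names it would trigger. It covers version, ID, Status, assertion count, Conditions, AuthnStatement, audience, NotBefore/NotOnOrAfter with a clock-skew allowance, and an empty NameID; it does not verify signatures or decrypt assertions. The sample Response and its entity IDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value):  # SAML timestamps are xsd:dateTime in UTC, e.g. 2019-07-03T15:00:40Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def preflight(xml_text, expected_audience, now_utc, skew_seconds=0):
    """Return the troubleshooting-table error names this Response would trigger (structure only)."""
    errors, resp, now = [], ET.fromstring(xml_text), _ts(now_utc)
    if resp.get("Version") != "2.0":
        errors.append("Unsupported SAML version")
    if not resp.get("ID"):
        errors.append("Missing ID attribute on SAML Response")
    status = resp.find("samlp:Status", NS)
    if status is None:
        errors.append("Missing Status on response")
    elif status.find("samlp:StatusCode", NS) is None:
        errors.append("Missing Status Code on response")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # an EncryptedAssertion would need decrypting first; not handled here
        return errors + ["SAML Response must contain 1 assertion"]
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("The Assertion must include a Conditions element")
    else:
        skew = timedelta(seconds=skew_seconds)  # tolerance for IdP/SP clock drift
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            errors.append("Could not validate timestamp: not yet valid. Check system clock.")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            errors.append("Could not validate timestamp: expired. Check system clock.")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and expected_audience not in audiences:
            errors.append(f"Invalid audience for this Response (expected '{expected_audience}', got '{audiences[0]}')")
    if a.find("saml:AuthnStatement", NS) is None:
        errors.append("The Assertion must include an AuthnStatement element")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and not (name_id.text or "").strip():
        errors.append("An empty NameID value found")
    return errors

# Constructed, unsigned sample Response; entity IDs and times are made up for illustration.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2019-07-03T15:00:40Z">
<saml:Issuer>https://idp.example.test/metadata</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-07-03T15:00:40Z"><saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
<saml:Subject><saml:NameID>johnd</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2019-07-03T14:59:40Z" NotOnOrAfter="2019-07-03T15:05:40Z"><saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AuthnStatement AuthnInstant="2019-07-03T15:00:40Z" SessionIndex="_s1"/></saml:Assertion></samlp:Response>"""
```

Pass the Entity Id from the integration Service Provider tab as `expected_audience`; a non-empty result tells you which table row to consult before touching the live integration.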