Troubleshooting
Enabling Debug Mode
Ensure Debug mode is enabled under Settings > System > Integrations Hub > SAML Admin Authentication > General. This will ensure the Log is being written to with the most detailed level messages.
Troubleshooting
| Error | Cause | Solution |
|---|---|---|
Unsupported SAML version | Identity Provider (IdP) is not using SAML 2.0 | Go to your Single Sign-On (SSO) provider and update to SAML 2.0. |
Missing Status on response | Maybe due to Single logout (SLO) process failure. | Confirm SLO configuration settings. |
Missing Status Code on response | Maybe due to Single logout (SLO) process failure. | Confirm SLO configuration settings. |
Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd | Logout request does not match the SAML 2.0 schema. | Make sure your SAML Logout Request adheres schema protocol for SAML 2.0. |
The assertion of the Response is not encrypted and the Service Provider (SP) requires it | Your SAML integration configuration requires the assertion to be encrypted. | Adjust the value of Require Encrypted Assertions on the integration Security tab. |
The NameID of the Response is not encrypted and the SP requires it | Your SAML integration configuration requires the NameID to be encrypted. | Adjust the value of Name Id Encrypted on the integration Security tab. |
The Assertion must include a Conditions element | A conditions element can not be identified in the IdP response. | Ensure that the SAML response assertion for your IdP includes a conditions element. |
The Assertion must include an AuthnStatement element | A AuthnStatement element can not be identified in the Identity provider's response. | Ensure that the SAML response assertion for your identity provider includes an AuthnStatement element. |
There is an EncryptedAttribute in the Response and this SP not support them | An encrypted attribute has been identified and is not supported. | Check the settings for your IdP and make sure no attribute is encrypted. |
Invalid audience for this Response (expected '...', got '...') | The EntityId specified does not match the expect value. | Verify the value of Entity Id on the integration Service Provider tab. By default this will be set to the metadata URL. Some IdPs require this to be overridden with a specific value, which can be entered here. |
Issuer of the Response is multiple. | The issuer value in the response is not the expected value. | Verify the value of Single Sign-On URL on the integration Identity Provider tab. Make sure the value matches the Single Sign-On URL provided by your IdP. This represents the URL to send the initial authentication request to. This is usually found in the SingleSignOnService tag, only the HTTP-Redirect binding tag is currently supported. |
Issuer of the Assertion not found or multiple. | The issuer value in the response is not the expected value. | Verify the value of Single Sign-On URL on the integration Identity Provider tab. Make sure the value matches the Single Sign-On URL provided by your identity provider. This represents the URL to send the initial authentication request to. This is usually found in the SingleSignOnService tag, only the HTTP-Redirect binding tag is currently supported. |
The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response | The SAML session has expired. | Retry logging in. If that doesn’t work, extend the expiration window for your SAML response in your IdP, as it may be too short. |
A valid SubjectConfirmation was not found on this Response | The SubjectConfirmation value was not as expected. | Check the settings for your Identity provider and look for the subject confirmation method. Make sure it’s formatted correctly. |
The Assertion of the Response is not signed and the SP requires it | The IdP signs the Response only, but not the Assertion. | Adjust the value of Require Signed Assertions on the integration Security tab. |
No Signature found. SAML Response rejected | An issue has been found in the signatures of incoming SAML messages. | Check that the SAML message from your IdP is properly signed. Verify the value of Lowecase Url Encoding and Signature Algorithm on the integration Security tab. ADFS URL-Encodes SAML data as lowercase. By default the integration uses uppercase. Enable Lowercase Url Encoding for ADFS compatibillity on signature verification. The signature algorithm that is used for the signing process defaults to rsa-sha256, but can be changed if the IdP expects a different algorithm. Note: rsa-sha1 is not supported by Jadu Connect. |
The LogoutRequest was received at ... instead of ... | The Service Provider Assertion Consumer Service URL in the IdP SAML configuration may be incorrect. | Verify that you're using the correct URL and try again. |
Could not validate timestamp: not yet valid. Check system clock. | Time mismatch between Identity Provider and Jadu Connect. | If the IdP and Jadu Connect are present in different time zones, there may be a time mismatch. Adjust the time and try again. |
Could not validate timestamp: expired. Check system clock. | Time mismatch between Identity Provider and Jadu Connect. | A time mismatch may occur if the IdP and Jadu Connect are in different time zones. Ensure that both systems are synchronised, then try again. |
An empty NameID value found | NameId element in SAML response is not as expected. | Check with IdP vendor and then verify the value of User Identifier Attribute on the integration Matching Attributes tab. The SAML attribute which holds the unique user identifier for the user. If left empty, the value of the NameId element in the SAML response will be used. If your IdP sets a transient NameId then a specific attribute should be specified otherwise users will lose access to their data on subsequent logins. |
User's email already in use for new user: [...] | A user account already exists in Jadu Connect with the email address but is not linked to a SAML account | Find the user record and add the SAML ID to the user record. |
Error while configuring the SAML adapter: "SETTINGS_INVALID" | An issue has been found in the settings of the SAML Admin Authentication integration | Verify that the settings are correct. |
The SAML attributes "user_email_attribute" for the user [...] are missing | The User email attribute was not present in the SAML response. | Check with IdP vendor and then verify the value of User Email Attribute on the integration Matching Attributes tab. The SAML attribute which holds the email address for the user. |
SAML SSO response is invalid: "SAML adapter invalid response: "1 Signature validation failed. SAML Response rejected" with adapter errors: "invalid_response"" errors: [invalid_response] | An issue has been found in the signatures of incoming SAML messages. | Check that the SAML message from your IdP is properly signed. Ensure the signature algorith is not SHA1 |
| I don't see the alternative sign-in options when trying to log in | You are viewing the Public Login page or SAML Admin Authentication is not enabled | Ensure the URL of the login page ends with /q/login/admin. Ensure the SAML Admin Authentication integration is enabled and configured. If signing in from Jadu CMS or Jadu Central, ensure you have Jadu CMS version 21.1.0 or later, or Jadu Central version 1.0.0 or later installed. |
| Page Not Found when logging in from Jadu Central | The OAuth Client isn't compatible with Jadu CMS/Central | In Jadu Connect ensure the OAuth Client used by Jadu CMS/Central site has Jadu CMS compatible checked |
| User's email already in use for new user: [email], [NameID] | A Jadu Connect user exists with the email address but they either don't have the SAML External ID set or its value does not match the NameID in the SAML Response | Check the Jadu Connect user record SAML External ID is set and its value matches the NameID value provided in the SAML Response. The NameID expected is the string after the [email], in the log message. |