Troubleshooting SAML Authentication Errors
What
When setting up and using SAML authentication, you can run into various errors.
Below is an outline of some of the common errors encountered, together with the reasoning behind them and their resolutions.
How
Below are SAML authentication errors that you may receive, what they mean and how to troubleshoot them.
NOTE: These are just some examples that clients have experienced lately with SAML.
Example 1
org.springframework.security.userdetails.UsernameNotFoundException: Could not load user for assertion 'org.springframework.security.saml.SAMLCredential@2085d35a'. User id=14947749. There was no shared username configured at dk.atira.pure.server.services.impl.security.authentication.saml2.SamlPureUserOrSharedUserLookup.loadUserBySAML(SamlPureUserOrSharedUserLookup.java:70) at org.springframework.security.saml.SAMLAuthenticationProvider.getUserDetails(SAMLAuthenticationProvider.java:138) at
- The institutional login does not work here because the username inside Pure did not match the one Pure received from your institutional login. To solve this, change the username inside Pure to match that of the institutional login (i.e. 14947749 in this error).
Example 2
2020-03-02 21:08:37,070 o.s.s.s.w.WebSSOProfileConsumerImpl Validation of received assertion failed, assertion will be skipped org.springframework.security.CredentialsExpiredException: Authentication statement is too old to be used
- The issue is a difference in the time settings between your Pure server and your Single Sign-On server (the one running on https://login.clietname). We would need you to investigate whether the time setup on your Single Sign-On server is correct. The clock should be in sync with NTP; getting the server in sync with the NTP service should ensure that your login works again.
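To see why a clock that is out of sync produces exactly this message, the following added example (not Pure's or Spring Security SAML's code) reproduces the timing checks a service provider applies to an assertion: the NotBefore/NotOnOrAfter window and the age of the authentication statement. The 7200 s maximum authentication age and 60 s skew tolerance are assumptions chosen to match the defaults I believe Spring Security SAML uses; the assertion XML and timestamps are constructed.

```python
# Added example: timing checks an SP applies to a SAML assertion, to show the
# effect of an IdP clock that is out of sync with the SP clock.
# MAX_AUTH_AGE / RESPONSE_SKEW are assumptions (believed to match Spring Security
# SAML defaults); adjust to your deployment.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_AUTH_AGE = timedelta(seconds=7200)   # how old an AuthnStatement may be
RESPONSE_SKEW = timedelta(seconds=60)    # tolerated clock difference


def make_assertion(authn_instant: str, not_before: str, not_on_or_after: str) -> str:
    """Build a minimal, constructed assertion carrying only the time-related attributes."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion" Version="2.0" IssueInstant="{authn_instant}">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  <saml:AuthnStatement AuthnInstant="{authn_instant}"/>
</saml:Assertion>"""


def parse_utc(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in SAML timestamps as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion_times(assertion_xml: str, now: datetime) -> list[str]:
    """Return the reasons the SP would reject the assertion at time `now` (empty = accepted)."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    authn = root.find("saml:AuthnStatement", SAML_NS)
    problems = []

    # Conditions window, widened by the skew tolerance on both sides
    not_before = parse_utc(conditions.get("NotBefore"))
    not_on_or_after = parse_utc(conditions.get("NotOnOrAfter"))
    if now + RESPONSE_SKEW < not_before:
        problems.append("assertion is not yet valid (IdP clock ahead of SP clock)")
    if now - RESPONSE_SKEW >= not_on_or_after:
        problems.append("assertion has expired (IdP clock behind SP clock, or slow delivery)")

    # Authentication age: how long ago the user actually authenticated at the IdP
    authn_instant = parse_utc(authn.get("AuthnInstant"))
    if now - authn_instant > MAX_AUTH_AGE + RESPONSE_SKEW:
        problems.append("Authentication statement is too old to be used")
    return problems


if __name__ == "__main__":
    sp_now = parse_utc("2020-03-02T21:08:37Z")  # the SP clock, taken from the log line above
    healthy = make_assertion("2020-03-02T21:08:00Z", "2020-03-02T21:08:00Z", "2020-03-02T21:13:00Z")
    # The same assertion as issued by an IdP whose clock is three hours behind
    skewed = make_assertion("2020-03-02T18:08:00Z", "2020-03-02T18:08:00Z", "2020-03-02T18:13:00Z")
    print("in-sync IdP:  ", check_assertion_times(healthy, sp_now))
    print("IdP 3h behind:", check_assertion_times(skewed, sp_now))
```

Note that a lagging IdP clock trips both the expiry check and the authentication-age check, while an IdP clock that runs ahead fails on NotBefore instead; either way the fix is NTP on the IdP, not a larger skew tolerance on the SP.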
Example 3
[ERROR 20191113060651 :geListener: HTTPMetadataProvider] Error retrieving metadata from https://auth.tees.ac.uk/FederationMetadata/2007-06/FederationMetadata.xml java.net.SocketTimeoutException: Read timed out
- This can happen when there is an outage while retrieving the metadata file https://auth.tees.ac.uk/FederationMetadata/2007-06/FederationMetadata.xml; when that file is unavailable for whatever reason, Pure is sensitive to it.
- Customers on versions 5.16 and under: if they experience problems logging in, it should be enough for us to access their Pure and disable and re-enable SSO; this should allow SSO to start working again.
- Customers on versions 5.17+: Pure 5.17.0 improved how Pure handles activation and deactivation of the SSO systems, so this error should not occur unless someone actually updates the SSO configuration in Pure while the file at https://auth.tees.ac.uk/FederationMetadata/2007-06/FederationMetadata.xml is unavailable.
Example 4
The ACS URL can be found in their Pure metadata (requires SAML to be enabled in their Pure) at https://<client Pure>/admin/saml/metadata. It looks something like: https://<client Pure>/admin/saml/SSO/alias/pure
- The problem here is that the certificates were incorrect even though the UI said they were valid. The certificates need to be created in the correct format for them to actually work. You can read more about how this is done in Generating SAML Certificates and Private Keys. Note: this is only relevant for MS Azure.
Example 5
ERROR 20220428073031 :geListener: HTTPMetadataProvider] Error retrieving metadata from https://pure/federationmetadata/2007-06/federationmetadata.xml java.net.ConnectException: Connection timed out (Connection timed out) [ERROR 20220428073031 :geListener: AbstractMetadataProvider] Metadata provider failed to properly initialize, fail-fast=true, halting org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://pure/federationmetadata/2007-06/federationmetadata.xml Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://pure/federationmetadata/2007-06/federationmetadata.xml at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) [ERROR 20220428073031 :geListener: AbstractAuthenticationMechanism] Could not activate authentication mechanism java.lang.IllegalStateException: Configuration of metadata seems to be invalid
- The error indicates that Pure was unable to access the metadata definition found at (for example) https://pure/federationmetadata/2007-06/federationmetadata.xml. When this happens it is usually a firewall on the client side causing a block (e.g. an IP address being blocked on the client side).
Example 6
[invalid_signature] Invalid assertion [_c2d5825d-fd3e-4e1e-ae9d-8fb757872500] for SAML response [_03dc6146-9038-40b2-b31b-09c14e9c7c99]: Signature of Assertion '_c2d5825d-fd3e-4e1e-ae9d-8fb757872500' from Issuer 'https://sts.windows.net/xxxxxxxx/' was not valid
- The error indicates that the SAML message from the IdP is signed incorrectly: the certificate used is not in the IdP metadata. When this happens it may be caused by the link to the IdP metadata being a general one (metadata.xml) rather than application-specific (metadata.xml?appid=564097643-853b-4be4-82bb-abcd6df2d8f5app).
Example 7
Did not decrypt response since it is not signed
If you encounter an error similar to this in the log found on the SAML SSO configuration page:
Saml2AuthenticationException{error=[invalid_signature] Did not decrypt response [_1234abc5-ef6g-7hij-klmn-8910op11qr123] since it is not signed}
i.e. one that contains the text "Did not decrypt response since it is not signed", this could indicate that the customer's IdP is using an unsafe configuration, where encryption is turned on but signing is not.
To fix this, reach out to their IT department and get them to turn on signing for SAML responses. Ask them to try the following:
- In the IdP, run the following command: Get-AdfsRelyingPartyTrust -Name <Name> (replace <Name> with the appropriate name)
- Then look for the values
SignedSamlRequestsRequired
SamlResponseSignature
- If SignedSamlRequestsRequired is false or SamlResponseSignature is not MessageAndAssertion, update them using the following commands:
Get-AdfsRelyingPartyTrust -Name "<Name>" | Set-AdfsRelyingPartyTrust -SignedSamlRequestsRequired $true
Get-AdfsRelyingPartyTrust -Name "<Name>" | Set-AdfsRelyingPartyTrust -SamlResponseSignature MessageAndAssertion
If you do not have access to the command line of the IdP, go to the settings of your IdP and see if you can find similar settings in the UI.
Please allow for some time to get the IdP changes to sync (it can take up to an hour depending on the IdP set-up).
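Examples 6 and 7 are both signature problems that are easiest to confirm by looking at the Response and the IdP metadata side by side. The following added diagnostic (not Pure's code, and not a replacement for the cryptographic verification the SAML library performs) reports whether a Response is signed at all, and whether the certificate carried in its signature is one the IdP metadata publishes for signing. All XML here is constructed, and the certificate values are placeholder strings standing in for real base64 DER certificates.

```python
# Added example: structural audit of a SAML Response against IdP metadata.
# It does NOT verify signatures cryptographically; it explains the two findings
# seen in Examples 6 and 7 (certificate not in metadata, response not signed).
# All XML and certificate values below are constructed placeholders.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder certificate values (constructed, not real certificates)
APP_CERT = "MIIC-constructed-app-specific-signing-cert"
OTHER_CERT = "MIIC-constructed-cert-published-in-generic-metadata"

METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sts.windows.net/constructed-tenant/">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>
        {APP_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _normalise(cert_text):
    """Strip the line breaks and indentation base64 blocks are usually wrapped with."""
    return "".join((cert_text or "").split())


def signing_certs_from_metadata(metadata_xml: str) -> set[str]:
    """Collect certificates from KeyDescriptors usable for signing (use="signing" or no use)."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
                certs.add(_normalise(cert.text))
    return certs


def audit_response(response_xml: str, trusted_signing_certs: set[str]) -> list[str]:
    """Return findings about the Response's signatures; an empty list means nothing to report."""
    root = ET.fromstring(response_xml)
    findings = []
    response_sig = root.find("ds:Signature", NS)
    assertion = root.find("saml:Assertion", NS)
    assertion_sig = assertion.find("ds:Signature", NS) if assertion is not None else None
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None

    # Example 7: encryption on, signing off
    if response_sig is None and assertion_sig is None:
        findings.append("Did not decrypt response since it is not signed" if encrypted
                        else "neither the Response nor the Assertion is signed")

    # Example 6: signed, but with a certificate the metadata does not publish
    for where, sig in (("Response", response_sig), ("Assertion", assertion_sig)):
        if sig is None:
            continue
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None:
            findings.append(f"{where} signature carries no certificate; match it against metadata by key")
        elif _normalise(cert.text) not in trusted_signing_certs:
            findings.append(f"invalid_signature: {where} signing certificate is not in the IdP metadata")
    return findings


def _signature(cert: str) -> str:
    """A constructed ds:Signature element that only carries the signing certificate."""
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>'
            f'</ds:KeyInfo></ds:Signature>')


def build_response(signed_with=None, encrypted: bool = False) -> str:
    """Constructed Response: a signed Assertion, or an unsigned EncryptedAssertion."""
    if encrypted:
        body = (f'<saml:EncryptedAssertion xmlns:saml="{NS["saml"]}">'
                f'<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
                f'</saml:EncryptedAssertion>')
    else:
        body = (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_constructed-assertion" Version="2.0">'
                f'{_signature(signed_with) if signed_with else ""}'
                f'<saml:Issuer>https://sts.windows.net/constructed-tenant/</saml:Issuer></saml:Assertion>')
    return f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_constructed-response" Version="2.0">{body}</samlp:Response>'


if __name__ == "__main__":
    trusted = signing_certs_from_metadata(METADATA)
    print("app-specific cert:", audit_response(build_response(APP_CERT), trusted))
    print("generic-metadata cert:", audit_response(build_response(OTHER_CERT), trusted))
    print("encrypted, unsigned:", audit_response(build_response(encrypted=True), trusted))
```

Run it against a Response captured from the browser (SAML tracer or similar) and the metadata URL Pure is configured with; if the certificate finding appears, compare the generic and the application-specific metadata URLs from Example 6 before touching anything else. The unsigned finding corresponds to the SamlResponseSignature setting above, since that value controls which parts of the Response AD FS signs.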
Updated at November 08, 2024