SAML 1.8.0 error on log on

Hi All,

I’m testing SAML authentication and I’m getting a generic error message: “Unexpected Error, please contact support.” Since I’m using Docker, I do not really know how to check any logs dealing with the issue. Any advice?

Could you please let me know if you’ve followed the instructions here http://xibo.org.uk/manual-tempel/en/users_saml.html ?

We do have one CMS instance in our cloud that we use for testing SAML (it authenticates with our Gmail email accounts) and that seems to work fine in 1.8.1.

As for logs, you could check CMS logs for more details - perhaps put your CMS in test mode as well.

Hi Peter,

Yes. I’m using Shibboleth for my IdP and I am being passed the following: givenname, email, PrincipalName and uid as attributes. My next question is does it matter if I keep ‘usertypeid’ blank in the mapping field?

I turned on logging and found this:

SAML SSO failed: invalid_response. Last Reason: The status code of the Response was not Success, was Requester -> An error occurred. Exception Type: OneLogin_Saml2_Error

What should be my next steps?

I think that means the URL you have in your SAML configuration - i.e. your IdP - didn’t return a successful response. Can you double check the URLs you’ve entered there for correctness?

Edit: Actually I don’t think that is correct - I believe the document is being returned by your IdP, but the status code attribute is set to urn:oasis:names:tc:SAML:2.0:status:Requester with the message ‘An error occurred’.

Is there any logging on the SAML side that might provide some insight?

OK, so it seems that the NameFormatId variable needed to be set to SAML:1.1 instead of 2.0. But now I’m getting a different error:

SAML SSO failed: invalid_response. Last Reason: Signature validation failed. SAML Response rejected Exception Type: OneLogin_Saml2_Error

So back to the logs I go.

Sorry!!

That error would indicate that the response from the IdP did not match the expected specification. There is a validation tool you can use (if you can capture the response) here: Validate SAML XML Using XML Schema (XSD) - Validate XML Against XSD Online Tool

So it looks like now I have an error message of “No attributes could be mapped”. All fields in the mapping variable are full but the usertypeid. Any thoughts?
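
A triage helper for the three errors in this thread, as an added example that is not part of the original posts or of the Xibo or OneLogin code: it decodes a captured `SAMLResponse` form value and reports the status code and message, the NameID format, the attribute names the IdP actually sent, and whether a signature element is present. It does not verify signatures, and the two sample responses are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def triage_saml_response(b64_response):
    """Summarise a captured base64 SAMLResponse form value (HTTP-POST binding)."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations do not belong in a SAML message")
    root = ET.fromstring(xml)
    # Document order: the top-level StatusCode comes first, nested sub-codes after it.
    codes = [c.get("Value") for c in root.iterfind(".//samlp:StatusCode", NS)]
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return {
        "status_codes": codes,
        "status_message": root.findtext("samlp:Status/samlp:StatusMessage", None, NS),
        "success": bool(codes) and codes[0].endswith(":status:Success"),
        "nameid_format": None if name_id is None else name_id.get("Format"),
        # Names exactly as sent; compare them with the mapping configured in the CMS.
        "attributes": [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)],
        # Presence only: this helper does not validate any signature.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": root.find("saml:Assertion/ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
    }

# Constructed samples (not captured from a real IdP); both are unsigned.
SAMPLE_REQUESTER = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">'
    b'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>'
    b'<samlp:StatusMessage>An error occurred.</samlp:StatusMessage></samlp:Status></samlp:Response>')
SAMPLE_SUCCESS = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">'
    b'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    b'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
    b'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>'
    b'</saml:Subject><saml:AttributeStatement>'
    b'<saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>'
    b'<saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>'
    b'</saml:AttributeStatement></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    for label, sample in (("requester", SAMPLE_REQUESTER), ("success", SAMPLE_SUCCESS)):
        print(label, triage_saml_response(sample))
```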