TABLE OF CONTENTS
- Introduction
- Enable logging
- Decoding SAML packets
- Error SAML101: No certificate file loaded to validate SAML login response
- Error SAML212: Signed SAML response does not match certificate, NameID not found.
- Error SAML306: You are not authorised or you have no permissions to access community portal.
- SAML authentication request's RequestedAuthenticationContext's Comparison value must be "exact".
- Authentication failed, could not locate a user to load.
- Example SAML Packet
Introduction
This page lists errors and issues encountered with the SAML implementation, together with their fixes or workarounds.
Primarily for v68.
The most common causes of SAML authentication not working:
- Incorrect configuration of SynCommPortal.xml.
- Synergetic Community Portal application not provisioned correctly at the SAML Identity Provider (IdP).
- Missing or invalid SAML signing certificate. Earlier releases skipped this check when Azure Active Directory was the IdP; the current release validates the signature and requires the certificate for every IdP (see SAML101 below).
- No matching Community record in Synergetic, i.e. the "claim" passed from the IdP must match the Community 'NetworkLogin' name.
Enable logging
The first step in identifying where SAML authentication is failing is to enable logging in Community Portal.
- Modify 'log4net.config' in the Community Portal application folder on the web server and change '<log4net threshold="OFF">' to '<log4net>'. The file is typically located in 'C:\inetpub\wwwroot\SynergeticCommunityPortal'.
- Give the 'IIS_IUSRS' group write access to the 'logs' folder in the Community Portal application folder, i.e. 'C:\inetpub\wwwroot\SynergeticCommunityPortal\logs'.
- Restart the Community Portal application pool on the web server.
- SAML authentication logs will be written to 'log_SAML.txt' and 'log_everything.txt' in the logs folder above.
Attempt to log in to Community Portal using SAML and analyse the log file. The log is comprehensive and records every transaction between the IdP and Community Portal, so errors are usually easy to identify. It also contains encoded SAML packets, which must be decoded before they yield further information.
Note that the log captures complete SAML responses: bearer assertions that remain valid until their NotOnOrAfter time, together with user identifiers and attributes. Restrict read access to the logs folder, set the threshold back to '<log4net threshold="OFF">' once the issue is resolved, and delete the captured logs rather than leaving them on the web server.
Decoding SAML packets
- Use the online SAML decoder: https://idp.ssocircle.com/sso/toolbox/samlDecode.jsp
- Copy the encoded SAML packet into the large input box, select 'POST' and click 'Decode'.
- Copy the returned decoded text and analyse it. Errors should be easily identifiable.
Bear in mind that pasting a packet into a third-party website hands that site the full assertion, including the NameID and every attribute the IdP released. For packets from a production tenant, decode locally instead: the encoding is only base64 (POST binding), or base64 over raw DEFLATE for the redirect binding, which is what the portal's SAMLRequestFormat value Base64Deflate refers to.
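The following is an added example of decoding a packet offline, written for this page rather than taken from the Synergetic product. It handles the percent-encoding a value picks up when copied from a URL or form body, plain base64 (POST binding) and base64 over raw DEFLATE (redirect binding, the Base64Deflate format). The AuthnRequest it round-trips is constructed for the example; the function names, the hostnames and the IdP URL are assumptions.

```python
"""Decode SAMLRequest/SAMLResponse parameter values offline.

Added example for the troubleshooting page; not part of the Synergetic code base.
"""
import base64
import urllib.parse
import zlib


def decode_saml(value: str) -> str:
    """Return the XML carried by a SAMLRequest/SAMLResponse parameter value.

    Layers handled, outermost first:
      1. percent-encoding (value copied out of a query string or form body);
      2. base64 (HTTP-POST binding carries the XML as base64 only);
      3. base64 over raw DEFLATE (HTTP-Redirect binding; the portal's
         SAMLRequestFormat value Base64Deflate means this form).
    """
    raw = value.strip()
    # base64 never contains '%', so its presence means the value is still URL-encoded.
    if '%' in raw:
        raw = urllib.parse.unquote(raw)
    # Some loggers drop the trailing '=' padding; restore it before decoding.
    raw += '=' * (-len(raw) % 4)
    data = base64.b64decode(raw)  # non-alphabet bytes such as wrapped newlines are ignored
    # Plain XML starts with '<' (possibly after a UTF-8 BOM). Anything else is taken
    # to be a raw DEFLATE stream, which has no zlib header, hence wbits = -15.
    if data.lstrip(b'\xef\xbb\xbf \t\r\n').startswith(b'<'):
        return data.decode('utf-8')
    return zlib.decompress(data, -15).decode('utf-8')


def encode_saml(xml: str, deflate: bool = False) -> str:
    """Inverse of decode_saml: base64, optionally over raw DEFLATE."""
    data = xml.encode('utf-8')
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw stream, no zlib header
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode('ascii')


def redirect_binding_url(idp_sso_url: str, authn_request_xml: str) -> str:
    """Build the IdP redirect for an unsigned AuthnRequest (HTTP-Redirect binding)."""
    return idp_sso_url + '?' + urllib.parse.urlencode(
        {'SAMLRequest': encode_saml(authn_request_xml, deflate=True)})


# Constructed AuthnRequest, not captured from a real deployment. It carries the
# Comparison="exact" the portal insists on for RequestedAuthnContext.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2016-10-12T04:15:00Z" '
    'AssertionConsumerServiceURL="https://portal.school.example/login.aspx">'
    '<saml:Issuer>https://portal.school.example/</saml:Issuer>'
    '<samlp:RequestedAuthnContext Comparison="exact">'
    '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
    '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>')


if __name__ == '__main__':
    url = redirect_binding_url('https://sso.school.example/adfs/ls/', SAMPLE_XML)
    print(url)
    # The query-string value decodes back to the request without touching any website.
    print(decode_saml(url.split('SAMLRequest=', 1)[1]))
    # A POST-binding value is plain base64 and decodes the same way.
    print(decode_saml(encode_saml(SAMPLE_XML)))
```

To use it on a value from log_SAML.txt, paste the SAMLResponse string into decode_saml; the result is the XML that the online decoder would have shown.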
Error SAML101: No certificate file loaded to validate SAML login response
Earlier releases did not validate the certificate or the signature on the assertion for Azure AD logins. The portal now does both, and requires a certificate file to validate the response against.
A default one provided by Microsoft is shipped under ~/Site/Certificates/AzureAAD.crt.
NOTE: RENAME THIS FILE AS REQUIRED, AS IT WILL BE REPLACED AFTER AN UPGRADE.
Check that the file is actually the SAML signing certificate of your tenant's Azure AD enterprise application (it can be downloaded from the application's SAML signing certificate section, or compared by thumbprint with the certificate in the KeyInfo of a captured response). A file that does not correspond to the IdP's signing key fails with SAML212 below.
Ensure that the configuration keys under Synergetic.xml or SynCommPortal.xml are similar to the below:
<SAMLLoginX509CertificatePath>~/Site/Certificates/AzureAAD.crt</SAMLLoginX509CertificatePath>
<SAMLLogoutX509CertificatePath />
<SAMLLogoutX509CertificatePrivateKeyPassword />
Error SAML212: Signed SAML response does not match certificate, NameID not found.
Either the returned assertion contains no valid NameID element, or the signature on the SAML response was produced with a key that does not correspond to the configured certificate. Check both: decode the response and confirm the Subject carries a NameID, and compare the certificate in the signature's KeyInfo with the file named by SAMLLoginX509CertificatePath (a rolled-over IdP signing certificate is the usual cause of the mismatch).
Error SAML306: You are not authorised or you have no permissions to access community portal.
If using Azure AD, the NameID attribute is returned as a hash value rather than a login name, so it never matches a NetworkLogin. As a workaround, add the following to SynCommPortal.xml so that the portal matches on the Name claim instead (do not use the CreateConfig tool afterwards, as it removes this configuration):
<UseSAMLLegacyFlag>true</UseSAMLLegacyFlag>
<SAMLRequestFormat>Base64Deflate</SAMLRequestFormat>
<SAMLClaimAttributeName>Name</SAMLClaimAttributeName>
Whichever claim is named here becomes the identity the portal trusts, so it must be an attribute that only the IdP administrator can set, never one a user can edit about themselves.
SAML authentication request's RequestedAuthenticationContext's Comparison value must be "exact".
Ensure that the SAMLComparisonMode configuration key under Synergetic.xml or SynCommPortal.xml is set to exact. This controls the Comparison attribute of the RequestedAuthnContext element in the AuthnRequest the portal sends; the value is lower case, as the SAML 2.0 Comparison values are.
<SAMLComparisonMode>exact</SAMLComparisonMode>
Authentication failed, could not locate a user to load.
The NameID element of the SAML assertion does not contain a value that matches the NetworkLogin field, the Community ID or the IDAMGUID of any Community record.
Ensure that the NetworkLogin field is populated. You can test the stored procedure that is called during a login by issuing the following (substitute <login> with the value the assertion carries for the user you are testing):
exec spsGetUserLoginData '<login>', null
-- examples, using a down-level (DOMAIN\user) login and a UPN respectively:
-- exec spsGetUserLoginData 'cda_main\jmicallef', null
-- exec spsGetUserLoginData 'jmicallef@synergetic.onmicrosoft.com', null
If the customer is using Azure AD (mode 15 or SAMLAAD), the default NameID value is a hash rather than a login name, so the match never succeeds unless SAMLClaimAttributeName is configured as described under SAML306 above.
Example SAML Packet
<samlp:Response ID="_9cfbf96a-c02a-4819-95f4-5c2bb1a26d65" Version="2.0" IssueInstant="2016-10-12T04:15:28.169Z" Destination="https://portal.school.net.au/login.aspx" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_380a204d-7d4c-4726-b4fb-d6644d6c609a" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.school.net.au/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_e8766b54-6f38-4e98-b55d-e40609dab41f" IssueInstant="2016-10-12T04:15:28.169Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://sso.school.net.au/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_e8766b54-6f38-4e98-b55d-e40609dab41f">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>/ENpDugui/8wAvKhC4RvLj++h3Y=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>OpL7x/VLd9+gqCObg3JsDL6EJsN3ohDloOCUOqnGqiyZQuH+rMXLo+2oOYwtdfuGsOD8vFv2YV5k/Nkon4OWD9SoHIXPQt4o2b8o0FQCuHR32iDeAcG5etjhQxlD+I8jkiEigrfE4MNDxsrgAkXPXEjnHs8gy4zzZ72bZjepJKUI2kOSrY+GbQD8hfyNiqICfboTO0jYkzjNh0u+LkyGdCVYhOaHUZwka//x8IONLjG2SUG4jKz5DwYUbJrL5EzAZg6JIRZN07JVWP/FFHAC+JdC93ploq1KfOjOP7zdt3MNGnnnK7lZ/P4Ok0qvy7XIAhERQr1iz02YE2ty8DjHrg==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">DOMAIN\testuserfirstname.testuserlastname</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_380a204d-7d4c-4726-b4fb-d6644d6c609a" NotOnOrAfter="2016-10-12T04:20:28.169Z" Recipient="https://portal.school.net.au/login.aspx" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2016-10-12T04:15:28.075Z" NotOnOrAfter="2016-10-12T05:15:28.075Z">
      <AudienceRestriction>
        <Audience>https://portal.school.net.au/login.aspx</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="SAM-Account-Name">
        <AttributeValue>testuserfirstname.testuserlastname</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2016-10-12T04:10:31.638Z" SessionIndex="_e8766b54-6f38-4e98-b55d-e40609dab41f">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
Points to check in a packet like this: the Status is Success; the Assertion carries an enveloped signature whose KeyInfo certificate must correspond to the file named by SAMLLoginX509CertificatePath; the NameID (here DOMAIN\testuserfirstname.testuserlastname, persistent format) is the value matched against NetworkLogin; the Audience and the Recipient must both be the portal's own login URL; and the assertion is only valid between the Conditions NotBefore and NotOnOrAfter timestamps, with the bearer confirmation expiring even sooner. This example is signed with rsa-sha1 and a sha1 digest. SHA-1 is deprecated for XML signatures, so a new relying party trust should be configured for SHA-256 where the IdP allows it.
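As an added example (written for this page; not Synergetic code), the following triages a decoded response against the checks behind SAML101, SAML212, SAML306 and "could not locate a user to load": it reports which certificate the IdP signed with and whether it matches the configured file, the NameID and attributes that would be matched against NetworkLogin, and the validity window, Audience, Recipient and InResponseTo that any service provider must check before trusting an assertion. It does not verify the XML signature itself, which needs exclusive canonicalisation and a library such as signxml; it only identifies the certificate. The sample response is constructed to resemble the packet above, the "certificate" in it is placeholder bytes rather than a real DER certificate, and the function names, hostnames and timestamps are assumptions.

```python
"""Triage a decoded SAML Response for the errors on this page (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {'samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
      'saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
      'ds': 'http://www.w3.org/2000/09/xmldsig#'}
SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success'
RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'


def cert_der(text: str) -> bytes:
    """DER bytes from a PEM file body or a bare base64 blob (as in <ds:X509Certificate>)."""
    b64 = ''.join(line.strip() for line in text.splitlines() if not line.startswith('-----'))
    return base64.b64decode(b64)


def sha256_thumbprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def saml_time(s: str) -> datetime:
    # SAML timestamps are UTC with a trailing 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(s.replace('Z', '+00:00'))


def triage(xml_text: str, configured_cert_pem: str, expected_audience: str,
           expected_recipient: str, now_iso: str) -> dict:
    root = ET.fromstring(xml_text)
    a = root.find('saml:Assertion', NS)
    now = saml_time(now_iso)
    f = {}
    f['status_ok'] = root.find('samlp:Status/samlp:StatusCode', NS).get('Value') == SUCCESS
    f['issuer'] = a.findtext('saml:Issuer', None, NS)

    # SAML101 / SAML212: which certificate signed the assertion, and is it the configured one?
    sig = a.find('ds:Signature', NS)
    f['signed'] = sig is not None
    if sig is not None:
        idp = cert_der(sig.find('.//ds:X509Certificate', NS).text)
        f['idp_cert_sha256'] = sha256_thumbprint(idp)
        f['cert_matches_config'] = f['idp_cert_sha256'] == sha256_thumbprint(cert_der(configured_cert_pem))
        alg = sig.find('ds:SignedInfo/ds:SignatureMethod', NS).get('Algorithm')
        f['weak_signature_alg'] = alg == RSA_SHA1

    # SAML212 / SAML306 / "could not locate a user": the values matched against NetworkLogin.
    nid = a.find('saml:Subject/saml:NameID', NS)
    f['name_id'] = nid.text if nid is not None else None
    f['name_id_format'] = nid.get('Format') if nid is not None else None
    f['attributes'] = {at.get('Name'): [v.text for v in at.findall('saml:AttributeValue', NS)]
                       for at in a.findall('saml:AttributeStatement/saml:Attribute', NS)}

    # Replay, audience and recipient checks every SP must make before trusting the assertion.
    cond = a.find('saml:Conditions', NS)
    nb, na = cond.get('NotBefore'), cond.get('NotOnOrAfter')
    f['in_validity_window'] = (nb is None or saml_time(nb) <= now) and (na is not None and now < saml_time(na))
    audiences = [e.text for e in cond.findall('saml:AudienceRestriction/saml:Audience', NS)]
    f['audience_ok'] = expected_audience in audiences
    scd = a.find('saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData', NS)
    f['recipient_ok'] = scd is not None and scd.get('Recipient') == expected_recipient
    f['in_response_to'] = scd.get('InResponseTo') if scd is not None else None
    return f


# Constructed sample modelled on the packet above. IDs and hostnames are placeholders, and the
# "certificate" is arbitrary bytes rather than a real DER certificate: only its thumbprint is used.
FAKE_IDP_CERT_B64 = base64.b64encode(b'placeholder bytes standing in for the IdP signing certificate').decode()
CONFIGURED_CERT_PEM = '-----BEGIN CERTIFICATE-----\n' + FAKE_IDP_CERT_B64 + '\n-----END CERTIFICATE-----\n'
PORTAL_ACS = 'https://portal.school.example/login.aspx'
SAMPLE_RESPONSE = f'''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0" InResponseTo="_q1">
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <Issuer>http://sso.school.example/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA1}"/></ds:SignedInfo>
   <ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue>
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>{FAKE_IDP_CERT_B64}</ds:X509Certificate></ds:X509Data></KeyInfo>
  </ds:Signature>
  <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">DOMAIN\\test.user</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_q1" NotOnOrAfter="2016-10-12T04:20:28Z" Recipient="{PORTAL_ACS}"/>
   </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2016-10-12T04:15:28Z" NotOnOrAfter="2016-10-12T05:15:28Z">
   <AudienceRestriction><Audience>{PORTAL_ACS}</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement><Attribute Name="SAM-Account-Name"><AttributeValue>test.user</AttributeValue></Attribute></AttributeStatement>
 </Assertion>
</samlp:Response>'''


def demo(configured_cert_pem: str = CONFIGURED_CERT_PEM, now_iso: str = '2016-10-12T04:16:00Z') -> dict:
    """Run the triage over the constructed sample as if the portal received it at now_iso."""
    return triage(SAMPLE_RESPONSE, configured_cert_pem, PORTAL_ACS, PORTAL_ACS, now_iso)


if __name__ == '__main__':
    for key, val in demo().items():
        print(f'{key}: {val}')
```

Feed it the XML obtained by decoding a SAMLResponse value from log_SAML.txt, with the contents of the file named by SAMLLoginX509CertificatePath as configured_cert_pem. A False cert_matches_config points at SAML101/SAML212, a name_id that looks like a hash with an Azure AD issuer points at SAML306, and name_id and attributes are the values to try against spsGetUserLoginData.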