Troubleshooting SAML Authentication Errors
What
When setting up and using SAML authentication, you can run into various errors.
Below is an outline of some of the common errors encountered, alongside the reasoning and resolutions.
How
Below are possible SAML authentication errors that you can receive, what they mean, and how to troubleshoot them.
NOTE: These are just some examples that clients have experienced lately with SAML.
Example 1
Stacktrace
org.springframework.security.userdetails.UsernameNotFoundException: Could not load user for assertion 'org.springframework.security.saml.SAMLCredential@2085d35a'. User id=14947749. There was no shared username configured at dk.atira.pure.server.services.impl.security.authentication.saml2.SamlPureUserOrSharedUserLookup.loadUserBySAML(SamlPureUserOrSharedUserLookup.java:70) at org.springframework.security.saml.SAMLAuthenticationProvider.getUserDetails(SAMLAuthenticationProvider.java:138) at
- The institutional login does not work here because the username inside Pure did not match the one Pure received from your institutional login. To solve this, change the username inside Pure to match that of the institutional login (i.e. 14947749 in this error).
Example 2
Stacktrace
2020-03-02 21:08:37,070 o.s.s.s.w.WebSSOProfileConsumerImpl Validation of received assertion failed, assertion will be skipped org.springframework.security.CredentialsExpiredException: Authentication statement is too old to be used
- The issue is a difference in the time settings between your Pure and your Single Sign-On (SSO) server (the one running on: https://login.clientname). We would need you to investigate whether the time setup on your Single Sign-On server is correct. The clock should be in sync with NTP. Getting the server in sync with the NTP service should ensure that your login works again.
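To make the clock-skew failure in Example 2 concrete, here is an added example (not Pure's or Spring Security SAML's code) that parses a constructed SAML assertion and applies the two time checks an SP performs: the Conditions validity window and the age of the AuthnStatement. The 7200-second maximum authentication age and the 60-second skew allowance are assumed values; the point is that an IdP whose clock is hours behind stamps an AuthnInstant that looks "too old" to a correctly synced SP.

```python
"""Evaluate the timing conditions an SP enforces on a SAML 2.0 assertion."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture); times are UTC ISO-8601.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2020-03-02T18:00:00Z" NotOnOrAfter="2020-03-02T18:10:00Z"/>
  <saml:AuthnStatement AuthnInstant="2020-03-02T18:00:00Z"/>
</saml:Assertion>"""


def parse_time(value: str) -> datetime:
    """Parse a SAML xs:dateTime in the common 'YYYY-MM-DDTHH:MM:SSZ' form as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, now: datetime,
                    max_auth_age: timedelta = timedelta(seconds=7200),  # assumed SP limit
                    skew: timedelta = timedelta(seconds=60)) -> list[str]:
    """Return the list of timing problems found; an empty list means the assertion is acceptable."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    authn_stmt = root.find("saml:AuthnStatement", NS)
    problems: list[str] = []

    # Conditions window: the SP's own clock, widened by the allowed skew, must fall inside it.
    if now + skew < parse_time(conditions.get("NotBefore")):
        problems.append("assertion not yet valid (NotBefore is in the future)")
    if now - skew >= parse_time(conditions.get("NotOnOrAfter")):
        problems.append("assertion expired (NotOnOrAfter has passed)")

    # Authentication age: how long ago the IdP says the user authenticated.
    age = now - parse_time(authn_stmt.get("AuthnInstant"))
    if age > max_auth_age + skew:
        problems.append("Authentication statement is too old to be used")
    return problems


if __name__ == "__main__":
    # The SP clock is correct (21:08:37Z, as in the log line above), but the IdP
    # stamped the assertion at 18:00:00Z because its clock is about three hours behind.
    sp_now = datetime(2020, 3, 2, 21, 8, 37, tzinfo=timezone.utc)
    for problem in check_assertion(SAMPLE_ASSERTION, sp_now):
        print(problem)
```

Running the block with the SP clock at 21:08:37Z reports both an expired window and the "too old" authentication statement; with the SP clock at 18:01:00Z (IdP and SP in sync) it reports nothing.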
Example 3
Stacktrace
[ERROR 20191113060651 :geListener: HTTPMetadataProvider] Error retrieving metadata from https://auth.tees.ac.uk/FederationMetadata/2007-06/FederationMetadata.xml java.net.SocketTimeoutException: Read timed out
- This can happen when there is an outage in retrieving the metadata file: https://auth.tees.ac.uk/FederationMetadata/2007-06/FederationMetadata.xml. When that file is unavailable for any reason, Pure is very sensitive to it.
- Customers on versions 5.16 and under: If they experience problems logging in, it should be enough for us to access their Pure and disable and re-enable SSO; this should allow SSO to start working again.
- Customers on versions 5.17+: Pure 5.17.0 has improvements regarding how Pure handles activation and deactivation of the SSO systems, so this error should not be able to occur unless someone actually updates the SSO configuration in Pure while the file at https://auth.tees.ac.uk/FederationMetadata/2007-06/FederationMetadata.xml is unavailable.
Example 4
Stacktrace
The ACS url can be found in their Pure metadata (requires SAML to be enabled in their Pure) (https://<client Pure>/admin/saml/metadata) It looks something like: https://<client Pure>/admin/saml/SSO/alias/pure
- The problem here is that the certificates were incorrect even though the UI said they were valid. The certificates need to be created in the correct format for them to actually work. You can read more about how this is done in Generating SAML Certificates and Private Keys. Note, this is only relevant for MS Azure.
Example 5
Stacktrace
ERROR 20220428073031 :geListener: HTTPMetadataProvider] Error retrieving metadata from https://pure/federationmetadata/2007-06/federationmetadata.xml java.net.ConnectException: Connection timed out (Connection timed out) [ERROR 20220428073031 :geListener: AbstractMetadataProvider] Metadata provider failed to properly initialize, fail-fast=true, halting org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://pure/federationmetadata/2007-06/federationmetadata.xml Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://pure/federationmetadata/2007-06/federationmetadata.xml at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) [ERROR 20220428073031 :geListener: AbstractAuthenticationMechanism] Could not activate authentication mechanism java.lang.IllegalStateException: Configuration of metadata seems to be invalid
- This error indicates that Pure was unable to access the metadata definition found at (for example) https://pure/federationmetadata/2007-06/federationmetadata.xml. When this happens it is usually a firewall issue on the client side causing a block (e.g. an IP address being blocked on the client side).
Updated at July 27, 2024