Troubleshooting errors in SAML2 configuration
Setting up SSO via SAML2 requires changes to a number of configuration settings. It is error-prone, and when something goes wrong you will most often see only a bland and unhelpful 500 error or 'something has gone wrong' message. The next step at that point is to activate logging in the third-party SAML component we use, as described here: Enabling logging for SSO via SAML2
Interpreting the log
After logging is activated, a text file is created in the Logs subfolder of the application the next time the system starts up. It is a dense mass of debugging information, but a number of key errors point directly at configuration problems. It is normally necessary to scroll down a few dozen lines; searching for the word 'exception' usually gets you there quickly.
Below are listed a number of config issues and their errors.
The specified network password is not correct
Error message:
2768/7: 18/09/2021 14:51:44: Exception: ComponentSpace.SAML2.Exceptions.SAMLCertificateException: The X.509 certificate could not be loaded from the file C:\inetpub\wwwroot\Pentana60\SamlMvc\Certificates\PentanaAudit.pfx. ---> System.Security.Cryptography.CryptographicException: The specified network password is not correct.
Cause/solution:
In Saml.config, the password specified for LocalCertificatePassword is incorrect.
Change to the password that matches the PFX file, save and restart the app pool.
The system cannot find the file specified - local
Error message:
5648/15: 18/09/2021 14:58:55: Exception: ComponentSpace.SAML2.Exceptions.SAMLCertificateException: The X.509 certificate could not be loaded from the file C:\inetpub\wwwroot\Pentana60\SamlMvc\Certificates\PentanaAuditx.pfx. ---> System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
Cause/solution:
In Saml.config, the path specified for LocalCertificateFile does not point to the local PFX file (in the example above the filename has been mistyped).
Correct the path, save and restart the app pool.
The system cannot find the file specified - partner
Error message:
In this case the UI shows the error as well as the log:
ComponentSpace.SAML2.Exceptions.SAMLCertificateException: The X.509 certificate could not be loaded from the file C:\inetpub\wwwroot\Pentana60\SamlMvc\Certificates\SAML2Providerx.cer. ---> System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
Cause/solution:
In Saml.config, the path specified for PartnerCertificateFile does not point to the partner's certificate (.cer) file. This is the IdP's public signing certificate, not a PFX, so no password is involved.
Correct the path, save and restart the app pool.
SignAuthnRequest is FALSE
Error message:
The beginning of the error message is:
2608/7: 18/09/2021 15:12:06: The SAML response signature verified.
2608/7: 18/09/2021 15:12:06: Exception: ComponentSpace.SAML2.Exceptions.SAMLErrorStatusException: An error SAML response status was received. urn:oasis:names:tc:SAML:2.0:status:Responder
2608/7: 18/09/2021 15:12:06: at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)
Cause/solution:
In Saml.config, SignAuthnRequest is specified as FALSE, but should be TRUE. The Responder status in the log means the IdP received our authentication request and refused it, rather than something failing on our side; the preceding line shows the response signature verified, so the certificates are not the problem. If the IdP is ADFS, its Admin event log records the specific reason for the refusal.
Correct this, save and restart the app pool.
AssertionConsumerServiceUrl is wrong
Error message:
Where the wrong AssertionConsumerServiceUrl has been specified in Saml.config, the request reaches the IdP but the IdP login screen displays an error instead of signing the user in. For ADFS, the error details will be similar to the following (note the mistyped 'ACSx' at the end of the URL that the IdP quotes from our request):
Activity ID: edf30ac9-c2ad-4d25-2c00-0080000000b2
Relying party: Ideagen Internal Audit (Aura)
Error details: MSIS3200: No AssertionConsumerService is configured on the relying party trust 'http://testserver/Pentana60/PentanaSSO' that is a prefix match of the AssertionConsumerService URL 'https://testserver/Pentana60/samlmvc/SSO/ACSx' specified by the request.
Node name: dc19f4c3-0d35-4e74-8406-963338796255
Error time: Sat, 18 Sep 2021 17:31:05 GMT
Return status: 500
Cookie: enabled
User agent string: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)
Cause/solution:
In Saml.config, the wrong URL is specified as AssertionConsumerServiceUrl. It must match the AssertionConsumerService endpoint configured on the IdP's relying party trust for this application.
Correct this, save and restart the app pool.
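The four Saml.config mistakes above can all be caught before the app pool is restarted. The following PowerShell script is an added example, not part of this article or of the SAML component itself: it loads Saml.config, checks that the local PFX exists and opens with the configured password, that the partner certificate exists and parses, that SignAuthnRequest is true, and that AssertionConsumerServiceUrl is an absolute https URL. It assumes the ComponentSpace-style layout in which those settings are XML attributes (it searches for them wherever they occur); the config path and app pool name are placeholders, since only the Certificates folder appears in this article.

```powershell
# Added example (not from the original article or the SAML component):
# pre-flight checks on Saml.config for the mistakes described above.
# Assumptions: settings are XML attributes; ConfigPath and AppPoolName are
# placeholders to be replaced with the real values for the installation.
function Test-SamlConfig {
    param(
        [string]$ConfigPath  = 'C:\inetpub\wwwroot\Pentana60\SamlMvc\Saml.config',
        [string]$AppPoolName = 'Pentana60',
        [switch]$RestartIfClean
    )
    $configDir = Split-Path -Parent $ConfigPath
    [xml]$xml  = Get-Content -LiteralPath $ConfigPath -Raw
    $problems  = New-Object System.Collections.Generic.List[string]
    # Relative paths in the config are taken relative to the folder holding Saml.config.
    $resolve   = { param($p) if ([IO.Path]::IsPathRooted($p)) { $p } else { Join-Path $configDir $p } }

    # 1. Local (SP) certificate: file exists and LocalCertificatePassword opens the PFX.
    foreach ($node in $xml.SelectNodes('//*[@LocalCertificateFile]')) {
        $file = & $resolve $node.GetAttribute('LocalCertificateFile')
        if (-not (Test-Path -LiteralPath $file)) { $problems.Add("LocalCertificateFile not found: $file"); continue }
        try {
            $pfxPassword = $node.GetAttribute('LocalCertificatePassword')
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file, $pfxPassword)
            if (-not $cert.HasPrivateKey)      { $problems.Add("No private key in PFX: $file") }
            if ($cert.NotAfter -lt (Get-Date)) { $problems.Add("SP certificate expired $($cert.NotAfter): $file") }
        } catch {
            # A wrong password surfaces here as 'The specified network password is not correct'.
            $problems.Add("Cannot open PFX ${file}: $($_.Exception.Message)")
        }
    }

    # 2. Partner (IdP) certificate: file exists and parses as a public certificate.
    foreach ($node in $xml.SelectNodes('//*[@PartnerCertificateFile]')) {
        $file = & $resolve $node.GetAttribute('PartnerCertificateFile')
        if (-not (Test-Path -LiteralPath $file)) { $problems.Add("PartnerCertificateFile not found: $file"); continue }
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file)
            if ($cert.NotAfter -lt (Get-Date)) { $problems.Add("IdP signing certificate expired $($cert.NotAfter): $file") }
        } catch {
            $problems.Add("Cannot parse partner certificate ${file}: $($_.Exception.Message)")
        }
    }

    # 3. SignAuthnRequest must be true, otherwise the IdP answers with a Responder status.
    foreach ($node in $xml.SelectNodes('//*[@SignAuthnRequest]')) {
        $value = $node.GetAttribute('SignAuthnRequest')
        if ($value -ne 'true') { $problems.Add("SignAuthnRequest is '$value' on element $($node.Name); expected true") }
    }

    # 4. AssertionConsumerServiceUrl must be an absolute https URL. A typo here shows up
    #    as MSIS3200 on the ADFS side, not in our own log, so check it before testing.
    foreach ($node in $xml.SelectNodes('//*[@AssertionConsumerServiceUrl]')) {
        $acs = $node.GetAttribute('AssertionConsumerServiceUrl')
        $uri = $null
        if (-not [System.Uri]::TryCreate($acs, [System.UriKind]::Absolute, [ref]$uri)) {
            $problems.Add("AssertionConsumerServiceUrl is not an absolute URL: '$acs'")
        } elseif ($uri.Scheme -ne 'https') {
            $problems.Add("AssertionConsumerServiceUrl is not https (the assertion would travel in clear): '$acs'")
        } else {
            Write-Host "ACS URL is '$acs'. Confirm it matches the endpoint on the IdP relying party trust exactly."
        }
    }

    if ($problems.Count -eq 0) {
        Write-Host 'Saml.config checks passed.'
        if ($RestartIfClean) {
            Import-Module WebAdministration
            Restart-WebAppPool -Name $AppPoolName
        }
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage (paths and pool name are placeholders):
#   Test-SamlConfig -ConfigPath 'C:\inetpub\wwwroot\Pentana60\SamlMvc\Saml.config' -AppPoolName 'Pentana60' -RestartIfClean
```

Run it from an elevated PowerShell on the web server before each restart; it returns $true only when every check passes, and only then restarts the pool if -RestartIfClean is given. Note that Saml.config holds the PFX password in clear text, which is why the script never echoes it and why the file's ACL should be limited to the app pool identity and administrators.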
UPN is not mapped to Name ID
It is a requirement that the partner (the IdP) issues the user's UPN as the Name ID. If this is not done, or UPN is mapped to a different claim, the user will see the HTTP 500 error screen and the following in the log. Note that there is no value (or a nonsensical value) after Name ID:
4856/7: 18/09/2021 17:37:00: Service provider session (kdm2xuz11vhksfptenzklthr) state:
SSO session state:
Partner name: http://adfs.testnet.com/adfs/services/trust
Name ID:
4856/7: 18/09/2021 17:37:00: An SSO response from the partner identity provider http://adfs.testnet.com/adfs/services/trust has been successfully received.
Normally you would expect to see:
Name ID: username@domain.com
The administrator of the partner (IdP) server should correct the claim mapping so that UPN is issued as Name ID; nothing in Saml.config can fix this.
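Rather than scrolling the log by hand, the error signatures listed above can be matched automatically. The following PowerShell function is an added example, not part of this article or of the SAML component: it scans log lines for each signature shown on this page and names the likely cause, and flags any other line mentioning 'exception' for a human look. The regular expressions are derived from the log excerpts above; the sample lines at the bottom are constructed for demonstration and the log filename in the usage comment is an assumption.

```powershell
# Added example (not from the original article or the SAML component):
# map known ComponentSpace SAML log signatures to the configuration causes
# described on this page. Sample input below is constructed, not a real log.
$Signatures = @(
    @{ Pattern = 'SAMLCertificateException.*\.pfx.*specified network password is not correct'
       Cause   = 'LocalCertificatePassword in Saml.config does not match the PFX' }
    @{ Pattern = 'SAMLCertificateException.*\.pfx.*cannot find the file specified'
       Cause   = 'LocalCertificateFile in Saml.config points to a missing file' }
    @{ Pattern = 'SAMLCertificateException.*\.cer.*cannot find the file specified'
       Cause   = 'PartnerCertificateFile in Saml.config points to a missing file' }
    @{ Pattern = 'SAMLErrorStatusException.*urn:oasis:names:tc:SAML:2\.0:status:Responder'
       Cause   = 'IdP refused the request; check SignAuthnRequest=true in Saml.config and the IdP event log' }
    @{ Pattern = '^\s*Name ID:\s*$'
       Cause   = 'No Name ID in the assertion; the IdP must issue UPN as Name ID' }
)

function Get-SamlLogDiagnosis {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # First matching signature wins; -match is case-insensitive by default.
        $hit = $Signatures | Where-Object { $line -match $_.Pattern } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Cause = $hit.Cause; Line = $line.Trim() }
        } elseif ($line -match 'exception') {
            # Unknown exception: still worth reading the surrounding lines.
            [pscustomobject]@{ Cause = 'Unrecognised exception - read the surrounding lines'; Line = $line.Trim() }
        }
    }
}

# Usage against a real log file (the Logs folder is the one described in this
# article; the filename is an assumption):
#   Get-SamlLogDiagnosis -Lines (Get-Content 'C:\inetpub\wwwroot\Pentana60\SamlMvc\Logs\saml.log')

# Constructed sample lines, modelled on the excerpts in this article.
$sample = @(
    '2768/7: 18/09/2021 14:51:44: Exception: ComponentSpace.SAML2.Exceptions.SAMLCertificateException: The X.509 certificate could not be loaded from the file C:\inetpub\wwwroot\Pentana60\SamlMvc\Certificates\PentanaAudit.pfx. ---> System.Security.Cryptography.CryptographicException: The specified network password is not correct.'
    '2608/7: 18/09/2021 15:12:06: The SAML response signature verified.'
    '2608/7: 18/09/2021 15:12:06: Exception: ComponentSpace.SAML2.Exceptions.SAMLErrorStatusException: An error SAML response status was received. urn:oasis:names:tc:SAML:2.0:status:Responder'
    'Name ID: '
)
Get-SamlLogDiagnosis -Lines $sample | Format-Table -AutoSize -Wrap
```

On the constructed sample the function reports three findings (wrong PFX password, IdP refusal, missing Name ID) and ignores the 'signature verified' line, which is informational. Add a new hashtable to $Signatures whenever a further error pattern is identified.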
IdP server is not available
If IdP server is down or not available the user will see some variant of the following at login: