Best practices for troubleshooting Single Sign On (SAML) issues

This article explains the various error scenarios and the best practices an SD agent can follow before assigning a ticket to an SME.

Initial isolation

Most legacy SSO error messages, such as the following, are generic and don't highlight the root cause.

Error 400 bad request / Error "The status of the SAML request was not successful."

To identify the error, look for "Error Event Log" in the Admin Console:

  1. Go to Settings > Identity.
  2. Click the directory (tenant) name where the problem occurs.
  3. Click the Events tab, and select Error events for All Time.

All error events for the directory are listed in ascending order of date/time.

Event Log lists a documented error

Review the following sample event log that depicts an error pattern:

"Inbound SAML login failed with message: The current time is before the time-range specified in the Assertion Conditions".

To resolve the issue, see Troubleshooting errors Federated ID (SSO).

Event Log lists an undocumented error

In this case, the event log lists a generic error message that does not clearly identify the error. The following is an example of a generic error message.

Unknown error

Debugging the SAML log is the recommended approach toward resolving the issue. For more information, see How to capture SAML log.

In the SAML log, validate the required attributes FirstName, LastName, and Email, and the NameID format and value. Attribute names are case-sensitive. The attribute values must match the values specified for the users in the Admin Console.

Here is a sample log with attribute names and their respective values.

Undocumented event log provides clues

The following is a sample error message in the event log that, despite being undocumented, provides clues to the possible error.

The error message indicates that the value of the FirstName attribute was not passed by the IDP in the SAML assertion for that user. To resolve the issue, check whether the FirstName value was passed in the SAML assertion log. If it was not, check the value of the attribute in Active Directory.
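As an added example (not part of this article or any Adobe tooling), the following Python script performs the attribute check described above on a captured SAML assertion: it looks up the required attributes by their exact, case-sensitive names, compares their values with what the Admin Console holds for the user, and inspects the NameID. The sample assertion and the Admin Console values are constructed; that the NameID is email-formatted and equal to the user's Email is an assumption and can be adjusted per tenant.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("FirstName", "LastName", "Email")  # exact, case-sensitive names

# Constructed sample assertion (made-up values). It reproduces the failure
# pattern above: the IdP sent "firstname", so "FirstName" is effectively absent.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: the values the Admin Console holds for this user.
CONSOLE_USER = {"FirstName": "Jane", "LastName": "Doe", "Email": "jane.doe@example.com"}


def check_assertion(xml_text, console_user, nameid_format_suffix="emailAddress"):
    """Return a list of findings; empty means the required data is present and consistent.
    The email-style NameID (and NameID == Email) is an assumption; adjust for your tenant."""
    root = ET.fromstring(xml_text)
    findings = []
    attrs = {}  # keyed by the attribute Name exactly as sent: no case folding
    for a in root.iterfind(".//saml:Attribute", NS):
        attrs[a.get("Name", "")] = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            near = [n for n in attrs if n.lower() == name.lower()]
            hint = f" (IdP sent '{near[0]}'; names are case-sensitive)" if near else ""
            findings.append(f"missing attribute {name}{hint}")
        elif not any(attrs[name]):
            findings.append(f"attribute {name} has no value")
        elif console_user.get(name) not in attrs[name]:
            findings.append(f"attribute {name} value {attrs[name]} does not match Admin Console")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing or empty")
    else:
        if not name_id.get("Format", "").endswith(nameid_format_suffix):
            findings.append(f"NameID Format {name_id.get('Format')!r} is not {nameid_format_suffix}")
        if name_id.text.strip() != console_user["Email"]:
            findings.append("NameID value does not match the user's Email in Admin Console")
    return findings
```

Run it with `print(check_assertion(SAMPLE_ASSERTION, CONSOLE_USER))` after pasting the decoded assertion from the captured SAML log in place of the sample; an empty list means the attribute check passed and the cause lies elsewhere.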
