This article explains the various error scenarios and the best practices an SD agent can follow before assigning a ticket to an SME.
Most legacy SSO error messages, such as the following, are generic and don't highlight the root cause.
Error 400 bad request / Error "The status of the SAML request was not successful."
Review the following sample event log that depicts an error pattern:
"Inbound SAML login failed with message: The current time is before the time-range specified in the Assertion Conditions".
To resolve the issue, see Troubleshooting errors Federated ID (SSO).
In other cases, the event log shows only a generic error message that does not identify the root cause. The following is an example of such a generic error message.
Capturing and reviewing the SAML log is the recommended way to narrow down the cause. For more information, see How to capture SAML log.
In the SAML log, validate that the required attributes FirstName, LastName, and Email are present and that the NameID format and value are correct. Attribute names are case-sensitive, and the attribute values must match the values specified for the user in the Admin Console.
Here is a sample log with attribute names and their respective values.
The following is a sample error message from the event log that, despite being undocumented, provides clues to the likely cause.
The error message indicates that the value of the FirstName attribute was not passed by the IdP in the SAML assertion for that user. To resolve the issue, check whether a FirstName value is present in the captured SAML assertion. If it is not, check the value of the attribute for that user in Active Directory.
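The attribute and time-range checks described above, as an added example rather than code from this article: it reads a captured SAML assertion, reports the required attributes that are missing, sent under a differently cased name, or sent without a value (the FirstName case above), and flags a NotBefore/NotOnOrAfter window that does not contain the current time. The SAMPLE assertion and the 2024 timestamps are constructed.

```python
# Added example, not the article's code; the SAMPLE assertion below is constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("FirstName", "LastName", "Email")  # attribute names are case-sensitive
parse_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML UTC timestamp

def check_assertion(xml_text, now=None):
    """Return a list of findings for an SD agent; an empty list means all checks passed."""
    assertion = next(ET.fromstring(xml_text).iter("{%s}Assertion" % NS["saml"]), None)
    if assertion is None:
        return ["no saml:Assertion element found in the captured log"]
    findings = []
    # NameID must be present and non-empty
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing or empty")
    # Collect attributes under their exact names; a case mismatch is reported as a hint
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED:
        if name not in attrs:
            near = [n for n in attrs if n.lower() == name.lower()]
            hint = f" (IdP sent '{near[0]}'; names are case-sensitive)" if near else ""
            findings.append(f"attribute {name} missing{hint}")
        elif not any(v.strip() for v in attrs[name]):
            findings.append(f"attribute {name} has no value")
    # Conditions window: an IdP clock ahead of the service provider produces the time-range error
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        now = now or datetime.now(timezone.utc)
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_ts(nb):
            findings.append(f"current time is before NotBefore={nb}")
        if na and now >= parse_ts(na):
            findings.append(f"assertion expired at NotOnOrAfter={na}")
    return findings

# Constructed sample: FirstName sent in the wrong case and LastName sent without a value
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue/></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Run `check_assertion(SAMPLE)` against the assertion text copied from the SAML log; pass `now` explicitly to reproduce a time-range failure seen at a given time.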