When using SAML for SSO, you may encounter errors that prevent you from completing a task. In this article, we’ll list some common SAML SSO errors and why you may encounter them.
Note: You should be able to troubleshoot most SSO errors. For any errors not listed here, please contact Skilljar support for assistance.
Further resources
- SSO: Using Single Sign-On (SSO)
- Configuring SAML 2.0 for Single Sign-On (SSO)
- Quick tip video overview
SAML Troubleshooting
Troubleshooting SSO can be difficult, so understanding how it works and where things are breaking within the flow can be beneficial in debugging.
These are just some things to keep in mind when troubleshooting SSO issues:
- Misconfigurations in the settings are typically the root cause – start here when dealing with SSO issues.
- Capturing the network requests/responses using the browser’s developer tools can also help pinpoint where in the SSO flow things are breaking.
- For example, if the SAML flow errors on the initial redirect to the SingleSignOnService URL, it’s likely that there’s a misconfiguration with either the SP Entity ID or the SingleSignOnService URL itself.
- If the SSO flow breaks after the user signs in through the Identity Provider, it’s likely that there’s a setting misconfiguration with the AssertionConsumerService URL, IdP Entity ID (Issuer), Identity Provider’s x509 certificate, or possibly the user doesn’t have the right permissions to access Skilljar.
Note: You can record a log of the network requests your browser makes while an issue occurs. This log is an HTTP Archive, or HAR, file. HAR files may include sensitive data, such as the content of the pages you downloaded while recording. If you contact Skilljar support, we may ask for your HAR file to further analyze the error.
You can generate a HAR file from the developer tools within the settings of the browser you are using. Please see the specific help documentation for your chosen browser to learn more.
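As an added example that is not part of this article, the following Python script pulls only the SAMLResponse out of a HAR file so the SAML message can be inspected (or shared with support) without handing over the whole capture. The HAR content and the ACS path in it are constructed for the example.

```python
import base64
import json
from urllib.parse import parse_qs, unquote

# Constructed HAR (not a real capture). The ACS path is hypothetical; only the
# shape of a HAR POST entry matters here.
_SAML_XML = b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1"/>'
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://idp.example.com/sso"}},
    {"request": {"method": "POST", "url": "https://example.skilljar.com/auth/saml/acs/",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "SAMLResponse",
                                          "value": base64.b64encode(_SAML_XML).decode()},
                                         {"name": "RelayState", "value": "/"}]}}},
]}})

def _form_values(post_data):
    """Yield (name, value) pairs from a HAR postData block, whichever way the
    browser recorded the form body (parsed params or raw urlencoded text)."""
    for p in post_data.get("params", []):
        # unquote, not unquote_plus: '+' is a base64 character, not a space
        yield p.get("name"), unquote(p.get("value", ""))
    if "params" not in post_data and post_data.get("text"):
        for name, values in parse_qs(post_data["text"]).items():
            for v in values:
                yield name, v

def extract_saml_responses(har_text):
    """Return [(request_url, decoded_xml)] for every SAMLResponse POST in the HAR.
    Only the URL and the decoded SAML XML are returned; cookies, headers and page
    bodies from the capture are never touched."""
    har = json.loads(har_text)
    found = []
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        if req.get("method") != "POST":
            continue
        for name, value in _form_values(req.get("postData", {})):
            if name == "SAMLResponse":
                xml = base64.b64decode(value).decode("utf-8")
                found.append((req.get("url"), xml))
    return found
```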
SAML common errors
What an error may look like
When you receive an error message, it may look like this:
invalid_response
https://example.skilljar.com/ is not a valid audience for this response
Errors
- Invalid response - URL not a valid audience for this response
- Invalid response - Signature verification failed. SAML Response rejected
- App/service is not configured for this user
- Unable to resolve request into a Service Provider
- Exception Value - null value in column "user_id" violates not-null constraint
- Missing ID attribute on SAML Response - invalid response
- Not match the SAML schema protocol 2.0.xsd - Invalid response
- Time data '2017-06-28T02:19:59.1690618Z' does not match format '%Y-%m-%dT%H:%M:%S.%fZ' - Invalid response
- urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
Invalid response - URL not a valid audience for this response
Reason:
- Make sure the entity ID on your side matches what is displayed in the error message exactly (including the trailing slash, /).
- Confirm that you’ve added your Skilljar domain to your list of “authorized audiences.”
Invalid response - Signature verification failed. SAML Response rejected
Reason:
You may experience this error when your SAML assertion’s signature verification has failed. Confirm that you have the correct IdP x509 certificate configured.
If the issue still persists, try configuring your SAML settings again. If that doesn’t work, please reach out to our support team for assistance.
App/service is not configured for this user
Reason:
The user who is trying to use SSO does not have the right permissions, so please double-check to make sure the user has SSO permissions enabled.
Unable to resolve request into a Service Provider
Reason:
Make sure your service provider (SP) entity ID matches your domain name. This error is often caused by small mistakes, such as using http instead of https, or omitting the trailing slash (/).
Exception Value - null value in column "user_id" violates not-null constraint
Reason:
This error could appear for various reasons:
- The email address may not be correct
- The email address may not be included in the SAML response. Check the SAML assertion (for example, in your HAR file) and view the SAML authentication record in the admin panel to confirm whether an email address was included.
Missing ID attribute on SAML Response - invalid response
Reason:
The ID may be missing within the SAML response.
Not match the SAML schema protocol 2.0.xsd - Invalid response
Reason:
Remove whitespace from within the issuer and make it all one line. Example:
Change
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
https://api-dev.rapidsos.com/v1/scorpius/
</saml:Issuer>
To
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://api-dev.rapidsos.com/v1/scorpius/</saml:Issuer>
Time data '2017-06-28T02:19:59.1690618Z' does not match format '%Y-%m-%dT%H:%M:%S.%fZ' - Invalid response
Reason:
Make sure the relevant timestamp is in the proper format: '%Y-%m-%dT%H:%M:%S.%fZ'
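The following Python checker is an added example, not Skilljar's own code, that runs the checks described in the sections above against a decoded SAML response: a missing ID attribute, whitespace inside the Issuer, the IssueInstant timestamp format, a missing NameID (email), and audience near-misses such as http vs https or a missing trailing slash. The sample response and the SP entity ID it is compared against are constructed.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # the format quoted in the error message
# Constructed sample (not a real assertion) that deliberately carries several of
# the defects listed above, so every check below has something to report.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    IssueInstant="2017-06-28T02:19:59.1690618Z">
  <saml:Issuer>
    https://idp.example.com/metadata
  </saml:Issuer>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>http://example.skilljar.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
def _norm(url):  # drop scheme and trailing slash to tell near-misses from real mismatches
    return url.split("://", 1)[-1].rstrip("/")

def check_saml_response(xml_text, sp_entity_id):
    """Return a list of findings, each phrased after the error it would trigger."""
    root = ET.fromstring(xml_text)
    findings = []
    if "ID" not in root.attrib:                                # 'Missing ID attribute'
        findings.append("missing ID attribute on Response")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        findings.append("missing Issuer")
    elif issuer.text != issuer.text.strip():                   # 'Not match the SAML schema'
        findings.append("Issuer contains surrounding whitespace/newlines")
    stamp = root.get("IssueInstant", "")
    try:                                                       # 'Time data ... does not match'
        datetime.strptime(stamp, TIME_FORMAT)                  # %f accepts at most 6 digits
    except ValueError:
        findings.append(f"IssueInstant {stamp!r} does not match {TIME_FORMAT}")
    aud = root.find(".//saml:Audience", NS)
    aud_text = (aud.text or "").strip() if aud is not None else ""
    if not aud_text:
        findings.append("missing Audience")
    elif aud_text != sp_entity_id:                             # 'not a valid audience'
        near = " (only scheme or trailing slash differ)" if _norm(aud_text) == _norm(sp_entity_id) else ""
        findings.append(f"Audience {aud_text!r} != SP entity ID {sp_entity_id!r}{near}")
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():    # 'null value in column "user_id"'
        findings.append("no NameID (email) in the assertion")
    return findings
```

Note that the seven-digit fractional second in the sample (the same value as in the error message above) fails because strptime's %f accepts at most six digits; trimming the timestamp to six digits is what makes that check pass.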
urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
Reason:
The user may not have permission to access the SP. If so, you can update this in your identity provider (IdP), which is where all of your student information lives.