Overview
All or some users receive the message “An error occurred while attempting authentication through single sign-on (SSO)” when they try to log in to Jive using Single Sign-On (SSO).
The following error messages may appear in the "Debugging information is available below" section at the bottom of the page:
- Authentication statement is too old to be used
- Response issue time is either too old or with date in the future
- Email already exists. This exception indicates a user marshalling error
- External identity already exists
Solution
<supportagent>
Support agents: If the issue persists after you or the customer have followed the steps in this section, you will need to investigate the application logs (or Kibana for cloud customers) more closely. Start the investigation by searching the logs for AuthNRequest;SUCCESS or AuthNRequest;FAILURE to determine whether the issue is ongoing (successful logins are logged as AuthNRequest;SUCCESS).
Review the debugging information carefully, in particular, the "caused by" messages, as they will have the specific details of the issue.
</supportagent>
The solution to this issue depends on the number of users affected by it:
All users are affected / no one can sign in
This is most commonly caused by an update or change on the SSO Identity Provider (IdP) side that has not yet been applied to your Jive instance. Typically this is a certificate update (for example, a rotated IdP signing certificate); alternatively, there may be an IdP service outage that needs to be resolved.
You will need the following information from your SSO Identity Provider (IdP) to resolve this problem:
- Confirmation that the IdP service is functioning normally.
- Confirmation that no recent changes were made to the IdP settings. If a recent change was made, the full details will be needed.
- The latest SAML metadata XML file.
- If your organization uses Microsoft ADFS as the IdP, the metadata file is available at https://myserver.mydomain.com/federationmetadata/2007-06/federationmetadata.xml, where myserver.mydomain.com is your federation domain name or server name.
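Before pasting a new metadata file into Jive, it is worth confirming that the IdP's signing certificate actually changed, since that is the usual reason every SSO login suddenly fails. The following is an added example, not Jive's own code or the IdP's: it parses a SAML metadata file, fingerprints the IdP signing certificate(s) it advertises, and reports whether the fingerprint currently configured on the SP side still matches. The metadata, entityID and certificate blobs are constructed placeholders (the X509Certificate bodies are not real certificates, only base64 text to be hashed).

```python
"""Check whether the signing certificate in a fresh IdP metadata file still
matches the certificate the SP (Jive) was configured with.

Added example, not Jive's own code. The metadata, entityID and certificate
blobs below are constructed placeholders; the <ds:X509Certificate> bodies
are not real certificates, only base64 text that is fingerprinted."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificates (base64 encoded, as in metadata).
CURRENT_CERT_B64 = base64.b64encode(b"constructed IdP signing cert, issued 2024").decode()
ENCRYPTION_CERT_B64 = base64.b64encode(b"constructed IdP encryption cert").decode()
STALE_CERT_B64 = base64.b64encode(b"constructed IdP signing cert, issued 2022").decode()

# Constructed ADFS-style metadata: one signing key, one encryption key.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://idp.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CURRENT_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENCRYPTION_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of a base64 DER blob. Metadata
    often wraps the base64 across lines, so all whitespace is stripped first."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_cert_fingerprints(metadata_xml: str) -> dict:
    """Map each entityID to the fingerprints of its IdP signing certificates.
    A KeyDescriptor without a `use` attribute may be used for both signing
    and encryption, so it is included; use="encryption" keys are skipped."""
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() also yields the root itself, so this works for a single
    # EntityDescriptor or for an EntitiesDescriptor wrapping several.
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        fps = []
        for kd in entity.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                fps.append(fingerprint(cert.text))
        result[entity.get("entityID")] = fps
    return result


def needs_update(metadata_xml: str, configured_fingerprint: str) -> bool:
    """True when none of the IdP's advertised signing certs matches the one
    configured on the SP: the IdP rotated its certificate and the SP-side
    metadata must be refreshed before SSO will work again."""
    advertised = {fp for fps in signing_cert_fingerprints(metadata_xml).values() for fp in fps}
    return configured_fingerprint.upper() not in advertised


if __name__ == "__main__":
    for name, fp in (("current", fingerprint(CURRENT_CERT_B64)),
                     ("stale", fingerprint(STALE_CERT_B64))):
        print(f"configured={name:7s} needs_update={needs_update(SAMPLE_METADATA, fp)}")
```

Run it against the real federation metadata (for ADFS, the URL above) and the fingerprint of the certificate Jive currently holds; if `needs_update` is true, the metadata paste in the steps below is the fix, and if it is false the certificate is not the cause and the IdP's availability and other settings should be checked instead.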
After that information is received, follow these steps:
- Browse to Admin Console > People > Single Sign-On.
- Click on the SAML tab.
- If you received a new SAML metadata XML file from your IdP, click on the IDP Metadata tab, then paste the contents of that file into the text box there.
- If any settings were changed recently at the IdP level, review the General and Advanced tabs, and update the settings there accordingly.
- Once all the changes have been applied, click on the Save All SAML Settings button.
- Restart the web application nodes (Jive Cloud customers will have to contact us for this step).
If the issue persists after these steps, please contact us so that ATLAS can assist you. If the solution ATLAS provides does not resolve the issue, it will create a ticket for you on which you can provide the information gathered so far.
Some users receive this message
This issue can have multiple causes, depending on the message that appears in the debugging information.
Users may be able to log in again after clearing their browser cache. However, this is only a temporary workaround; the root cause of the issue still has to be addressed.
The following error messages can be searched for on the page; the sections below describe how to resolve the root cause of each:
- Authentication statement is too old to be used
- Response issue time is either too old or with date in the future
- Email already exists. This exception indicates a user marshalling error
- External identity already exists
If the error message isn't included in the list above, or the steps described don't resolve the issue, please contact us to get assistance from ATLAS. If the issue is still not resolved, ATLAS can create a ticket for you, on which you should provide the following information for each affected user:
- The user's email address or username.
- The time of their last login attempt.
- The debugging information listed at the bottom of the page when the users encounter this error.
"Authentication statement is too old to be used" or "Response issue time is either too old or with date in the future"
There are two possible causes for these error messages:
- The first possibility is a mismatch between the Max Authentication Age configured in Jive and the one configured in the IdP (Identity Provider).
- For example, the default in Jive is 8 hours (28800 seconds), while the default in Azure is 90 days. You need to change one of the two values so that it matches the other.
- The Jive setting (in seconds) can be found in Admin Console > People > Settings > Single Sign-on > SAML.
- The second possibility is a time synchronization issue: the SAML response carries timestamps that Jive compares against its own clock, so clock drift between the IdP and Jive produces these errors.
- If your IdP is custom or otherwise managed by you, check that the IdP's clock is correct.
- If your instance is On-Premise, also verify that the system time of your Linux server is correct.
- If your instance is Hosted or Cloud, please contact us.
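To make the two causes concrete, here is an added example (not Jive's own code) that reproduces the two SP-side checks on a constructed, unsigned SAML response: the Response's IssueInstant has to fall within a clock-skew window around the SP's current time, and the AuthnStatement's AuthnInstant must be no older than the Max Authentication Age. The skew tolerance RESPONSE_SKEW is a hypothetical value, since the page does not state Jive's actual tolerance; the 8-hour and 90-day ages are the defaults cited above.

```python
"""Reproduce the two SP-side time checks behind the errors above on a
constructed SAML response: the Response IssueInstant must lie within a
clock-skew window of the SP's current time, and the AuthnStatement's
AuthnInstant must be no older than the configured Max Authentication Age.

Added example, not Jive's own code. The response XML is constructed and
unsigned; RESPONSE_SKEW is a hypothetical allowance, the page does not
state Jive's actual skew tolerance."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

JIVE_DEFAULT_MAX_AUTH_AGE = 8 * 3600      # 28800 s, the Jive default cited above
AZURE_DEFAULT_MAX_AUTH_AGE = 90 * 86400   # 90 days, the Azure default cited above
RESPONSE_SKEW = 60                        # hypothetical IssueInstant tolerance, seconds

TOO_OLD_AUTHN = "Authentication statement is too old to be used"
BAD_ISSUE_TIME = "Response issue time is either too old or with date in the future"

# Fixed "now" so the scenarios are reproducible; a real SP uses its system clock,
# which is exactly why clock drift on either side produces these errors.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def saml_instant(dt: datetime) -> str:
    """Format a datetime as the UTC xs:dateTime string SAML uses."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_instant(value: str) -> datetime:
    """Parse a SAML instant; the trailing Z is rewritten for fromisoformat()."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_response(issue_instant: datetime, authn_instant: datetime) -> str:
    """Constructed minimal SAML Response carrying the two timestamps of interest."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{saml_instant(issue_instant)}">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{saml_instant(issue_instant)}">
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="{saml_instant(authn_instant)}" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""


def validate_times(response_xml: str, now: datetime,
                   max_auth_age: int = JIVE_DEFAULT_MAX_AUTH_AGE,
                   skew: int = RESPONSE_SKEW) -> list:
    """Return the error messages the SP would raise for this response."""
    root = ET.fromstring(response_xml)
    errors = []
    issued = parse_instant(root.get("IssueInstant"))
    # Too old OR in the future: both directions are one error on the page.
    if not (now - timedelta(seconds=skew) <= issued <= now + timedelta(seconds=skew)):
        errors.append(BAD_ISSUE_TIME)
    for stmt in root.iterfind(".//saml:AuthnStatement", NS):
        authn = parse_instant(stmt.get("AuthnInstant"))
        # Only the age matters here: an IdP may legitimately reuse an older
        # session and issue a brand-new response for it.
        if now - authn > timedelta(seconds=max_auth_age):
            errors.append(TOO_OLD_AUTHN)
    return errors


def scenario_reused_idp_session() -> tuple:
    """User authenticated at the IdP 3 days ago; the IdP (90-day session) issues a
    fresh response now. Fails against Jive's 8-hour default, passes once the two
    Max Authentication Age values are made to match."""
    xml = build_response(NOW - timedelta(seconds=5), NOW - timedelta(days=3))
    return (validate_times(xml, NOW),
            validate_times(xml, NOW, max_auth_age=AZURE_DEFAULT_MAX_AUTH_AGE))


def scenario_idp_clock_ahead() -> list:
    """IdP clock runs 10 minutes ahead of the SP: the response is 'from the future'."""
    shifted = NOW + timedelta(minutes=10)
    return validate_times(build_response(shifted, shifted), NOW)


def scenario_fresh_login() -> list:
    """Freshly authenticated user with clocks in sync: no errors."""
    xml = build_response(NOW - timedelta(seconds=2), NOW - timedelta(seconds=2))
    return validate_times(xml, NOW)


if __name__ == "__main__":
    print("reused session (Jive default / matched):", scenario_reused_idp_session())
    print("IdP clock ahead:", scenario_idp_clock_ahead())
    print("fresh login:", scenario_fresh_login())
```

The first scenario is the Azure case from the text: the response itself is fresh, so only the authentication statement fails, and raising Jive's Max Authentication Age (or lowering the IdP's) clears it. The second scenario only trips the IssueInstant check, which is why a drifted clock shows the "too old or with date in the future" message even for users who authenticated seconds ago.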
Email already exists. This exception indicates a user marshalling error
This error is caused by the Jive instance already having a user account with the same email address that is not yet linked to the SSO identity. To federate that existing account:
- Navigate to Admin Console > People.
- Search for the user by typing in their email address.
- Click on their username or email address in the search results.
- Click on the Federate link.
External identity already exists
There may be an invalid (stale) SAML entry for the user in their External Identities section. This can be solved by removing that identity:
- Navigate to Admin Console > People.
- Search for the user by typing in their email address.
- Click on their username or email address in the search results.
- In the External Identities section, click on the red (remove) button in the row where the Type is listed as SAML.
Testing
After following the steps in this article, ask any users who are still experiencing the login issue to clear their browser cache and try to log in again. If the problem persists, capture a HAR file of the failed login attempt from one of the affected users and contact us.