Running Secure Authentication Markup Language (SAML) based Single Sign-On (SSO) in debug mode can help you troubleshoot your Identity Provider (IdP) integration.
This article provides some general guidance about troubleshooting SAML SSO.
The configuration is available under Admin Console > People > Settings > Single Sign-On > SAML.
You can enable the debug mode by selecting the Debug checkbox on the Single Sign-On > SAML page. You should disable this setting in production.
Below are some known issues and related details.
An attribute is missing or was mistyped
In the following sample error message, the name of the attribute configured for the user email address was named
com.jivesoftware.community.aaa.sso.SSOAuthenticationException: User did not have the required attributes send from the identity provider. Missing attribute: email. Given attributes: [MAIL, title, companyname, FIRSTNAME, LASTNAME]
"Missing attribute" field in an error message is blank
If Jive is trying to sync a single name as
Lastname, you will see a message like this:
com.jivesoftware.community.aaa.sso.SSOAuthenticationException: User did not have the required attributes send from the identity provider. Missing attribute: .
To work around this problem, set the system property
saml.nameField to the same attribute the first name is populated from.
Authentication works on some nodes, not others
You may discover that the certificates in the metadata for each node are different: Jive metadata will not be the same on each node and so authentication succeeds on some nodes and fail on others. To verify that the same key is being used on each node, go directly to the
/saml/metadata path for each node.
This problem occurs when the Storage Provider File system caching is enabled. To disable it, go to System > Settings > Storage Provider, click Edit, and then select No under Cache Enabled.
A status message in the following format indicates a problem with your IdP configuration.
<samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/> <samlp:StatusMessage>something_is_wrong</samlp:StatusMessage> </samlp:Status>
An assertion fails on the notBefore condition
If the IdP clock is ahead of the Jive clock by even a second, the
notBefore check fails and you get the following message:
Assertion is not yet valid, invalidated by condition notBefore ?
This problem can be caused by clock drift on either end, but you can also try addressing it by adjusting the Response Skew setting in the General SAML Integration Settings.
Username does not exist in attribute
If the attribute with the username does not exist, you can see the following message:
ERROR org.springframework.security.saml.SAMLProcessingFilter - There was an error during SAML authentication java.lang.IllegalArgumentException: [Assertion failed] - this argument is required; it must not be null
The attribute may be located in the
Subject NameID instead, in which case you should make sure the
Override Subject NameID for
Username checkbox is cleared on the General tab of your SAML settings. Otherwise, you may need to add the
username attribute to the SAML message.