Troubleshooting
When single sign-on (SSO) fails, the user receives an Access Denied message. Failure is usually the result of misconfiguration. The following sections describe the common issues that can result in access being denied:
- Single sign-on disabled
- Identity provider Entity ID (Issuer) mismatch
- Missing required attributes
- Invalid or missing signature on SAML Response
- User not found and can’t be created or linked
Single sign-on disabled
The Single sign-on configuration can be optionally disabled after it is configured to prevent users from logging in through the configured SAML identity provider. To re-enable SSO, go to Manage > Account > Company Settings | Single Sign-On, then click Enable. See Configure single sign-on for configuration details.
Identity provider Entity ID (Issuer) mismatch
SAML identity providers must include their entity ID in the Issuer attribute of the SAML response returned to the marketplace. The value sent must exactly match the value configured in the Entity ID (Issuer) field of the Identity Provider Configuration section, as shown in the following example:
<saml:Issuer>https://www.example.com</saml:Issuer>
Service provider Entity ID (Issuer) mismatch
SAML identity providers must include the service provider’s entity ID in the Audience and Recipient attributes of the SAML response returned to the marketplace. The value sent must exactly match the generated value for Entity ID (Issuer) in the Service Provider Configuration section, as shown in the following example:
<saml:AudienceRestriction>
<saml:Audience>https://marketplace.example.com/saml/login/63e9c1a8-afcc-41ef-888a-3cc8c98b273a</saml:Audience>
</saml:AudienceRestriction>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john.smith@example.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
Recipient="https://marketplace.example.com/saml/login/63e9c1a8-afcc-41ef-888a-3cc8c98b273a" NotOnOrAfter="2018-04-20T01:38:34.821Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
Missing required attributes
If Automatic user creation is enabled, FirstName, LastName, and Email must be included in the AttributeStatement of the SAML assertion. If User account linking by email is enabled then Email is required.
📝 Note: Attribute names must exactly match those defined in the table above, as shown in the following example.
<saml:AttributeStatement>
<saml:Attribute Name="Email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">john.smith@example.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="LastName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Smith</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
Invalid or missing signature on SAML Response
The SAML response returned to the marketplace must be digitally signed using a key associated with a public Verification certificate defined in the Identity Provider Configuration pane of the Single sign-on configuration page in the user interface. See Configure single sign-on for more information.
📝 Note: AppDirect supports signing the SAML assertion or full response.
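The following is an added diagnostic example, not AppDirect code: it parses a SAML Response and reports which of the misconfigurations described above (Issuer mismatch, Audience or Recipient mismatch, missing or misnamed required attributes, no Signature element) would lead to Access Denied. The sample response and the signature placeholder are constructed for the example; the entity ID values are the ones shown on this page. Only the presence of a Signature element is checked, since cryptographic verification of the signature must be done by a SAML library.

```python
"""Diagnose the common SAML Response misconfigurations described above.

Added example, not AppDirect code.  Checks Issuer, Audience, Recipient,
required attributes and Signature presence.  For untrusted input in
production, parse with a hardened parser such as defusedxml instead of
xml.etree directly (assumption: that library is available).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_FOR_CREATE = ("FirstName", "LastName", "Email")   # Automatic user creation
REQUIRED_FOR_LINK = ("Email",)                              # User account linking by email

# Values from the page's examples.
IDP_ENTITY_ID = "https://www.example.com"
SP_ENTITY_ID = "https://marketplace.example.com/saml/login/63e9c1a8-afcc-41ef-888a-3cc8c98b273a"

# Constructed placeholder: a real assertion carries a full XML-DSig block here.
SIGNATURE_PLACEHOLDER = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
)

# Constructed sample response that satisfies every documented check.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    {SIGNATURE_PLACEHOLDER}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john.smith@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ENTITY_ID}" NotOnOrAfter="2018-04-20T01:38:34.821Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>john.smith@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def diagnose(response_xml, idp_entity_id, sp_entity_id, auto_create=True, link_by_email=True):
    """Return a list of problems; an empty list means all documented checks pass."""
    problems = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion in response"]

    # Identity provider Entity ID (Issuer) must match exactly.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer mismatch: got {issuer!r}, expected {idp_entity_id!r}")

    # Service provider Entity ID must appear in Audience and in Recipient.
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"Audience mismatch: got {audiences!r}, expected {sp_entity_id!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != sp_entity_id:
        problems.append(f"Recipient mismatch: got {recipient!r}, expected {sp_entity_id!r}")

    # Required attributes: names are compared exactly (case-sensitive), so
    # "email" does not satisfy "Email".
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    required = set()
    if auto_create:
        required.update(REQUIRED_FOR_CREATE)
    if link_by_email:
        required.update(REQUIRED_FOR_LINK)
    missing = sorted(name for name in required if not attrs.get(name))
    if missing:
        problems.append(f"missing required attributes: {missing}")

    # Signature may be on the Response or on the Assertion; presence only.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature on Response or Assertion")
    return problems


if __name__ == "__main__":
    for problem in diagnose(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID) or ["all checks pass"]:
        print(problem)
```

Run it against the base64-decoded SAML Response captured from the browser (for example with a SAML tracing extension) together with the two entity IDs from the Single sign-on configuration page; each reported line maps to one of the sections above.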
User not found and can’t be created or linked
After the SAML response is validated, AppDirect attempts to look up the user by matching the value sent in the NameID attribute to the external ID attribute associated with the marketplace user record. A user’s external ID can be set in the following ways:
- Account linking (SSO flow)
- Automatic user creation (SSO flow)
- API
If the user is not found, the marketplace attempts to automatically create the user, or link to the user, based on how you configured SSO (see Configure single sign-on to learn more about configuration options).
User account linking by email—After account linking is enabled, the marketplace uses the Email attribute (included in the SAML response) to look up the user by their primary email address. If a user is found with a matching email address the external ID is set to the NameID value (used for subsequent logins) and the user is redirected to their target marketplace page.
Automatic user creation—If the user is not found by email (or account linking is disabled) the marketplace attempts to create the user when Automatic user creation is enabled. In this case, FirstName, LastName, and Email are all required to be included in the SAML response. After the user is successfully created, the user’s external ID is set to the NameID value (used for subsequent logins) and the user is redirected to their target marketplace page.
📝 Note: Automatic user creation fails if a user already exists with the same email address. This scenario may be encountered when account linking is disabled and automatic user creation is enabled.
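The lookup, link and create decision described in this section, as an added example that is not AppDirect code: an in-memory user store stands in for the marketplace user records, the two settings are plain booleans, and email matching is assumed to be exact. The final case reproduces the note above, where creation is denied because a user with the same email already exists and linking is disabled.

```python
"""User resolution after a validated SAML response (added example, not AppDirect code).

Order of operations, as described on the page: match NameID against the
external ID, then link by email if enabled, then auto-create if enabled.
Assumption: email comparison is exact (case-sensitive).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

REQUIRED_FOR_CREATE = ("FirstName", "LastName", "Email")


class AccessDenied(Exception):
    """Raised where the marketplace would show the Access Denied message."""


@dataclass
class User:
    email: str
    first_name: str
    last_name: str
    external_id: Optional[str] = None


@dataclass
class Marketplace:
    link_by_email: bool = True     # "User account linking by email" setting
    auto_create: bool = True       # "Automatic user creation" setting
    users: List[User] = field(default_factory=list)   # constructed stand-in for user records

    def resolve_user(self, name_id: str, attrs: Dict[str, str]) -> Tuple[str, User]:
        """Return (outcome, user); outcome is 'found', 'linked' or 'created'."""
        # Step 1: match NameID against the external ID on existing records.
        for user in self.users:
            if user.external_id == name_id:
                return "found", user

        email = attrs.get("Email", "").strip()

        # Step 2: account linking by primary email address.
        if self.link_by_email:
            if not email:
                raise AccessDenied("Email attribute is required for account linking")
            for user in self.users:
                if user.email == email:
                    user.external_id = name_id   # used for subsequent logins
                    return "linked", user

        # Step 3: automatic user creation.
        if self.auto_create:
            missing = [n for n in REQUIRED_FOR_CREATE if not attrs.get(n, "").strip()]
            if missing:
                raise AccessDenied(f"missing required attributes: {missing}")
            if any(user.email == email for user in self.users):
                # Scenario from the note: linking disabled, email already taken.
                raise AccessDenied("a user with this email already exists")
            user = User(email, attrs["FirstName"].strip(), attrs["LastName"].strip(), name_id)
            self.users.append(user)
            return "created", user

        raise AccessDenied("user not found and neither linking nor creation applies")


def login_outcome(mp: Marketplace, name_id: str, attrs: Dict[str, str]) -> str:
    """Run resolve_user and turn a denial into a 'denied: ...' string for reporting."""
    try:
        outcome, _ = mp.resolve_user(name_id, attrs)
        return outcome
    except AccessDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    mp = Marketplace(users=[User("john.smith@example.com", "John", "Smith")])
    print(login_outcome(mp, "idp-uid-42", {"Email": "john.smith@example.com"}))   # first login links
    print(login_outcome(mp, "idp-uid-42", {}))                                     # second login is found
```

The first login for an existing user with linking enabled returns linked and stores the NameID as the external ID; every later login for that NameID returns found without consulting the email at all, which is why changing the NameID format at the identity provider after users have been linked causes lookups to fail.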