Any troubleshooting should start with checking the IriusRisk logs. The following link explains how to extract them properly:
https://support.iriusrisk.com/hc/en-us/articles/360049348632
Sometimes even a correct configuration produces error messages because of outdated tokens coming from the IDP. Remind your users to log out from the IDP before they log in to IriusRisk for the first time.
Check your Identity Provider logs
SalesForce
To see what is going on, check the Identity Provider Log Event page.
Microsoft Azure
To see the detailed log, open the IriusRisk application in Azure and select Sign-ins in the Activity section.
How to get SAML Response XML
To understand what is happening during the integration, it is crucial to have visibility of the data being sent from the identity provider (IDP) to the IriusRisk web server. One of the most important messages is the one sent when the user has authenticated at the IDP and is being redirected back to IriusRisk. At this point the IDP generates a message called the "SAML Response Message", which is delivered to IriusRisk. This message contains all the fields needed to identify the user and the groups the user is a member of.
How to get this message depends on your browser.
Google Chrome
- Press F12 to start the developer console.
- Select the Network tab, and then select Preserve log.
- Reproduce the issue.
- Look for a SAML POST in the developer console pane. Select that row, and then view the Headers tab at the bottom. Look for the SAMLResponse attribute, which contains the encoded SAML Response.
Note: The SAMLResponse attribute contains the encoded SAML Response; use a Base64 decoder to investigate the decoded response.
Alternatively, you can use the SAML Message Decoder extension for Chrome, which does all the hard work for you (recommended).
Firefox
- Press F12 to start the developer console.
- Select the Network tab.
- Select the gear icon (Network Settings) and select the Persist Logs option.
- Reproduce the issue.
- Look for a POST SAML in the table. Select that row. In the Form Data window on the right, select the Params tab and find the SAMLResponse element.
Note: The SAMLResponse attribute contains the encoded SAML Response; use a Base64 decoder to investigate the decoded response.
Alternatively, you can install the SAML Message Decoder add-on in Firefox, which does all the hard work for you (recommended).
Make sure mandatory attributes are set
The SAML Response message MUST contain identifying information about the user, with at least the following fields:
- firstName
- lastName
For example, the message should contain fields similar to these:
    ...
    <AttributeStatement>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
            <AttributeValue>John</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
            <AttributeValue>Doe</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <AttributeValue>john.doe@example.com</AttributeValue>
        </Attribute>
        ...
    </AttributeStatement>
    ...
Without them, IriusRisk will not be able to grant access to the user. These fields also need to be properly mapped in the SAMLv2-config.groovy file. More information following this link.
The user can log in to IriusRisk but does not have the proper permissions
Our SAML integration allows you to manage roles either from your IDP, by mapping its groups to IriusRisk user groups, or directly from IriusRisk. If you want to manage them from the IDP, make sure the groups the user is a member of are sent inside the SAML Response message.
For example:
    ...
    <AttributeStatement>
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
            <AttributeValue>admin</AttributeValue>
            <AttributeValue>dev</AttributeValue>
            <AttributeValue>view</AttributeValue>
        </Attribute>
        ...
    </AttributeStatement>
    ...
Without them, IriusRisk won't know which roles to assign to the user and will assign your default role instead. These fields also need to be properly mapped in the SAMLv2-config.groovy file. More information following this link.
After a successful login at the identity provider, you are redirected to the IriusRisk login page again
Check IriusRisk logs for this message:
saml.SAMLProcessingFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
This usually indicates a certificate problem. The SAML Response message must be properly signed with the previously generated key. Make sure you generated it and uploaded it to both your Identity Provider and your IriusRisk instance. In IriusRisk it should be packaged into a Java KeyStore and referenced inside SAMLv2-config.groovy.
If the problem persists, try logging out from the IDP and clearing your browser's cache.
The login is successful on the Identity Provider's side, but not on IriusRisk's
Double-check that you downloaded the Federation Metadata XML from your IDP after completing all the configuration, and that you have set and activated the certificate. This metadata is referenced in the SAMLv2-config.groovy file as idp.xml.
If IriusRisk keeps redirecting you to your-iriusrisk-endpoint/log4j/logging and you can see the following logs:
1) org.opensaml.saml2.metadata.provider.MetadataProviderException: Alias iriusrisk-sp is used both for entity test and iriusrisk-sp
You probably haven't properly set the IriusRisk metadata file called sp.xml. This metadata should be downloaded from your IriusRisk instance and then referenced in the SAMLv2-config.groovy file. To download it, run IriusRisk, open https://your-iriusrisk-endpoint/saml/metadata and save the downloaded file as sp.xml. After that, make sure it is referenced in the SAMLv2-config.groovy file as follows:
    sp {
        file = '/etc/irius/sp.xml'
        ...
    }
2) org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder - SAML message intended destination endpoint 'https://your-iriusrisk-endpoint/saml/SSO/alias/iriusrisk-sp' did not match the recipient endpoint 'http://your-iriusrisk-endpoint/saml/SSO/alias/iriusrisk-sp'
Your load balancer is probably not forwarding the HTTPS headers to the IriusRisk server. Make sure it is configured with proxy and X-Forwarded header support, so IriusRisk sees the original https scheme.
IriusRisk login succeeds, but the user cannot see any projects
Check whether the user has any role assigned. If not, review whether you properly mapped the following attributes in the SAMLv2-config.groovy file:
    userGroupToRoleMapping = [ 'IDP_GROUP':'IRIUSRISK_ROLE' ]
    defaultRole = 'IRIUSRISK_DEFAULT_ROLE'
The userGroupToRoleMapping attribute relates the IDP's groups to IriusRisk roles. If you are using Azure or ADFS, the IDP_GROUP value should correspond to the group ID.
The defaultRole attribute tells IriusRisk which role to assign to the user if none of the user's groups is mapped to a role.
Also, if you are using Azure or ADFS, remember to set the following value:
    userGroupAttribute = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'
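The following script is an added example, not part of this article or of IriusRisk itself. It ties together the checks above: it Base64-decodes a captured SAMLResponse, lists the attributes in its AttributeStatement, reports which of the mandatory claims (givenname, surname) are missing, and applies a userGroupToRoleMapping-style dictionary with a defaultRole fallback to the groups claim. The sample response, the mapping dictionary and the role names are constructed for illustration; how IriusRisk itself orders several matching roles is not documented here, so the function simply returns every mapped role.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace; ElementTree matches by URI, whatever prefix the IDP used.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names quoted in the article: the two mandatory user fields and the Azure/ADFS groups claim.
GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample (not a real capture): a response carrying givenname and groups but no
# surname, Base64-encoded the way the SAMLResponse form field appears in the browser.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <saml:AttributeValue>dev</saml:AttributeValue>
    <saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

def decode_saml_response(saml_response_b64):
    """Decode the Base64 SAMLResponse field and parse it into an XML tree."""
    return ET.fromstring(base64.b64decode(saml_response_b64))

def extract_attributes(root):
    """Collect {claim name: [values]} from every AttributeStatement in the response."""
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def missing_mandatory(attrs):
    """Mandatory claims (givenname, surname) that are absent or empty; [] means all present."""
    return [name for name in (GIVEN_NAME, SURNAME) if not any(attrs.get(name, []))]

def resolve_roles(groups, group_to_role, default_role):
    """Apply a userGroupToRoleMapping-style dict; fall back to defaultRole when nothing maps.
    Assumption: all mapped roles are returned; precedence between them is not defined here."""
    roles = [group_to_role[g] for g in groups if g in group_to_role]
    return roles or [default_role]

if __name__ == "__main__":
    attrs = extract_attributes(decode_saml_response(SAMPLE_B64))
    print("missing mandatory claims:", missing_mandatory(attrs))
    print("roles:", resolve_roles(attrs.get(GROUPS, []), {"admin": "ADMIN"}, "VIEWER"))
```

Paste the SAMLResponse value copied from the browser's Network tab in place of SAMPLE_B64 to check a real capture; for Azure or ADFS the group values will be group IDs, so the mapping keys must be those IDs.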