Troubleshooting SAML
Introduction
Once configuration has been completed, test functionality by following the steps described in single sign-on settings.
Testing
Upon navigating to the SSO URL in AppsAnywhere, you should be redirected to your identity provider, and one of two things should happen:
  You are automatically redirected back to AppsAnywhere and logged into the system
  You are presented with the login page of your identity provider
If you are presented with the login page of your identity provider, log in as you usually would; you will then be redirected back to AppsAnywhere and, if everything is configured correctly, logged into the system.
Troubleshooting
A SAML trace tool can be used to see which attributes are being passed for the user logging in. Compare the attribute names shown in the SAML tracer output with the attribute names configured in the AppsAnywhere Single Sign-On settings. Example tools are available as browser extensions, e.g. SAML Message Decoder (Chrome Web Store, google.com).
If the identity provider displays an error page after the initial redirect from AppsAnywhere:
  Check the SAML logs to determine whether there was an issue with the AuthnRequest sent by AppsAnywhere
If the identity provider displays an error page after you have successfully logged in:
  Check the SAML logs to determine whether there was an issue with the AuthnResponse
If you are returned to AppsAnywhere but are not logged in (ending up back at the login page):
  Ensure the appropriate LDAP connections have been assigned to the SSO method
  The Domain Attribute field is required when multiple LDAP connections are configured
  If multiple LDAP connections are used and an alias is used for the user's domain, also ensure the returned assertion contains an attribute carrying the user's domain; the name of that attribute must then be entered in the Domain Attribute field of the AppsAnywhere SSO method
  Ensure the Username Attribute Name is the attribute's Name (the Name="..." value on the saml:Attribute element) and not its FriendlyName
  Compare an example assertion with the configuration in AppsAnywhere, ensuring all fields are set as expected
  Pay particular attention to the signature and digest algorithms and to the X.509 certificate
  If a Domain Attribute Name has been set, ensure it is likewise the attribute's Name and not its FriendlyName
  When using a Federated Domain Alias, ensure it matches correctly
  If multiple domains are in use, ensure the aliases are unique to each connection
  Ensure the LDAP connection has any required additional domain name suffixes (e.g. if the user's UPN suffix differs from the domain name)
If an 'HTTP ERROR 500' is returned when you are sent back to AppsAnywhere, check that the SAML response contains a signature, e.g.

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_8595c839-1a04-4453-9e2f-f10043767b20">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>A1DmwOanb0SNF5iuejUQbw==</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        oIhCrGNrbUu+1jbVFngqDA==DoZNLAcTIECxYjhW7U1qVQ==oIhCrGNrbUu+1jbVFngqDA==DoZNLAcTIECxYjhW7U1qVQ==oIhCrGNrbUu+1jbVFngqDA==DoZNLAcTIECxYjhW7U1qVQ==oIhCrGNrbUu+1jbVFngqDA==DoZNLAcTIECxYjhW7U1qVQ==oIhCrGNrbUu+1jbVFngqDA==DoZNLAcTIECxYjhW7U1qVQ==oIhCrGNrbUu+1jbVFngqDA==DoZNLAcTIECxYjhW7U1qVQ==
      </ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            DoZNLAcTIECxYjhW7U1qVQ==DoZNLAcTIECxYjhW7U1qVQ==DoZNLAcTIECxYjhW7U1qVQ==DoZNLAcTIECxYjhW7U1qVQ==DoZNLAcTIECxYjhW7U1qVQ==DoZNLAcTIECxYjhW7U1qVQ==DoZNLAcTIECxYjhW7U1qVQ==DoZNLAcTIECxYjhW7U1qVQ==DoZNLAcTIECxYjhW7U1qVQ==DoZNLAcTIECxYjhW7U1qVQ==
          </ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
To resolve a missing signature when the identity provider is ADFS, verify that the command below has been run on the ADFS server (it makes ADFS sign both the SAML message and the assertion):
Set-ADFSRelyingPartyTrust -TargetName <sp_name> -SamlResponseSignature "MessageAndAssertion"
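As an added example (not part of the AppsAnywhere documentation), the following Python script runs the checks above against a SAML Response decoded from a browser tracer: it reports whether the Response and the Assertion each carry a ds:Signature, which SignatureMethod algorithm is used, and whether the values configured as Username Attribute and Domain Attribute match an Attribute Name or only a FriendlyName. The embedded response, the user values and the schemas.example claim URI are constructed sample data.

```python
import xml.etree.ElementTree as ET  # use defusedxml in a real tool

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample (not a real capture): the Response is unsigned, only the
# Assertion carries a Signature; the signature value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
 <saml:Assertion ID="_a1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    FriendlyName="UPN"><saml:AttributeValue>jsmith@corp.example</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="http://schemas.example/claims/domain" FriendlyName="Domain">
    <saml:AttributeValue>CORP</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, username_attr, domain_attr=None):
    """Report where the Signature sits, which algorithm it uses, and whether each
    configured attribute matches an Attribute Name, only a FriendlyName, or nothing."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    report = {"response_signed": root.find("ds:Signature", NS) is not None,
              "assertion_signed": assertion is not None
              and assertion.find("ds:Signature", NS) is not None,
              "algorithms": [e.get("Algorithm") for e in
                             root.iter("{%s}SignatureMethod" % NS["ds"])]}
    by_name, by_friendly = {}, {}
    for a in root.iter("{%s}Attribute" % NS["saml"]):
        by_name[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
        if a.get("FriendlyName"):
            by_friendly[a.get("FriendlyName")] = a.get("Name")
    report["attributes"] = by_name
    for field, wanted in (("username", username_attr), ("domain", domain_attr)):
        if wanted is None:  # Domain Attribute is only needed with several LDAP connections
            continue
        if wanted in by_name:
            report[field] = ("ok", by_name[wanted])
        elif wanted in by_friendly:  # friendly name entered where the Name is required
            report[field] = ("friendly_name_not_name", by_friendly[wanted])
        else:
            report[field] = ("missing", None)
    return report
```

A result of ("friendly_name_not_name", ...) is the Name/FriendlyName mistake described in the list above, and response_signed being False with assertion_signed True is the state the ADFS command corrects.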
In the majority of the cases above, if you are not the administrator of the identity provider you will likely need to request the assistance of the person who is.