Logs are a useful tool for understanding what is happening in your application and for troubleshooting your customers' authentication errors.
If an end user tried to log in via SSO and the login failed, a failed-login log entry appears under the relevant environment.
When you open the raw data of the log, the error and reason fields indicate why the SAML handshake failed. Usually the cause is a mismatch between the SP (service provider) configuration on your side and the IdP (identity provider) setup on the customer's side.
For example, if you set the SP Entity ID to 'Acme' but your customer accidentally entered 'Acme.com' when setting up their SAML app, the login fails with an audience-related error.
To pinpoint where the mismatch is, use the SAMLResponse field in the log's Raw Data:
- Copy the SAMLResponse value.
- Decode it. The value is plain Base64 (the HTTP-POST binding does not compress it), so a local decoder such as base64 -d works, as does an online tool such as https://www.samltool.com/decode.php. Keep in mind that the decoded document contains the end user's identity and attributes, so prefer decoding locally over pasting production data into a third-party site.
- The result is an XML document (a samlp:Response) containing the assertion and the end user's data.
What to check:
- The NameID element is an email address, and it is the same email the user tried to log in with.
- The Destination attribute on the Response matches the ACS URL configured under SAML settings.
- The Audience element (inside AudienceRestriction) matches the SP Entity ID configured under SAML settings.
- The certificate in the XML, under X509Certificate, is the same certificate applied to this SSO connection.
How do I check which certificate is applied to the account?
Go to [Environment] ➜ Accounts ➜ Account ➜ Actions ➜ SSO Configurations.
The Public Certificate shown in the modal is Base64 encoded, and so is the X509Certificate value in the end user's SAMLResponse: both are the same DER certificate in Base64, possibly differing only in line wrapping or in PEM BEGIN/END lines. Rather than comparing the raw strings, decode both and compare the results, or wrap each in PEM BEGIN/END CERTIFICATE lines and compare their fingerprints with openssl x509 -noout -fingerprint -sha256. If the fingerprints differ, the IdP is signing with a certificate other than the one applied to this connection.
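The checklist above can be run offline against the copied SAMLResponse instead of by eye. The following script is an added example, not Frontegg's own code: it Base64-decodes the response, extracts NameID, Destination, Audience and the embedded X509Certificate, and compares each with the SP configuration, reporting every mismatch. The sample response, ACS URL, SP Entity ID and certificate bytes in it are constructed placeholders (the "certificate" is not a real X.509 certificate), chosen to reproduce the 'Acme' versus 'Acme.com' audience mismatch described in the text.

```python
"""Decode a SAMLResponse and compare it with the SP configuration.

Added example, not Frontegg's own code. It automates the manual checklist
and runs offline, so a production assertion (which carries the user's
identity) never has to be pasted into a third-party website. Every input
below (the response XML, the URLs, the certificate bytes) is a constructed
placeholder.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(cert: str) -> str:
    """SHA-256 over the DER bytes. Accepts a PEM block or the bare Base64 that
    appears in <ds:X509Certificate>; comparing fingerprints instead of strings
    avoids false mismatches caused by PEM headers or line wrapping."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()


def decode_saml_response(saml_response_b64: str) -> ET.Element:
    """The HTTP-POST binding sends the Response Base64-encoded, not deflated."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def extract_fields(root: ET.Element) -> dict:
    """Pull out the four values the checklist compares."""
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    return {
        "name_id": text(".//saml:Subject/saml:NameID"),
        "destination": root.get("Destination"),
        "audience": text(".//saml:AudienceRestriction/saml:Audience"),
        "certificate": text(".//ds:X509Certificate"),
    }


def check_response(saml_response_b64, expected_email, acs_url,
                   sp_entity_id, configured_cert) -> dict:
    """Return the extracted fields plus a list of human-readable mismatches."""
    f = extract_fields(decode_saml_response(saml_response_b64))
    problems = []
    if not f["name_id"] or "@" not in f["name_id"]:
        problems.append(f"NameID is not an email address: {f['name_id']!r}")
    elif f["name_id"].lower() != expected_email.lower():  # email case-insensitive
        problems.append(f"NameID {f['name_id']!r} differs from login email {expected_email!r}")
    if f["destination"] != acs_url:
        problems.append(f"Destination {f['destination']!r} != ACS URL {acs_url!r}")
    if f["audience"] != sp_entity_id:
        problems.append(f"Audience {f['audience']!r} != SP Entity ID {sp_entity_id!r}")
    if f["certificate"] is None:
        problems.append("no X509Certificate in the response")
    elif cert_fingerprint(f["certificate"]) != cert_fingerprint(configured_cert):
        problems.append("signing certificate differs from the one applied to this connection")
    return {**f, "problems": problems}


# --- constructed sample: the 'Acme' vs 'Acme.com' case; not real data ---
FAKE_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://auth.example.com/saml/callback">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>Acme.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()
# What the SSO Configurations modal would show, here wrapped as PEM.
CONFIGURED_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    report = check_response(SAMPLE_SAMLRESPONSE, "alice@example.com",
                            "https://auth.example.com/saml/callback", "Acme",
                            CONFIGURED_CERT_PEM)
    for line in report["problems"] or ["all checks passed"]:
        print(line)
```

To use it on a real log, replace SAMPLE_SAMLRESPONSE with the copied SAMLResponse value and the four arguments with the login email, the ACS URL, the SP Entity ID from your SAML settings and the Public Certificate from the SSO Configurations modal. The script only checks the fields from the checklist; it does not verify the XML signature, so a matching report means the configuration agrees, not that the assertion is authentic.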