Logs are a useful tool for understanding what is happening in your application and for troubleshooting your customers' authentication errors.
If an end user has tried to log in via SSO and the login failed for some reason, you will see a log entry for the failed login under the relevant environment.
When you open the Raw Data of the log, the reason fields indicate why the SAML handshake failed. Usually this is caused by a mismatch between the SP (service provider) configuration and the IdP (identity provider) setup.
For example, if you have set the SP Entity ID to 'Acme' but your customer accidentally used 'Acme.com' when setting up their SAML app, the login will fail and the reason field will report the mismatch (the Audience in the response does not match the configured SP Entity ID).
To see exactly where the mismatch occurs, use the SAMLResponse in the Raw Data of the log:
- Copy the SAMLResponse value.
- Decode it. The value is Base64-encoded XML; you can paste it into an online decoder such as https://www.samltool.com/decode.php, or decode it locally with base64 -d. Keep in mind that the decoded response contains the end user's personal data, so treat it as sensitive and prefer a local decoder over pasting it into a third-party site.
- The result is an XML document containing the assertion and the end user's attributes.
What you should check:
- The NameID is passed as an email address and is the same email that the user tried to log in with.
- The Destination attribute is the same as the ACS URL that you configured under SAML settings.
- The Audience attribute is the same as the SP Entity ID that you configured under SAML settings.
- The certificate in the XML, under X509Certificate, is the same as the certificate applied to this SSO connection.
How do I check which certificate is applied to the account?
Go to [Environment] ➜ Accounts ➜ Account ➜ Actions ➜ SSO Configurations
The Public Certificate in the modal is Base64 encoded. You can decode it with any X.509 tool and compare it with the certificate passed in the end user's SAMLResponse. The most reliable comparison is between the two certificates' SHA-256 fingerprints, because line wrapping and PEM headers can differ between the two copies even when the underlying certificate is the same.
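The checklist above and the certificate comparison can be scripted so that every field is compared in one pass. The following is an added example, not code from the original article or from the vendor: it decodes a SAMLResponse copied from the log, extracts the NameID, Destination, Audience and X509Certificate, and compares them with the ACS URL, SP Entity ID, login email and certificate fingerprint configured on the SP side. The sample response, the URLs, entity IDs and email address are constructed for the demonstration, the X509Certificate value is a placeholder blob rather than a real certificate, and no XML signature verification is performed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the Response, the Assertion and the XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_saml_response(b64: str) -> bytes:
    """Decode a SAMLResponse form field (HTTP-POST binding: plain Base64).
    Whitespace picked up while copying the value from the log is dropped."""
    return base64.b64decode("".join(b64.split()))


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of a Base64 (DER) certificate as found in
    <ds:X509Certificate> or in the SSO Configurations modal; comparing
    fingerprints avoids false mismatches caused by line wrapping."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def extract_fields(xml_bytes: bytes) -> dict:
    """Pull the checklist fields out of a decoded response.
    For untrusted input in production, parse with defusedxml instead."""
    root = ET.fromstring(xml_bytes)

    def text(path: str):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    status = root.find(".//samlp:Status/samlp:StatusCode", NS)
    return {
        "issuer": text("./saml:Issuer"),
        "status": status.get("Value") if status is not None else None,
        "destination": root.get("Destination"),
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience": text(".//saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "cert_b64": text(".//ds:X509Certificate"),
    }


def check_response(b64_response: str, expected: dict) -> list:
    """Compare the response with the SP-side configuration and return the
    list of mismatches (empty means everything lines up). The signature is
    NOT verified here; only the presented certificate is compared."""
    f = extract_fields(decode_saml_response(b64_response))
    problems = []
    if f["status"] != SUCCESS:
        problems.append(f"IdP reported status {f['status']!r}")
    if f["name_id"] is None:
        # An <saml:EncryptedAssertion> hides the Subject; decrypt it first.
        problems.append("NameID missing (assertion may be encrypted)")
    else:
        if f["name_id"].lower() != expected["login_email"].lower():
            problems.append(f"NameID {f['name_id']!r} != login email {expected['login_email']!r}")
        if f["name_id_format"] and not f["name_id_format"].endswith("emailAddress"):
            problems.append(f"NameID format is {f['name_id_format']}, not emailAddress")
    if f["destination"] != expected["acs_url"]:
        problems.append(f"Destination {f['destination']!r} != ACS URL {expected['acs_url']!r}")
    if f["audience"] != expected["sp_entity_id"]:
        problems.append(f"Audience {f['audience']!r} != SP Entity ID {expected['sp_entity_id']!r}")
    if f["cert_b64"] is None:
        problems.append("no X509Certificate in the response")
    elif cert_fingerprint(f["cert_b64"]) != expected["cert_sha256"]:
        problems.append("signing certificate does not match the configured SSO certificate")
    return problems


# Constructed sample: a minimal response whose Audience says 'Acme.com' while
# the SP Entity ID is 'Acme'. The X509Certificate value is a placeholder blob.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
 Destination="https://app.acme.example/auth/saml/callback">
 <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>AAECAwQFBgcICQ==</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@acme.example</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>Acme.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_XML).decode()

# Hypothetical SP-side configuration to compare against.
EXPECTED = {
    "acs_url": "https://app.acme.example/auth/saml/callback",
    "sp_entity_id": "Acme",
    "login_email": "jane@acme.example",
    "cert_sha256": cert_fingerprint("AAECAwQFBgcICQ=="),
}

if __name__ == "__main__":
    for problem in check_response(SAMPLE_SAMLRESPONSE, EXPECTED) or ["no mismatches found"]:
        print(problem)
```

Run against a real log entry by replacing SAMPLE_SAMLRESPONSE with the copied value and EXPECTED with your SAML settings and the fingerprint of the Public Certificate from the SSO Configurations modal; the email comparison is case-insensitive because identity providers often change the case of the NameID.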