Troubleshooting SAML SSO

Running SSO in debug mode can help you troubleshoot your integration.

Fastpath:
  • Admin Console > People > Single Sign-On, then the SAML tab
  • Advanced Admin Console > People > Settings > Single Sign-On, then the SAML tab

You can enable the debug mode by selecting the Debug check box on the Single Sign-On > SAML tab. You should disable this setting in production.

An attribute is missing or was mistyped

In the following sample error message, the name of the attribute configured for the user email address was named email, but that doesn't exist in the saml message. In this example, MAIL is the name of the correct attribute.

com.jivesoftware.community.aaa.sso.SSOAuthenticationException: User did not have the required attributes send from the identity provider. Missing attribute: email. Given attributes: [MAIL, title, companyname, FIRSTNAME, LASTNAME]
"Missing attribute" field in an error message is blank

If Jive is trying to sync a single name as Firstname and Lastname, you will see a message like this:

com.jivesoftware.community.aaa.sso.SSOAuthenticationException: User did not have the required attributes send from the identity provider. Missing attribute: .

To work around this problem, set the system property saml.nameField to the same attribute the first name is populated from.

Authentication works on some nodes, not others
You may discover that the certificates in the metadata for each node are different: Jive metadata won't be the same on each node and so authentication succeeds on some nodes and fail on others. To verify that the same key is being used on each node, go directly to the /saml/metadata path for each node.

This problem occurs when the Storage Provider File system caching is enabled. To disable it, go to System > Settings > Storage Provider, click Edit, and then select No under Cache Enabled.

"Responder" message

A status message in the following format indicates a problem with your IdP configuration.

<samlp:Status>  
<samlp:StatusCode  
Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
<samlp:StatusMessage>something_is_wrong</samlp:StatusMessage>  
</samlp:Status>
An assertion fails on the notBefore condition

If the IdP clock is ahead of the Jive clock by even a second, the notBefore check fails and you get the following message: 

Assertion is not yet valid, invalidated by condition notBefore ?

This problem can be caused by clock drift on either end, but you can also try addressing it by adjusting the Response Skew setting in the General SSO settings. For more information, see Response Skew in Configuring SSO with SAML.

username doesn't exist in attribute
If the attribute with the username does not exist, you can see the following message: 
ERROR org.springframework.security.saml.SAMLProcessingFilter - There was an error during SAML authentication  
java.lang.IllegalArgumentException: [Assertion failed] - this argument is required; it must not be null

The attribute may be located in the Subject NameID instead, in which case you should make sure the Override Subject NameID for Username checkbox is cleared on the General tab of your SAML settings. Otherwise, you may need to add the username attribute to the SAML message.