Show/Hide Toolbars

Navigation: SSO-SAML Help

Troubleshooting/Common SAML Issues

Scroll Prev Top Next More

Troubleshooting

Logging

Use the TeamConnect and SAML Gateway log files to troubleshoot issues.

TeamConnect

Set the TeamConnect Authentication logger to DEBUG

SAML Gateway

Debug logging can be enabled on the Logging tab of the administrative console accessible via a web browser at <SAML gateway>/saml/web/logging

 

Note: Use different browsers when accessing the SAML Gateway administration console and logging into TeamConnect via SAML at the same time.

 

Common issues

Issue

Resolution

When generating new metadata, the dropdowns for the ‘Signing key’ and ‘Encryption key’ fields are blank.

Verify that the keystore alias for the encryption key was created using lowercase letters and that the default keystore values in saml.properties have been changed to reflect the keystore being used.

TeamConnect login fails with the following exception in the SAML Gateway log: ‘org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata for entity <name> and role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor wasn't found’.

Verify that the value of sp.entityID in saml.properties matches the entity ID of the Service Provider.

TeamConnect login fails with the following exception in the SAML Gateway log: ArtifactResolutionProfileBase.resolveArtifact | Could not decode artifact response message.

  org.opensaml.ws.message.decoder.MessageDecodingException: Error when sending request to artifact resolution service.

 

Caused by: javax.net.ssl.SSLHandshakeException: org.springframework.security.saml.trust.UntrustedCertificateException: Peer SSL/TLS certificate

Check the certificate details in the log file. If the exception is for the IDP domain, import the root certificate for the IDP domain into the SAML Gateway application’s keystore. The IDP URL is defined in idp.xml in the WEB-INF/classes/metadata folder of the application.

On login, TeamConnect displays an error message stating ‘A system error occurred during authentication. Please contact your administrator to check the system logs.’

Verify that SAMLAuthenticator.class has been uploaded to the System/Authentication/SAML/classes folder and the application server was restarted after upload.

On login, the browser redirects endlessly.

Verify that:

There is an active TeamConnect user whose username matches the IDP response credential.

Crypto.class has been uploaded to the System/Authentication/SAML/classes folder and the application server was restarted after upload.

On login, TeamConnect displays a Page Not Found error page instead of the home page.

Verify that the TeamConnect login URL in saml.properties is correct and does not have a ‘/’ at the end i.e. the URL should end with /login and not /login/.

Persistent URLs do not work -- the user is logged into TC successfully but the home page is displayed instead of the requested record.

Verify that the TeamConnect URL in saml.properties has the same hostname as the user requested URL e.g. if the user accesses TeamConnect using http://example.com/TeamConnect/entityrecord/CONT_3, then the URL in saml.properties should be http://example.com/TeamConnect/login and not http://<ip address>/TeamConnect/login