mO SharemO Share

SAML SSO Troubleshooting

This page will help you identify issues and fix them. On facing any issue with Single Sign On, you can go through the list below to figure out your issue and fix it.

The failure can occur at two points -

  1. Test Configuration Failed - This tool is specifically aimed to test the setup of Single Sign-On between your Atlassian application and your IDP.

    On a perfect successful configuration, you get a success message. On any problems, you get one of the following messages with steps to fix the problem on your own very quickly.

  2. SAML SSO Failed - If your Test Configuration works and even then your Single Sign-On fails, you need to tweak your settings a little further to fix the issue.

1. Test Configuration Failed

If the test configuration has been performed in the plugin's IDP configuration tab and results in Test Failed, the possible causes are listed below.

 

Error Code: INVALID_SIGNATURE

in Description: This issue comes when the configured certificate in the plugin's IDP Configuration tab did not match the Certificate in SAML Response.

How can it be fixed?:

  • Copy Expected Certificate from Test window.

  • Paste it in the IDP Signing Certificate text box in IDP Configuration Tab.

  • Save settings.





Error Code: INVALID_CONDITIONS


Description: This issue generally comes up when the Application(Jira, Confluence, Bitbucket, Bamboo, and fisheye) server's time is not within the time interval specified by IDP in SAML Response. Hence, the SAML Response gets invalidated and the SAML app is unable to proceed it even if the difference is in milliseconds.

How can it be fixed?:

  • Read Resolution in the Test window and note the value of the minutes which you need to set in Validate SAML Response.

  • Go to the Advanced SSO tab in the plugin change the value of Validate IDP's SAML Response to minutes mentioned in the Test window and save it.

  • Go to IDP Configuration tab in the plugin try Test configuration again.




Error Code: INVALID_ISSUER


Description: This problem will come when the IDP entity ID / Issuer configured in the plugin does not match with the IDP Issuer.

How can it be fixed?:

  • Copy the value of the Issuer from the Test window. For the reference shown in the picture below.

  • Paste it in the IDP Entity/Issuer text field in the IDP Configuration tab of the plugin.

  • Save settings.





2. SAML SSO Failed

If the Test Configuration Results Success and SAML SSO Failed, the possible causes are listed below. Please check the URL and find the below-mentioned parameter in the URL.

 

Error Code: samlerror=cant_signin_no_access


Description: This problem will come when the user tries to login in Atlassian application and the user has no permission to log in.

How can it be fixed?:

  • Add the user to an application group that gives login permission.

  • Follow this knowledgeBase to assign a group to the user which gives access to the application.



 

 Error Code: samlerror=cant_signin_no_license


Description: No license exits. Single Sign-On will not work unless an app license is applied.

How can it be fixed?:

  • Update license in manage apps sections.





Error Code: samlerror=cant_signin_check_configuration


Description: This issue is caused by multiple reasons and all are listed below.

  1. The creation of new users may be restricted.

How can it be fixed?
Please uncheck the new user creation in the Advanced SSO tab of the plugin.

 

2. It seems multiple users exits with the same email address.

How can it be fixed?:
Please ensure email for all users should be unique if you have enabled Login with email in the Users profile tab of the plugin.

 

3. Username not received in the SAML Response.

 


 

 

If you are looking for anything which you cannot find, please drop us an email on info@xecurifty.com

@ Copyright 2019 miniOrange. All Rights Reserved.