Troubleshoot Service Manager SAML SSO setup

If your SAML SSO setup fails, see the following issues and their solutions for troubleshooting.

Problem: Failed to download the IdM metadata

Symptom: When launching the IdM metadata URL in a browser, the IdM metadata is not displayed correctly.

Solution: Make sure your IdM configuration complies with the instructions that precede the "Download the IdM metadata" task in Install and configure the standalone IdM service.

Problem: IdP login page not displayed

Symptom: After launching the Service Manager web tier, SRC, or Mobility Client URL in a browser, you are redirected to the HPE Propel login page rather than to the IdP (ADFS) login page.

Solution: If you can see the IdM login page (that is, the HPE Propel login page), the IdM configuration on the Service Manager side is correct; the problem lies in the SAML configuration of the IdM service, which you need to check.

For details, see the "Deploy the IdM service and configure SAML SSO" and "Create a trust relationship with the ADFS" tasks in Install and configure the standalone IdM service.

Problem: IdP login failure with an "Invalid token" error

Symptom: After entering credentials in the IdP (ADFS) login page to log in, an "Invalid token" error is returned.

Solution: Check that you have replaced your JRE policy files with the unlimited strength JRE policy files.

For details, see the "Replace JRE policy files for the IdM server" task in Install and configure the standalone IdM service.

Problem: IdP login failure with an "Invalid tenant" error

Symptom: After entering credentials in the IdP (ADFS) login page to log in, an "Invalid tenant" error is returned.

Solution: This issue occurs when the IdM tenant configured on the Service Manager side differs from the tenant configured in the IdM service.

Check the following files:

  • <idm-service>\WEB-INF\classes\seeded\samples\com.hpe.tenant1__1.3.2.1__Add_Update_Saml_Configuration.json
  • /WEB-INF/webtier.properties of the SM web tier, SRC, or Mobility Client

Make sure the idm.tenant parameter in webtier.properties is set to the value of the tenant's name field in the .json file of the IdM service.
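The tenant comparison above can be scripted so the check is repeatable across the web tier, SRC, and Mobility Client. The following is an added example, not code from the product documentation; the JSON layout (a top-level or tenant-nested "name" field) and the sample property values are assumptions, since the page only names the files and the fields.

```python
import json
import re

# Constructed sample of the IdM tenant JSON (structure assumed; the page only
# says the tenant "name" field lives in this file).
TENANT_JSON = '{"name": "com.hpe.tenant1", "saml": {"enabled": true}}'

# Constructed sample of a webtier.properties fragment.
WEBTIER_PROPERTIES = """
# Service Manager web tier settings (constructed sample)
idm.enabled=true
idm.tenant = com.hpe.tenant1
idm.serverUrl=https://idm.example.com/idm-service
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def tenant_name_from_json(text):
    """Return the tenant name; assumes it is top-level or under a 'tenant' object."""
    data = json.loads(text)
    if "name" in data:
        return data["name"]
    return data.get("tenant", {}).get("name")


def check_tenant_match(props_text, json_text):
    """Return (ok, configured, expected). A mismatch is what yields 'Invalid tenant'."""
    configured = parse_properties(props_text).get("idm.tenant")
    expected = tenant_name_from_json(json_text)
    return (configured is not None and configured == expected, configured, expected)


if __name__ == "__main__":
    ok, got, want = check_tenant_match(WEBTIER_PROPERTIES, TENANT_JSON)
    print("OK" if ok else f"MISMATCH: idm.tenant={got!r}, IdM tenant name={want!r}")
```

Point the two constants at the real files (read them from disk) on each client that shows the error; a mismatch or a missing idm.tenant line is reported rather than silently passed.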

Problem: IdP login failure with an "Invalid login name/password" error

Symptom: After entering credentials in the IdP (ADFS) login page to log in, the following error is returned:

A CXmlApiException was raised in native code : error 3 : login(3): Invalid login name/password. Please try again.

Solution: This issue occurs when the NameID field in ADFS and the name field in the SM operator table are not mapped to the same LDAP attribute. Make sure the two fields are mapped to the same LDAP attribute.

Problem: Redirected to an "Invalid Token" page after clicking login

Symptom: You have stayed on the ADFS login page for a long time (for example, hours) before clicking login. ADFS redirects you to an "Invalid Token" page that reads:

The request token is invalid. It may have already been used or has expired.

Solution: Perform the following steps:

  1. Close your browser.
  2. Reopen your browser.
  3. Log in again.