Troubleshoot SAML Authentication

Errors in the CMS UI error log

[https-jsse-nio-8449-exec-1] SamlLoginUtils - Failed to get SAML configuration

If you are running CMS UI in standalone mode, check that the saml_configuration.properties file (in the <CMS UI home>/conf directory) is configured correctly.

If you are running CMS UI in embedded mode, check that the UCMDB server started successfully.

IDP Endpoint could not be null

If you are running CMS UI in standalone mode, check that the mam.server.sso.saml.auth.idp property in the saml_configuration.properties file (in the <CMS UI home>/conf directory) is configured correctly.

If you are running CMS UI in embedded mode, check that the setIDPEndpointForSAMLAuthentication method in JMX console is configured correctly.

Username claim type could not be null

If you are running CMS UI in standalone mode, check that the mam.server.sso.saml.auth.username.claimtype property in the saml_configuration.properties file (in the <CMS UI home>/conf directory) is configured correctly.

If you are running CMS UI in embedded mode, check that the setSAMLClaimTypeContainingUserName method in JMX console is configured correctly.

Request issuer could not be null

If you are running CMS UI in standalone mode, check that the mam.server.sso.saml.auth.request.issuer property in the saml_configuration.properties file (in the <CMS UI home>/conf directory) is configured correctly.

If you are running CMS UI in embedded mode, check that the setAuthRequestIssuer method in JMX console is configured correctly.

Response issuer could not be null

If you are running CMS UI in standalone mode, check that the mam.server.sso.saml.response.issuer property in the saml_configuration.properties file (in the <CMS UI home>/conf directory) is configured correctly.

If you are running CMS UI in embedded mode, check that the setSamlResponseIssuer method in JMX console is configured correctly.

UI Error Messages

"Could not extract IdP authenticated user from SAML Response. The assertion cannot be used before …" or "Could not extract IdP authenticated user from SAML Response. The assertion cannot be used after..."

This issue occurs when the system clocks on the AD FS server and on the UCMDB Server or CMS UI server are skewed relative to each other. The AD FS server system clock must be set to a time later than that of the UCMDB Server or CMS UI server. If this is not the case, you must set a time skew to offset the time difference. The time skew is measured in seconds.

You can set the time skew by using the setSamlTimeSkew method in JMX console and the mam.server.sso.saml.time.skew property in the saml_configuration.properties file (in the <CMS UI home>/conf directory).

By default, the time skew is 0.

For example, if the value of the setSamlTimeSkew method is 60, the AD FS server system clock can be up to 60 seconds earlier than the system clock on the UCMDB Server or CMS UI server.
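The following is an added example, not code from the product, that shows how the time-skew tolerance above changes the outcome of the assertion validity check. It evaluates the NotBefore and NotOnOrAfter attributes of a SAML Conditions element against a given local clock time with a configurable skew in seconds. The assertion fragment, timestamps and function names are constructed for this example and are not taken from UCMDB or CMS UI.

```python
"""Added example (not UCMDB/CMS UI code): evaluate a SAML assertion's
<Conditions> validity window against the local clock with a skew tolerance,
reproducing the 'cannot be used before' / 'cannot be used after' outcomes."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the timestamps are in the IdP's (AD FS) clock.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse an xs:dateTime as used in SAML ('Z' suffix means UTC)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def conditions_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    return (parse_saml_instant(cond.get("NotBefore")),
            parse_saml_instant(cond.get("NotOnOrAfter")))


def check_assertion_time(assertion_xml, now, skew_seconds=0):
    """Return 'ok', 'before' (assertion not yet valid on the local clock)
    or 'after' (assertion already expired on the local clock).

    The skew widens the window on both sides, so an AD FS clock that is up to
    skew_seconds ahead of the local clock no longer produces 'before'."""
    not_before, not_on_or_after = conditions_window(assertion_xml)
    skew = timedelta(seconds=skew_seconds)
    if now + skew < not_before:
        return "before"
    if now - skew >= not_on_or_after:
        return "after"
    return "ok"


if __name__ == "__main__":
    # Local (UCMDB/CMS UI) clock is 30 seconds behind the AD FS clock that
    # issued the assertion: fails with skew 0, passes with skew 60.
    local_now = datetime(2024, 1, 1, 11, 59, 30, tzinfo=timezone.utc)
    print("skew 0:", check_assertion_time(SAMPLE_ASSERTION, local_now, 0))
    print("skew 60:", check_assertion_time(SAMPLE_ASSERTION, local_now, 60))
```

With the local clock 30 seconds behind the issuing clock, the check returns "before" at skew 0 and "ok" at skew 60, which is the situation the paragraph above describes.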

Login Issues

I configured AD FS but the browser is redirected back to the AD FS login page when I try to log in

This issue occurs when you fail to log in to AD FS.

To resolve this issue, follow these steps:

  1. Check whether the AD FS public key was imported to the <CMS UI>/conf/server.truststore file. The alias of this public key must be the same as that in the setIdpCertificateAlias method in JMX console and in the mam.server.sso.saml.auth.certificate.alias property in the saml_configuration.properties file (in the <CMS UI home>/conf directory).
  2. Check the value in the Relying party identifiers field under the Identifiers tab of the Relying Trust Party in AD FS. This value must be the same as that in the setAuthRequestIssuer method in JMX console and in the mam.server.sso.saml.auth.request.issuer property in the saml_configuration.properties file (in the <CMS UI home>/conf directory).

Tip The values may not match due to an additional slash ("/") at the end of the identifier.
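The following is an added example, not code from the product, for checking a standalone-mode saml_configuration.properties file before starting CMS UI. It flags the empty or missing properties behind the "could not be null" messages listed in the error log section above, and compares the configured request issuer with the AD FS relying party identifier both exactly and with a trailing slash ignored, which is the mismatch the tip describes. The property names and error messages come from this page; the sample file content, host names and function names are constructed for the example.

```python
"""Added example (not UCMDB/CMS UI code): pre-flight check of
saml_configuration.properties for the null-property errors and the
trailing-slash identifier mismatch described on this page."""
import re

# Property names and error messages as listed in the error log section above.
REQUIRED_PROPERTIES = {
    "mam.server.sso.saml.auth.idp": "IDP Endpoint could not be null",
    "mam.server.sso.saml.auth.username.claimtype": "Username claim type could not be null",
    "mam.server.sso.saml.auth.request.issuer": "Request issuer could not be null",
    "mam.server.sso.saml.response.issuer": "Response issuer could not be null",
}

# Constructed sample file: the claim type line is commented out and the
# response issuer is empty, so two of the four checks should fail.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment
mam.server.sso.saml.auth.idp=https://adfs.example.test/adfs/ls/
#mam.server.sso.saml.auth.username.claimtype=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
mam.server.sso.saml.auth.request.issuer=https://ucmdb.example.test/ucmdb-ui/
mam.server.sso.saml.response.issuer=
mam.server.sso.saml.time.skew=0
"""


def parse_properties(text):
    """Minimal Java .properties parser: '#' or '!' comment lines are skipped,
    keys are separated from values by '=' or ':' and both sides are trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def find_null_properties(props):
    """Return the page's error message for every required property that is
    missing from the file or has an empty value."""
    return [msg for key, msg in REQUIRED_PROPERTIES.items() if not props.get(key)]


def identifiers_match(configured_issuer, adfs_identifier):
    """Compare the configured request issuer with the AD FS relying party
    identifier. Returns (exact_match, match_ignoring_trailing_slash); a result
    of (False, True) is the trailing-slash case from the tip above."""
    exact = configured_issuer == adfs_identifier
    loose = configured_issuer.rstrip("/") == adfs_identifier.rstrip("/")
    return exact, loose


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for message in find_null_properties(props):
        print("would fail with:", message)
    # Constructed AD FS identifier without the trailing slash.
    print(identifiers_match(props["mam.server.sso.saml.auth.request.issuer"],
                            "https://ucmdb.example.test/ucmdb-ui"))
```

Run against a real file by replacing SAMPLE_PROPERTIES with the file's content; a result of (False, True) from identifiers_match means the only difference between the two values is the trailing slash, so one side must be corrected to match the other exactly.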

I configured AD FS but I receive a "no permission" error when I try to log in

This issue occurs when you do not have permission to log in to the UCMDB Server.

To resolve this issue, go to UCMDB Server and create a group for your user profile. The group ID should be set in the setSamlUserDefaultGroup method in JMX console and in the mam.server.sso.saml.auth.default.group property in the saml_configuration.properties file (in the <CMS UI home>/conf directory). The two values must be the same.

You can also create a group with the same name as the group in AD FS. For example, suppose you belong to a group named "Domain users" in AD FS, and the domain name is "samltest.com". In this situation, you would create a group named "samltest\Domain users". When you next log in, you will be added to the group.

Tip Do not forget to set a profile for the group.

I have logged in using the AD FS login page, but a blank page is displayed in UCMDB Server or CMS UI, and an external user named "NULL" is created in UCMDB Server

First, check the server.truststore file (in the <CMS UI home>/conf directory) to make sure that the IDP token_signing certificate was successfully imported.

Then, check the Claim Issuance Rules to make sure that all three rules (CommonName, Group, NameID) are configured correctly.

Logout Issues

I can log in with SAML authentication, but when I click the Logout button I am logged in again

This issue occurs when you fail to log out from AD FS.

To resolve this issue, follow these steps:

  1. Check your UCMDB private key in the server.keystore file (in the <CMS UI>/conf/ directory). The private key alias must be the same as that in the setSamlLogoutCertAlias method in JMX console and in the mam.server.sso.saml.logout.certificate.alias property in the saml_configuration.properties file (in the <CMS UI home>/conf directory).
  2. Open the Signature tab of the Relying Trust Party in AD FS to check whether your UCMDB public key was imported.
  3. Open the Edit Claim Issuance Policy window of the Relying Trust Party in AD FS to check that all three rules (CommonName, Group, NameID) are added.