brownric
(Ricardo Brown)
June 13, 2025, 5:17pm
1
Hey Dev Community,
I’m currently configuring SAML/SSO authentication through Shibboleth, and when trying to log in I get the following error message:
I have checked the event logs and searched based on the error message but was not able to find anything related to the error:
Here is my configuration for SSO:
My best guess is there is an issue correlating the SAML Authentication record to an identity, but if someone is familiar with the error I appreciate the help.
Thanks,
-Rik
j_place
(Jeremy Place)
June 13, 2025, 5:20pm
2
Hi @brownric, can you add a SAML tracer to your browser dev tools and paste the assertion in the post?
brownric
(Ricardo Brown)
June 13, 2025, 6:02pm
3
I’m still very new to this part, so I hope I captured the correct information:
GET https://ohsu-sb.identitynow.com/r/default/error?errorCode=FailedSAMLAssertion HTTP/1.1
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
sec-ch-ua: "Google Chrome";v="137", "Chromium";v="137", "Not/A)Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Referer: https://idpqa.ohsu.edu/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: slpt-cookie-slpt-roi-dashlet-per=o%3A; sp.nonce=FVL84veNPX8tudSjsLAJQQ5otfNQTL6e
HTTP/1.1 200
date: Fri, 13 Jun 2025 17:57:16 GMT
content-type: text/html; charset=utf-8
vary: Accept-Encoding
access-control-allow-origin: *
content-security-policy: base-uri 'self';default-src 'none';object-src 'none';connect-src 'self' app.launchdarkly.com events.launchdarkly.com https://assets.sailpoint.com files.accessiq.sailpoint.com https://ohsu-sb.api.identitynow.com https://ohsu-sb.cam.sailpoint.com;font-src 'self' data: https://assets.sailpoint.com files.accessiq.sailpoint.com;img-src 'self' data: https://assets.sailpoint.com files.accessiq.sailpoint.com https://ohsu-sb.api.identitynow.com;script-src 'self' https://assets.sailpoint.com files.accessiq.sailpoint.com;style-src 'self' 'unsafe-inline' https://assets.sailpoint.com files.accessiq.sailpoint.com;frame-src https://www.youtube.com/ https://play.vidyard.com/;child-src 'none';worker-src blob:;frame-ancestors 'self'
permission-policy: camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=(), web-share=()
x-xss-protection: 0
x-content-type-options: nosniff
referrer-policy: no-referrer
x-frame-options: sameorigin
strict-transport-security: max-age=2592000; includeSubDomains
x-robots-tag: none
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 94f3782a8b112edd-SEA
content-encoding: gzip
Here is a screen shot of the tracer in case that helps too:
j_place
(Jeremy Place)
June 13, 2025, 6:21pm
4
Hi @brownric, you need the POST request, the one above the GET.
brownric
(Ricardo Brown)
June 13, 2025, 6:22pm
5
Thanks!! Here it is:
POST https://ohsu-sb.login.sailpoint.com/saml/SSO/alias/ohsu-sb-sp HTTP/1.1
sec-ch-ua: "Google Chrome";v="137", "Chromium";v="137", "Not/A)Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Origin: https://idpqa.ohsu.edu
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://idpqa.ohsu.edu/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: _cq_duid=1.1745513084.l3KHZMO0JxpnjktH; XSRF-TOKEN=0a493d96-ba02-48fe-abde-0dd1479c27e0; SLPTLS=MzE5Mzk0ZDItOGMzNC00ZmVjLWFhYmEtYTJkYmM1NjMyZTdm
HTTP/1.1 302
date: Fri, 13 Jun 2025 17:57:16 GMT
location: https://ohsu-sb.identitynow.com/r/default/error?errorCode=FailedSAMLAssertion
server: nginx
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
strict-transport-security: max-age=31536000; includeSubDomains
strict-transport-security: max-age=31536000 ; includeSubDomains
access-control-allow-origin: *
cache-control: no-cache, no-store, max-age=0, must-revalidate
slpt-request-id: f2a07f26a2ec40cc956141116798ce76
access-control-expose-headers: X-Content-Type-Options,Connection,Pragma,Date,X-Zuul-ServiceId,X-Frame-Options,Strict-Transport-Security,Cache-Control,Retry-After,Expires,SLPT-Request-ID,X-XSS-Protection,Content-Length,Location
x-robots-tag: none
x-robots-tag: none
j_place
(Jeremy Place)
June 13, 2025, 6:24pm
6
There should be a SAML tab containing the content of the POST.
brownric
(Ricardo Brown)
June 13, 2025, 6:35pm
7
Again, thank you:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://ohsu-sb.login.sailpoint.com/saml/SSO/alias/ohsu-sb-sp"
                 ID="_f1b1d3070df202d6987e37e1ff7dc414"
                 InResponseTo="ARQ4cc5baa-6b47-41ce-a555-465a8969b229"
                 IssueInstant="2025-06-13T17:57:16.222Z"
                 Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idpqa.ohsu.edu/idp/shibboleth</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_f1b1d3070df202d6987e37e1ff7dc414">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>W1+FZAcS8FNbr3XhBX3iIA02UvjE+DhDBXn0JrslCZM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>fOEe+YxyCdguzFFYZRfk8HkOTTLFAJcA3kicXBUDC+urnIyvBVJvtcb0EHsEpn6Zu8vQSiPlG/VLW0At5sC9GOdZaerXHiGxQEsXRKNDtkt3lFozMq3d1yFWNfczV4YuiPTomSFV0CIEoGan6jpjaMhL59GrAOkeXRTiu5ckuTpvBH+1g0uxj0sw2H9Ui+P+glyuDhVDMJzZnFOSrQeWKBPFpQqlp5TuV+47ncjwnA3z7e8LuABO2xwEbCTvogvIfQuQu4H3U9BEpSV13sAthXIAbqsLCgPv6o44wgThe9mQ/+M2k/hJRuhzT0ZL6150FARXEvn6l9UIWo91Ia5djA==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDIzCCAgugAwIBAgIUN5lvOmJaeYJTZUY9dBeGnqTtQkwwDQYJKoZIhvcNAQELBQAwGTEXMBUG…</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_a7b909430fd9fa7002215a1730cc153a"
                   IssueInstant="2025-06-13T17:57:16.222Z"
                   Version="2.0">
    <saml2:Issuer>https://idpqa.ohsu.edu/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected] </saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="206.212.228.24"
                                       InResponseTo="ARQ4cc5baa-6b47-41ce-a555-465a8969b229"
                                       NotOnOrAfter="2025-06-13T18:02:16.226Z"
                                       Recipient="https://ohsu-sb.login.sailpoint.com/saml/SSO/alias/ohsu-sb-sp" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2025-06-13T17:57:16.222Z"
                      NotOnOrAfter="2025-06-13T18:02:16.222Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://ohsu-sb.identitynow.com/sp</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2025-06-13T17:57:15.437Z"
                          SessionIndex="_f4ad459e626859c194b656361ce8b86d">
      <saml2:SubjectLocality Address="206.212.228.24" />
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="uid2"
                       Name="uid"
                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue>brownric</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="mail"
                       Name="urn:oid:0.9.2342.19200300.100.1.3"
                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>[email protected] </saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
j_place
(Jeremy Place)
June 13, 2025, 6:42pm
8
Hi @brownric
Your Identity Provider is asserting that the name of the subject is [email protected] in the NameID attribute.
ISC has to know how to look up that attribute. That is the purpose of the Identity Mapping Attribute in the ISC SAML config.
You’ve currently got samaccountname in there, where I assume you should have the email address.
j_place
(Jeremy Place)
June 13, 2025, 6:47pm
9
TBH, I prefer something more immutable in there, such as samAccountName (if it is an identity attribute), but you are asking for an email-format NameID in the SAML NameId parameter. So, alternatively, you could change that to unspecified and the IdP may well return the samAccountName.
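The two replies above come down to one mechanism: the service provider takes the NameID from the assertion and looks it up in its identity store on whatever attribute the "Identity Mapping Attribute" names, so an email-format NameID looked up on samaccountname never matches, while the same NameID looked up on the email attribute does. The following Python script is an added illustration of that lookup and is not code from the thread or from SailPoint; the hostnames, the user, the identity store and the function names are constructed for the example. It also shows the alternative Jeremy mentions, keying on an attribute such as uid instead of the NameID, and the audience and validity-window checks an SP performs before it even attempts the mapping.

```python
# Added example (not from the thread or from SailPoint): how a service
# provider resolves a SAML NameID to a local identity, and why the choice
# of "Identity Mapping Attribute" decides whether the login succeeds.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response shaped like the one in the thread (signature
# omitted; hostnames and user are made up). The NameID carries a trailing
# space, as the posted assertion does.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2025-06-13T17:57:16Z"
    Destination="https://sp.example.com/saml/SSO/alias/example-sp">
  <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2025-06-13T17:57:16Z">
    <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.edu </saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2025-06-13T17:57:16Z" NotOnOrAfter="2025-06-13T18:02:16Z">
      <saml2:AudienceRestriction><saml2:Audience>https://sp.example.com/sp</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="uid"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml2:AttributeValue>jdoe@example.edu</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed identity store: the attributes the SP already holds per user.
IDENTITIES = [
    {"samaccountname": "jdoe", "email": "jdoe@example.edu"},
    {"samaccountname": "asmith", "email": "asmith@example.edu"},
]


def parse_subject(xml_text):
    """Pull the fields an SP needs out of a response whose signature has already been verified."""
    root = ET.fromstring(xml_text)
    nameid = root.find(".//saml2:Subject/saml2:NameID", NS)
    cond = root.find(".//saml2:Conditions", NS)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS)]
    return {
        "nameid": nameid.text,               # raw; may carry stray whitespace
        "format": nameid.get("Format"),
        "audience": root.findtext(".//saml2:Audience", namespaces=NS),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "attributes": attrs,
    }


def _ts(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00 on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(subject, expected_audience, now):
    """Return the list of condition failures; an empty list means the assertion is usable."""
    problems = []
    if subject["audience"] != expected_audience:
        problems.append("audience mismatch")
    if now < _ts(subject["not_before"]) or now >= _ts(subject["not_on_or_after"]):
        problems.append("assertion outside validity window")
    return problems


def resolve_identity(subject, mapping_attr, identities):
    """Look the NameID up in the identity store on the configured mapping attribute.
    The comparison is an exact string match after trimming whitespace, so a NameID
    sent in a different shape (email vs. account name) simply never matches."""
    wanted = subject["nameid"].strip()
    for ident in identities:
        if ident.get(mapping_attr) == wanted:
            return ident
    return None


def resolve_by_attribute(subject, saml_attr, mapping_attr, identities):
    """Alternative: key on an assertion attribute (e.g. uid) instead of the NameID."""
    for value in subject["attributes"].get(saml_attr, []):
        for ident in identities:
            if ident.get(mapping_attr) == value:
                return ident
    return None


if __name__ == "__main__":
    subj = parse_subject(SAMPLE_RESPONSE)
    now = datetime(2025, 6, 13, 18, 0, tzinfo=timezone.utc)
    print("conditions:", check_conditions(subj, "https://sp.example.com/sp", now) or "ok")
    print("NameID format:", subj["format"])
    print("mapping on samaccountname ->", resolve_identity(subj, "samaccountname", IDENTITIES))
    print("mapping on email          ->", resolve_identity(subj, "email", IDENTITIES))
    print("uid -> samaccountname     ->", resolve_by_attribute(subj, "uid", "samaccountname", IDENTITIES))
```

Run as-is, the script shows the mapping on samaccountname returning nothing and the mapping on email (or uid against samaccountname) returning the jdoe record. The whitespace trimming in resolve_identity is deliberate: an SP that compares the raw NameID text would also fail on the trailing space the IdP emits, which is worth checking when the mapping attribute is already correct.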