Troubleshooting for SAML Authentication

Article Number: 02035

This section describes how to troubleshoot SAML authentication problems.

If Misconfiguration of SAML Authentication Causes Login Failures

If SAML authentication is misconfigured, users might no longer be able to log in to Kintone with single sign-on.
If single sign-on fails, log in to Kintone with password authentication as described in the following steps.

  1. Access the URL below.
    https://(subdomain_name).kintone.com/login?saml=off
  2. Log in to Kintone using the login name and password registered in Kintone Users & System Administration.

Error Messages Related to SAML Authentication

No user account for that NameID found.

Code
SLASH_SA01
Cause
Kintone has no user whose login name matches the NameID in the SAML response.
Solutions
  • Configure your IdP so that the NameID specifies an element to identify a user.
  • Ensure that the value associated with the NameID corresponds to the login name of a Kintone user.

Corresponding AuthnRequest not found.

Code
SLASH_SA02
Cause
This occurs in the following cases:
  • Multiple SAML requests were issued in one session.
    Example:
    • A user tried to use single sign-on from multiple tabs in one Web browser.
    • After a user logged in with single sign-on, the user clicked the "Back" button of the Web browser to return to the endpoint URL of Kintone.
  • An IdP-initiated SSO flow was attempted.
Solutions
  • Ensure that users do not perform actions that generate multiple SAML requests in one session.
  • Configure your IdP so that it can use SP-initiated SSO.

The SAML response is not found in the request parameter.

Code
SLASH_SA03
Cause
There is no SAML response in the request parameter that the IdP sent to Kintone.
Solutions
Confirm that nothing prevents the SAML response from being sent.

Invalid SAML Response.

Code
SLASH_SA04
Cause
There is no SAML response in the request parameter that the IdP sent to Kintone.
Solutions
Check the settings related to failed validation results.
Also refer to the following section:
Checking the Validation Results for the SAML Response

Invalid HTTP method. Use POST as the HTTP method.

Code
SLASH_SA05
Cause
HTTP POST Binding is not being used to send the SAML response.
Solutions
  • Configure the IdP so that HTTP POST Binding is used to send the SAML response.
  • Verify that an intermediary such as a proxy server did not change the HTTP method to anything other than POST.

Failed to process SAML response.

Code
SLASH_FA01
Cause
The SAML response cannot be processed due to an unexpected error.
Solutions
Please contact Kintone Corp.

Checking the Validation Results for the SAML Response

When verification of a SAMLResponse has failed, try the following solutions based on the validation item that failed:

When the current time falls within the period specified with the NotBefore and NotOnOrAfter attributes of the Conditions element

The system time for IdP and Kintone might be different. Configure the IdP so that the system time is set correctly.

When the InResponseTo attribute of the SubjectConfirmationData element matches the AuthnRequest ID

A user might have tried to use single sign-on from multiple tabs in one Web browser. Check whether the error still occurs when the user logs in from just one tab.

When the Audience element is correct

An invalid entity ID might have been set when you registered Kintone as an SP. The entity ID of the SP must be set to the following value: https://(subdomain_name).kintone.com

When at least one signature exists in the Assertion or Response element and all signatures present are valid

The public key certificate might be invalid.
Attach a valid certificate in the "Certificate" section on the "Login Security" page in "Kintone Users & System Administration". The certificate must be an X.509 certificate generated with either the RSA or DSA algorithm.
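The four validation items above, as an added example that is not Kintone's code: a small Python checker that runs them over a constructed SAML response and reports which item failed. It only checks that a Signature element is present; cryptographic verification of XML signatures needs an XML-DSig library and is out of scope here. The subdomain "example", the request ID "_req1" and the timestamps are made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample response; subdomain "example" and ID "_req1" are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" InResponseTo="_req1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignatureValue>c2FtcGxl</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData InResponseTo="_req1"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://example.kintone.com</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, expected_audience, outstanding_request_ids, now_utc):
    """Run the four validation items listed above; return {item: passed}."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (EncryptedAssertion not handled here)")
    now = parse_time(now_utc)
    conditions = assertion.find("saml:Conditions", NS)
    results = {}
    # 1. Current time inside [NotBefore, NotOnOrAfter); fails on IdP/SP clock skew.
    results["time_within_conditions"] = (
        parse_time(conditions.get("NotBefore")) <= now
        < parse_time(conditions.get("NotOnOrAfter")))
    # 2. InResponseTo must name an AuthnRequest this session still awaits (a second tab
    #    or a re-posted response leaves the stored ID no longer matching).
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    results["in_response_to_matches"] = (
        scd is not None and scd.get("InResponseTo") in outstanding_request_ids)
    # 3. Audience must equal the SP entity ID registered at the IdP.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    results["audience_correct"] = expected_audience in audiences
    # 4. At least one Signature on Response or Assertion (presence only, see lead-in).
    results["signature_present"] = any(
        e.find("ds:Signature", NS) is not None for e in (root, assertion))
    return results
```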