Troubleshooting for SAML Authentication

This section describes how to troubleshoot SAML authentication problems.

If Misconfiguration of SAML Authentication Causes Login Failures

Users cannot log in to Kintone when SAML authentication fails.
However, Kintone Users & System administrators can still log in with Kintone's standard (login name and password) authentication from the URL below.

  1. Access the following URL, which opens the standard login page with SAML authentication turned off:
    https://(subdomain_name).kintone.com/login?saml=off
    While the setting to use only SAML authentication is enabled, only administrators can log in from this URL. To allow other users to use it, disable that setting.
    For details, refer to Enabling to Use Only SAML Authentication When Logging In.

  2. Log in to Kintone using the login name and password registered in Kintone Users & System Administration.

Errors Related to SAML Authentication

Each error is listed with its code, the message shown to the user, its cause, and the solution.

SLASH_SA01
  Error message: No user account for that NameID found.
  Cause: Kintone has no user whose login name matches the NameID in the SAML response.
  Solution:
  • Configure your IdP so that the NameID specifies an element that identifies the user.
  • Ensure that the NameID value corresponds to the login name of a Kintone user.

SLASH_SA02
  Error message: Corresponding AuthnRequest not found.
  Cause: This occurs in the following cases:
  • Multiple SAML requests were issued in one session. Examples:
    • A user tried to single sign-on from multiple tabs in one Web browser.
    • After single sign-on, the user clicked the "Back" button of the Web browser to return to the Kintone endpoint URL.
  • IdP-initiated SSO was attempted.
  Solution:
  • Ensure that users do not perform actions that generate multiple SAML requests in one session.
  • Configure your IdP to use SP-initiated SSO.

SLASH_SA03
  Error message: The SAML response is not found in the request parameter.
  Cause: The request the IdP sent to Kintone does not contain a SAML response in the SAMLResponse request parameter.
  Solution: Confirm that nothing prevents the SAML response from being sent to Kintone.

SLASH_SA04
  Error message: Invalid SAML Response.
  Cause: The Response element in the SAML response failed validation.
  Solution: Check the settings related to the failed validation check. Also refer to the following section:
  Checking the Validation Results for the SAML Response

SLASH_SA05
  Error message: Invalid HTTP method. Use POST as the HTTP method.
  Cause: The SAML response was not sent with the HTTP POST Binding.
  Solution:
  • Configure the IdP to send the SAML response with the HTTP POST Binding.
  • Verify that nothing on the path, such as a proxy server, changes the HTTP method to anything other than POST.

SLASH_FA01
  Error message: Failed to process SAML response.
  Cause: The SAML response cannot be processed due to an unexpected error.
  Solution: Contact Kintone Corp.

Checking the Validation Results for the SAML Response

Kintone performs the following checks on the SAMLResponse. When one of them fails, try the corresponding solution:

  • The current time falls within the period specified by the NotBefore and NotOnOrAfter attributes of the Conditions element
    If this check fails, the system times of the IdP and Kintone might differ. Configure the IdP so that its system time is set correctly.
  • The InResponseTo attribute of the SubjectConfirmationData element matches the ID of the AuthnRequest
    If this check fails, a user might have tried to single sign-on from multiple tabs in one Web browser. Check whether the error still occurs when the user logs in from a single tab.
  • The Audience element is correct
    If this check fails, an invalid entity ID might have been set when you registered Kintone as an SP at the IdP. The entity ID of the SP must be set to the following value: https://(subdomain_name).kintone.com
  • At least one signature exists on the Assertion or Response element, and every signature present is valid
    If this check fails, the public key certificate registered in Kintone might be invalid. Attach a valid certificate in the "Certificate" section on the "Login Security" page in "Kintone Users & System Administration". The certificate must be an X.509 certificate generated with either the RSA or DSA algorithm.
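As an added example (not Kintone's code), the following Python script runs the four checks above over a decoded SAML Response so that you can see which one fails before changing IdP settings. It tolerates a small clock skew on the Conditions window, compares InResponseTo with the AuthnRequest ID your SP issued, compares the Audience with the SP entity ID, and reports whether Signature elements are present on the Response or Assertion. It does not verify the XML signatures cryptographically; that needs an XML-DSig library such as xmlsec or python3-saml. The sample Response, the subdomain "example", the request ID "_req123" and the IdP URL are constructed for this example and are not captured from a real IdP.

```python
# Added example (not Kintone's code): pre-flight checks on a decoded SAML Response
# mirroring the validation items on this page. Signature handling is presence-only;
# cryptographic verification is left to a dedicated XML-DSig library.
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml in production (XML bomb hardening)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_response(form_value: str) -> bytes:
    """The HTTP POST binding carries the Response base64-encoded in the
    SAMLResponse form field; this returns the raw XML bytes."""
    return base64.b64decode(form_value)


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z,
    optionally with fractional seconds (dropped here)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(xml_bytes: bytes, expected_audience: str,
                        expected_request_id: str, now=None,
                        skew: timedelta = timedelta(seconds=60)) -> dict:
    """Return {check_name: (passed, detail)} for the four checks on this page."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    results = {}

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion would have to be decrypted first; out of scope here.
        results["assertion_present"] = (False, "no plaintext saml:Assertion in Response")
        return results

    # 1. Conditions window: NotBefore <= now < NotOnOrAfter, with skew tolerance.
    #    A failure here usually means the IdP and SP clocks disagree.
    cond = assertion.find("saml:Conditions", NS)
    problems = []
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_saml_time(nb) - skew:
            problems.append(f"now {now.isoformat()} is before NotBefore {nb}")
        if noa and now >= parse_saml_time(noa) + skew:
            problems.append(f"now {now.isoformat()} is at/after NotOnOrAfter {noa}")
    results["conditions_window"] = (not problems, "; ".join(problems) or "ok")

    # 2. InResponseTo must equal the ID of the AuthnRequest this SP issued.
    #    A stale tab, a replayed response or IdP-initiated SSO all fail here.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    in_response_to = scd.get("InResponseTo") if scd is not None else None
    ok = in_response_to == expected_request_id
    results["in_response_to"] = (ok, "ok" if ok else
                                 f"InResponseTo={in_response_to!r}, expected {expected_request_id!r}")

    # 3. Audience must be the SP entity ID registered at the IdP.
    audiences = ([a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
                 if cond is not None else [])
    ok = expected_audience in audiences
    results["audience"] = (ok, "ok" if ok else f"Audience={audiences}, expected {expected_audience!r}")

    # 4. At least one ds:Signature directly under the Response or the Assertion.
    signed = [name for name, el in (("Response", root), ("Assertion", assertion))
              if el.find("ds:Signature", NS) is not None]
    results["signature_present"] = (bool(signed),
                                    f"signed elements: {signed}" if signed else "no Signature element found")
    return results


def all_passed(results: dict) -> bool:
    return all(passed for passed, _ in results.values())


# Constructed sample Response (not a real IdP capture). The Signature element is a
# structural placeholder only; "example" stands in for a Kintone subdomain.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" InResponseTo="_req123" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req123" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://example.kintone.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_FORM_FIELD = base64.b64encode(SAMPLE_RESPONSE).decode()          # as posted in SAMLResponse
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)        # inside the Conditions window
LATE_NOW = SAMPLE_NOW + timedelta(hours=1)                              # outside it (clock skew scenario)

if __name__ == "__main__":
    xml_bytes = decode_saml_response(SAMPLE_FORM_FIELD)
    for name, (ok, detail) in check_saml_response(xml_bytes, "https://example.kintone.com",
                                                  "_req123", SAMPLE_NOW).items():
        print(f"{name:20} {'PASS' if ok else 'FAIL'}  {detail}")
```

Run it as-is to see all four checks pass, then change the `now` argument, the request ID or the audience to reproduce the individual failures described above; the detail string names the attribute that disagrees, which is what you need when comparing against the IdP's configuration.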